Audit Azure App Service in your tenant

There are several ways to extract information about Azure App Service resources in your environment. You can use Resource Graph Explorer, Azure CLI, Azure PowerShell or the Azure REST API. Depending on the information you would like to extract, the tool may vary.

This article simply provides some notes on using PowerShell with the AzureRm module to achieve that goal.

The Azure PowerShell AzureRm module will be deprecated in the future. Microsoft recommends switching over to the Az module. (https://github.com/Azure/azure-powershell/blob/master/documentation/announcing-az-module.md)

Pre-requisites

This script has been tested successfully with the following modules:

Scenario

What exactly do you need from your Azure App Service resources from a security posture perspective? Below is a list of things you would need to know:

  • Common information: resource group, location, web app name, state, subscription name (in case you’d like to extract info across all subscriptions)
  • App Service Plan: not all plans support backup and SSL, so having this info helps you determine whether you want to upgrade the plan.
  • HttpsOnly: to verify whether your web app enables HttpsOnly. It should always be HTTPS.
  • minTlsVersion: to verify whether your web app is using a non-compliant or out-of-date TLS version.
  • ftpsState: to verify whether your web app allows only FTPS (FTP over SSL) instead of non-secure FTP.
  • Framework version: .NET Framework, PHP, Python, Node, to verify whether your web app hosted in a server farm is using a vulnerable version.

Development

Not all of the information above can be extracted with a single cmdlet such as Get-AzureRmWebApp. For example, to get App Service Plan info you need Get-AzureRmAppServicePlan.

For configuration such as minTlsVersion there is a trick. If you read the SiteConfig property you will get nothing useful. See the sample below:

$webAppName = "azsec"
$webAppRg = "azsec-web-rg"
$webApp = Get-AzureRmWebApp -Name $webAppName -ResourceGroupName $webAppRg
$webApp.SiteConfig

The result of this code snippet is missing much of the information, such as MinTlsVersion or FtpsState:

...
ManagedServiceIdentityId     :
XManagedServiceIdentityId    :
IpSecurityRestrictions       :
Http20Enabled                :
MinTlsVersion                :
FtpsState                    :
ReservedInstanceCount        :

The real reason is that the configuration is not actually stored in this property. It is stored in another resource type named Microsoft.Web/sites/config. Take a look at the following code snippet:

$webAppName = "azsec"
$webAppRg = "azsec-web-rg"
$webApp = Get-AzureRmWebApp -Name $webAppName -ResourceGroupName $webAppRg

# Read the web app's configuration resource directly (the "/web" child of the site)
$config = Get-AzureRmResource -ResourceGroupName $webApp.ResourceGroup `
                               -ResourceType "Microsoft.Web/sites/config" `
                               -ResourceName "$($webApp.Name)/web" `
                               -ApiVersion 2016-08-01
$config.Properties

Note that you do need to specify the API version.

The result gives you the information you need:

http20Enabled                          : False
minTlsVersion                          : 1.2
ftpsState                              : AllAllowed
reservedInstanceCount                  : 0
preWarmedInstanceCount                 :
healthCheckPath                        :
fileChangeAuditEnabled                 : False
functionsRuntimeScaleMonitoringEnabled : False

If you need more info, simply read $config.Properties.{config_name}.
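Putting the pieces together, here is an added example (not the script from the GitHub repository below) that walks every web app in the current subscription, reads the sites/config resource the same way, pulls the plan tier, and flags the settings listed in the Scenario section. It assumes the AzureRm module is loaded, Login-AzureRmAccount has been run, and a TLS 1.2 baseline; the function name and the baseline parameter are my own.

```powershell
# Added example, not the azure-audit script. Assumes AzureRm module and an active login.
function Get-WebAppSecurityPosture {
    param(
        [string] $MinTlsVersion = "1.2"   # assumed baseline; adjust to your own policy
    )
    $subscription = (Get-AzureRmContext).Subscription.Name
    foreach ($webApp in Get-AzureRmWebApp) {
        # SiteConfig on the web app object does not carry minTlsVersion/ftpsState,
        # so read the Microsoft.Web/sites/config resource directly (API version required).
        $props = (Get-AzureRmResource -ResourceGroupName $webApp.ResourceGroup `
                                      -ResourceType "Microsoft.Web/sites/config" `
                                      -ResourceName "$($webApp.Name)/web" `
                                      -ApiVersion 2016-08-01).Properties

        # The plan can live in another resource group, so parse both from ServerFarmId.
        $plan = $null
        if ($webApp.ServerFarmId -match '/resourceGroups/([^/]+)/.*/serverfarms/([^/]+)$') {
            $plan = Get-AzureRmAppServicePlan -ResourceGroupName $Matches[1] -Name $Matches[2] `
                                              -ErrorAction SilentlyContinue
        }

        # Findings a reviewer would follow up on
        $findings = @()
        if (-not $webApp.HttpsOnly) { $findings += "HttpsOnly disabled" }
        if (-not $props.minTlsVersion -or [version]$props.minTlsVersion -lt [version]$MinTlsVersion) {
            $findings += "minTlsVersion is '$($props.minTlsVersion)'"
        }
        if ($props.ftpsState -eq "AllAllowed") { $findings += "plain FTP allowed" }

        [pscustomobject]@{
            Subscription  = $subscription
            ResourceGroup = $webApp.ResourceGroup
            Location      = $webApp.Location
            Name          = $webApp.Name
            State         = $webApp.State
            PlanTier      = if ($plan) { $plan.Sku.Tier } else { "unknown" }
            HttpsOnly     = $webApp.HttpsOnly
            MinTlsVersion = $props.minTlsVersion
            FtpsState     = $props.ftpsState
            NetFramework  = $props.netFrameworkVersion
            Php           = $props.phpVersion
            Python        = $props.pythonVersion
            Node          = $props.nodeVersion
            Findings      = ($findings -join "; ")
        }
    }
}

# Show only the web apps with at least one finding
Get-WebAppSecurityPosture | Where-Object { $_.Findings } | Format-Table -AutoSize
```

To cover all subscriptions, loop over Get-AzureRmSubscription, call Select-AzureRmSubscription for each, and run the function inside the loop.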

GitHub

You can find the script at this link: https://github.com/azsec/azure-audit/tree/master/AppService


This entry was posted in Secure Development.

1 Response to Audit Azure App Service in your tenant

  1. Pingback: Cannot use the SKU Basic with File Change Audit for site » nexxai.dev