From f73800b2959b6b1620cf753a1a520abea48137a8 Mon Sep 17 00:00:00 2001
From: aled
Date: Tue, 20 Sep 2022 21:30:43 +0100
Subject: [PATCH 1/2] adding code tabs
---
 ...e_Storage_Accounts.md => azure_storage.md} | 54 +++++++++++++++---
 src/pages/contributing.md | 57 +++++++++++++++++++
 2 files changed, 103 insertions(+), 8 deletions(-)
 rename docs/azure/services/{Azure_Storage_Accounts.md => azure_storage.md} (97%)
diff --git a/docs/azure/services/Azure_Storage_Accounts.md b/docs/azure/services/azure_storage.md
similarity index 97%
rename from docs/azure/services/Azure_Storage_Accounts.md
rename to docs/azure/services/azure_storage.md
index 1823e8e..81b41e1 100644
--- a/docs/azure/services/Azure_Storage_Accounts.md
+++ b/docs/azure/services/azure_storage.md
@@ -1,3 +1,6 @@
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
 # Azure Storage
 ## Overview
 When looking at storage of data in Azure, we have 3 main categories:
@@ -130,10 +133,17 @@ Authorization="[SharedKey|SharedKeyLite] :" It's important to know that you actually have 2 access keys associated with each Storage Account. The reason for this is to facilitate key rotation, a process that should be completed periodically to mitigate the impact in the instance of key compromise. This process is typically done by migrating apps or services to use the secondary key, allowing for the primary key to be regenerated. The same process is then repeated when needing to change the secondary key. Due to this key rotation process, it is necessary to clearly track access key usage to allow for key rotation without impacting services or applications. Rotation can be checked by looking at the activity logs, which log every action of interest. For instance, if there's not been an event related to "rotation" in the last 90 days, then it's unlikely that the keys are being rotated: + + + + ```bash az monitor activity-log list -g --offset 90d | grep -i "rotate" ``` + + + Storage Account Keys are typically enticing to attackers as they provide a means of accessing storage resources without multifactor authentication, and without key expiry (except in the instance of key rotation as outlined above). These keys are also often insecurely stored in source code, with common indicators and areas to check being: * Usage of the StorageCredentials class * URIs on the `.core.windows.net` domain (SAS tokens) 
@@ -194,7 +204,10 @@ These combinations of service-level permissions, and Storage Account-level ones, - Want publicly accessible files in different directories? Put them in a Storage Account with "public access" enabled, and into a Blob container with access permissions set to "Container" - fully open; - Want to only allow anonymous access to specific files, but not everything? Put them into a Storage Account with "public access" enabled, but the access control for the Container holding them set to "Blob"; any other containers should be set to be "Private"; -To check the public access setting for all containers in a Storage Account (PowerShell): +To check the public access setting for all containers in a Storage Account: + + + ```powershell $storageAccount = Get-AzStorageAccount -ResourceGroupName -Name @@ -203,6 +216,9 @@ $ctx = $storageAccount.Context Get-AzStorageContainer -Context $ctx | Select Name, PublicAccess ``` + + + Due to the lack of authorisation requirements enforced in anonymous access, it is vital that anonymous access is only permitted for blobs and containers that do not contain sensitive information, and explicitly require anonymous access to satisfy intended usage requirements. More information about blob anonymous access can be found [here](https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure). 
@@ -219,33 +235,55 @@ Encryption at rest is done by default with a MS-managed key Controls that are commonly insecurely configured include: #### Is encryption at rest enforced? -PowerShell: + + + + ```powershell (Get-AzResource -ResourceGroupName -ResourceType Microsoft.Storage/storageAccounts -Name ).Properties.encryption | ConvertTo-Json ``` + + + #### Are HTTPS-only connections enforced? -PowerShell: + + + + ```powershell Get-AzStorageAccount -Name -ResourceGroupName | Select-Object StorageAccountName, EnableHttpsTrafficOnly ``` -Az CLI: + + + ```bash -az storage account list --query [*].[name,enableHttpsTrafficOnly] -o table --subscription ; +az storage account list --query [*].[name,enableHttpsTrafficOnly] -o table --subscription ; ``` + + + #### Are insecure TLS versions permitted? -PowerShell: + + + + ```powershell Get-AzStorageAccount -Name -ResourceGroupName | Select-Object StorageAccountName, MinimumTlsVersion ``` -Az CLI: + + + ```bash -az storage account list --query '[].{name: name, resourceGroup: resourceGroup, minimumTlsVersion: minimumTlsVersion}' --subscription -o tsv; +az storage account list --query '[].{name: name, resourceGroup: resourceGroup, minimumTlsVersion: minimumTlsVersion}' --subscription -o table; ``` + + + More information be found at the following locations: * [Encryption at rest](https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption) * [TLS](https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version) diff --git a/src/pages/contributing.md b/src/pages/contributing.md index 466f0c3..6aff8c4 100644 --- a/src/pages/contributing.md +++ b/src/pages/contributing.md 
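Review bot: The TLS check at the end of this hunk prints an empty `MinimumTlsVersion`/`minimumTlsVersion` column for any account on which the property has never been set, and nothing on the page tells the reader how to interpret that blank; as far as I can tell from the linked TLS documentation an unset property means the account still accepts TLS 1.0, which is exactly the insecure case the check is meant to surface, so that is worth confirming and stating. I would add one sentence directly under the `az storage account list --query '[].{name: name, resourceGroup: resourceGroup, minimumTlsVersion: minimumTlsVersion}' ...` block: `A blank value means no minimum TLS version has been configured, which should be treated as TLS 1.0 being permitted until the property is set explicitly.` The same caveat applies to the PowerShell variant above it, which surfaces the property under the same name.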
@@ -1,6 +1,8 @@ # Contributing import Link from '@docusaurus/Link'; +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; Thank you for considering contributing to this knowledge base! We welcome all input from the community. If you'd like to contribute but aren't sure where to start, pick an open issue from the GitHub repository on a topic you know something about and begin work there. Alternatively, if you see a page that needs improvement or want to add a new one all together then please go right ahead! 
@@ -92,3 +94,58 @@ Check the pages for [Azure MFA](/azure/services/azure_mfa) and [Azure AD](/azure * The latter is a bit less descriptive and it's even more bullet-to-the-pointy, yet also conveying the idea of structure that we're aiming at For an idea of a complete article of the "minimalistic" kind, have a look at [AWS CloudTrail](/aws/services/CloudTrail) instead. This shows the minimum info we should aim at having in an article that's not _that_ big requiring too much explanation. + +### Code Tabs Usage + +This Wiki supports [Tabs](https://docusaurus.io/docs/markdown-features/tabs) which provide a great way to format code examples for different languages. Usage is nice and simple and ends up with an object looking like this: + + + + +```bash +printf "Cloud Wiki" +``` + + + + +```powershell +Write-Host "Cloud Wiki" +``` + + + + + +First you'll need to import the required components by placing this at the top of your markdown page: + +```javascript +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; +``` + +Then we can build the tab object. A couple of things to bear in mind: +- The `label` is the value that will appear as the tab name. +- The blank line before and after the code block within the `TabItem` is required. +- Don't indent your code block (the code block itself, you can indent code within the block as required). + +``````markdown + + + +```bash +printf "Cloud Wiki" +``` + + + + +```powershell +Write-Host "Cloud Wiki" +``` + + + +`````` + +For more examples, you can check the [Azure Storage](/azure/services/azure_storage) page. From 12d1cbadda0ec7918a43ac53dd37174371e4cd1e Mon Sep 17 00:00:00 2001 From: aled Date: Mon, 3 Oct 2022 19:56:59 +0100 Subject: [PATCH 2/2] updating rotation command --- docs/azure/services/azure_storage.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/azure/services/azure_storage.md b/docs/azure/services/azure_storage.md index 81b41e1..6a402d3 100644 
--- a/docs/azure/services/azure_storage.md +++ b/docs/azure/services/azure_storage.md @@ -132,13 +132,13 @@ Authorization="[SharedKey|SharedKeyLite] :" It's important to know that you actually have 2 access keys associated with each Storage Account. The reason for this is to facilitate key rotation, a process that should be completed periodically to mitigate the impact in the instance of key compromise. This process is typically done by migrating apps or services to use the secondary key, allowing for the primary key to be regenerated. The same process is then repeated when needing to change the secondary key. Due to this key rotation process, it is necessary to clearly track access key usage to allow for key rotation without impacting services or applications. -Rotation can be checked by looking at the activity logs, which log every action of interest. For instance, if there's not been an event related to "rotation" in the last 90 days, then it's unlikely that the keys are being rotated: +Rotation can be checked by looking at the activity logs, which log every action of interest. For instance, if there's not been a key rotation event in the last 90 days, then it's unlikely that the keys are being rotated: ```bash -az monitor activity-log list -g --offset 90d | grep -i "rotate" +az monitor activity-log list --offset 90d --query "[?authorization.action=='Microsoft.Storage/storageAccounts/regenerateKey/action'].{Action:authorization.action, resourceId:resourceId, at:eventTimestamp, by:caller}" ```