feat(arm): add CKV_AZURE_85 to ensure that Azure Defender is set to O…

…n for Kubernetes (#6279)

* added new arm policy for resource: AzureDefenderOnKubernetes

* update arm policy for resource: AzureDefenderOnKubernetes

* update arm policy for resource: AzureDefenderOnKubernetes

* update arm policy for resource: AzureDefenderOnKubernetes

* update arm policy for resource: AzureDefenderOnKubernetes

* update arm policy for resource: AzureDefenderOnKubernetes

---------

Co-authored-by: ChanochShayner <[email protected]>

checkov/arm/checks/resource/AzureDefenderOnKubernetes.py

@@ -0,0 +1,26 @@
+from __future__ import annotations
+from typing import Any
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class AzureDefenderOnKubernetes(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure that Azure Defender is set to On for Kubernetes"
+        id = "CKV_AZURE_85"
+        supported_resources = ("Microsoft.Security/pricings",)
+        categories = (CheckCategories.GENERAL_SECURITY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
+
+    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+        return (
+            CheckResult.PASSED
+            if conf.get("name") != "KubernetesService" or str(conf["properties"]["pricingTier"]).lower() == "standard"
+            else CheckResult.FAILED
+        )
+
+    def get_evaluated_keys(self) -> list[str]:
+        return ["name", "pricingTier"]
+
+
+check = AzureDefenderOnKubernetes()

tests/arm/checks/resource/example_AzureDefenderOnKubernetes/fail.json

@@ -0,0 +1,51 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+    "pricing": {
+        "type": "string",
+        "allowedValues": [
+            "Standard",
+            "Free"
+        ]
+    }
+},
+
+"resources": [
+    {
+        "type": "Microsoft.Security/pricings",
+        "apiVersion": "2017-08-01-preview",
+        "name": "KubernetesService",
+        "properties": {
+            "pricingTier": "Free"
+        }
+    },
+            {
+            "type": "Microsoft.Compute/disks",
+            "apiVersion": "2023-01-02",
+            "name": "[parameters('disks_acctestmd1_name')]",
+            "location": "westus2",
+            "tags": {
+                "environment": "staging"
+            },
+            "sku": {
+                "name": "Standard_LRS",
+                "tier": "Standard"
+            },
+            "properties": {
+                "creationData": {
+                    "createOption": "Empty"
+                },
+                "diskSizeGB": 1,
+                "diskIOPSReadWrite": 500,
+                "diskMBpsReadWrite": 60,
+                "encryption": {
+                    "type": "EncryptionAtRestWithPlatformKey"
+                },
+                "networkAccessPolicy": "AllowAll",
+                "publicNetworkAccess": "Enabled",
+                "diskState": "Unattached"
+            }
+        }
+
+]}

tests/arm/checks/resource/example_AzureDefenderOnKubernetes/pass.json

@@ -0,0 +1,49 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+    "pricing": {
+        "type": "string",
+        "allowedValues": [
+            "Standard",
+            "Free"
+        ]
+    }
+},
+"resources": [
+
+    {
+        "type": "Microsoft.Security/pricings",
+        "apiVersion": "2018-06-01",
+        "name": "KubernetesService",
+        "dependsOn": [
+            "[concat('Microsoft.Security/pricings/default')]"
+        ],
+        "properties": {
+            "pricingTier": "Standard"
+        }
+    },
+    {
+        "type": "Microsoft.Security/pricings",
+        "apiVersion": "2018-06-01",
+        "name": "KeyVaults",
+        "dependsOn": [
+            "[concat('Microsoft.Security/pricings/SqlServers')]"
+        ],
+        "properties": {
+            "pricingTier": "Standard"
+        }
+    },
+    {
+        "type": "Microsoft.Security/pricings",
+        "apiVersion": "2018-06-01",
+        "name": "SqlServerVirtualMachines",
+        "dependsOn": [
+            "[concat('Microsoft.Security/pricings/AppServices')]"
+        ],
+        "properties": {
+            "pricingTier": "Standard"
+        }
+    }
+]
+}

tests/arm/checks/resource/test_AzureDefenderOnKubernetes.py

@@ -0,0 +1,41 @@
+import unittest
+import os
+from checkov.arm.checks.resource.AzureDefenderOnKubernetes import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestAzureDefenderOnKubernetes(unittest.TestCase):
+    def test_summary(self):
+        current_dir = os.path.dirname(os.path.realpath(__file__))
+        # given
+        test_files_dir = current_dir + "/example_AzureDefenderOnKubernetes"
+
+        # when
+        report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+        # then
+        summary = report.get_summary()
+        passing_resources = {
+            "Microsoft.Security/pricings.KubernetesService",
+            "Microsoft.Security/pricings.KeyVaults",
+            "Microsoft.Security/pricings.SqlServerVirtualMachines",
+        }
+        failing_resources = {
+            "Microsoft.Security/pricings.KubernetesService",
+        }
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary['passed'], 3)
+        self.assertEqual(summary['failed'], 1)
+        self.assertEqual(summary['skipped'], 0)
+        self.assertEqual(summary['parsing_errors'], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+    unittest.main()