|   Trend Micro Cloud One™
Open menu

Check for Azure Security Center Recommendations

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Risk level: (depending on recommendation's severity)
Rule ID: SecurityCenter-020

Ensure that all Microsoft Azure Security Center recommendations generated for your Azure cloud account are examined and implemented in order to follow security best practices and meet regulatory compliance and standards. Security Center is a cloud security management service that helps you prevent, detect, and respond to threats with increased visibility and control over the security of your Microsoft Azure resources. The service periodically analyzes the security state of your cloud resources and when it identifies potential security vulnerabilities, it creates recommendations. These recommendations (also known as security tasks) are guided actions that you can take in order to secure the impacted resources.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

When Microsoft Azure Security Center identifies potential security issues and vulnerabilities, it creates recommendations that guide you through the process of configuring the needed controls to harden and protect your Azure resources.

Note: As example, this conformity rule demonstrates how to analyze and implement a Security Center recommendation that propose designating more than one owner to your Microsoft Azure subscriptions in order to have administrator access redundancy.

Audit

To check for Security Center recommendations within your Azure cloud account, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade.

03 In the left navigation panel, click Overview, select Subscriptions, and choose the Azure subscription that you want to examine from the Default subscription filter dropdown menu.

04 In the navigation panel, under RESOURCE SECURITY HYGIENE, select Recommendations to access the list with the security recommendations generated for the selected subscription.

05 On the Recommendations page, switch off Group by controls setting to disable grouping, and click on the active recommendation that you want to examine.

06 Analyze the selected Azure Security Center recommendation by verifying the following attributes:

  1. Description – an explicit description of the security issue found.
  2. General Information – describes the level of user impact after implementing the suggested remediation steps and the level of the implementation effort for the recommended remediation process.
  3. Remediation steps – step-by-step instructions on how to implement the selected Azure Security Center recommendation in order to fix the issue.
  4. Affected resources – the identifier(s) of the impacted Azure cloud resource(s).

07 Follow the instructions outlined at the previous step, in the Remediation steps section, to implement the recommended fix (see Remediation/Resolution section).

08 Repeat steps no. 5 – 7 for each security recommendation identified within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run account list command (Windows/macOS/Linux) using custom query filters to list the identifiers (IDs) of all the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested Azure subscription IDs:

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-1234-abcd-1234-abcd1234abcd"
]

03 Run security task list command (Windows/macOS/Linux) using the ID of the Azure cloud subscription that you want to examine as identifier parameter and custom output filters, to list the name of each security task (recommendation) generated for the selected subscription:

az security task list
	--subscription "abcdabcd-1234-abcd-1234-abcdabcdabcd"
	--query '[*].name'

04 The command output should return the requested recommendation name(s):

[
  "abcd1234-abcd-1234-abcd-abcd1234abcd",
  "12341234-abcd-1234-abcd-123412341234",
  "abcd1234-1234-abcd-1234-abcd1234abcd"
]

05 Run security task show command (Windows/macOS/Linux) using the name of the Azure Security Center recommendation that you want to examine as identifier parameter, to describe the selected security task (recommendation) details:

az security task show
	--name "abcd1234-abcd-1234-abcd-abcd1234abcd"

06 The command output should return the requested information (JSON format):

{
  "creationTimeUtc": "2020-06-02T15:32:18.602725+00:00",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups//providers/Microsoft.Security/locations/centralus/tasks/abcd1234-1234-abcd-1234-abcd1234abcd",
  "lastStateChangeTimeUtc": "2020-06-02T15:32:18.602725+00:00",
  "name": "abcd1234-abcd-abcd-abcd-abcd1234abcd",
  "resourceGroup": "",
  "securityTaskParameters": {
    "assessmentKey": "abcd1234-1234-abcd-1234-abcd1234abcd",
    "category": "IdentityAndAccess",
    "details": [],
    "name": "GenericSecurityTask",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abcd1234-1234-abcd-1234-abcd1234abcd",
    "policyName": "There should be more than one owner assigned to your subscription",
    "resourceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd",
    "resourceType": "Subscription",
    "severity": "High",
    "uniqueKey": "/subscriptions/abcd1234-1234-abcd-1234-abcd1234abcd_abcd1234-1234-abcd-1234-abcd1234abcd"
  },
  "state": "Active",
  "subState": "NA",
  "type": "Microsoft.Security/locations/centralus/tasks"
}

07 Analyze the information returned at the previous step by checking the following attributes:

  1. "state" – the status of the selected security recommendation (e.g. active).
  2. "securityTaskParameters.name" – the generic name of the security task (i.e. recommendation).
  3. "securityTaskParameters.policyName" – the name of the selected Security Center recommendation policy which is also a concise description of the security issue identified.
  4. "securityTaskParameters.severity" – the severity level of the selected security task.
  5. "securityTaskParameters.resourceType" – the type of the impacted Azure cloud resource.
  6. "securityTaskParameters.resourceId" – the ID of the impacted cloud resource.

08 Based on the information found at the previous steps, follow the instructions outlined in the Remediation/Resolution section to implement the recommended security fix.

09 Repeat step no. 5 – 8 for each security recommendation available within the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To put the specified Azure Security Center recommendation into action (i.e. assign co-owners to your cloud subscriptions to provide administrator access redundancy at the subscription level), perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal as an account owner.

02 Navigate to Subscriptions blade at https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade.

03 Click on the name of the Azure subscription that you want to access.

04 In the navigation panel, choose Access control (IAM), then select Role assignments to access the list with the role assignments available for the selected subscription.

05 On the Role assignments page, click Add and Add role assignment to open the Add role assignment configuration panel.

06 On the Add role assignment panel, perform the following commands:

  1. From the Role dropdown list, select Owner. The Owner role gives the specified user full administrator access to all Azure resources available in the subscription, including the permission to grant access to others.
  2. From Assign access to dropdown list, select Azure AD user, group, or service principal option as the type of security principal to assign the role to.
  3. From the Select list, choose the user that you want to assign the selected role to. If you cannot find the principal in the list, use the Select search box to search the directory for display names or email addresses.
  4. Click Save to assign the selected role. Once the role assignment is done, the selected Microsoft Azure account subscription will have 2 active subscription owners.

07 Repeat steps no. 3 – 6 to implement the specified Security Center recommendation for other subscriptions available in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run role assignment create command (Windows/macOS/Linux) using the ID of the Azure cloud subscription that you want to reconfigure as identifier parameter (see Audit section part I to identify the appropriate subscription), to create a new Owner role assignment for an Azure user with the name "azowner_trendmicro@azotrendmicro.onmicrosoft.com", at the selected subscription level. Once the role assignment is done, the selected cloud account subscription will have two active subscription owners:

az role assignment create
	--role "Owner"
	--assignee azowner_trendmicro@azotrendmicro.onmicrosoft.com
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

02 The command output should return the new role assignment metadata:

{
  "canDelegate": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleAssignments/1234abcd-1234-abcd-1234-abcd1234abcd",
  "name": "1234abcd-1234-abcd-1234-abcd1234abcd",
  "principalId": "1234abcd-abcd-abcd-abcd-abcd1234abcd",
  "principalType": "User",
  "roleDefinitionId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleDefinitions/1234abcd-abcd-abcd-abcd-abcd1234abcd",
  "scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "type": "Microsoft.Authorization/roleAssignments"
}

03 Repeat step no. 1 and 2 to implement the selected Security Center recommendation for other subscriptions created within your Microsoft Azure cloud account.

References

Publication date Jul 29, 2020

Unlock the Remediation Steps

Gain free unlimited access to our full Knowledge Base


Over 600 rules & best practices for and

Get started for FREE

A verification email will be sent to this address
We keep your information private. Learn more.

Thank you!

Please click the link in the confirmation email sent to

You are auditing:

Check for Azure Security Center Recommendations

Risk level: