BRS for FrontDoor CDN #294

Open: wants to merge 32 commits into base: main
32 commits
5e8927e  Files  (Nov 30, 2022)
b6b7ecd  Changes  (Dec 6, 2022)
59e55c6  Changes  (Dec 13, 2022)
e0eb276  Changes  (Dec 14, 2022)
b599c5c  changes  (Dec 14, 2022)
20c26e1  Changes  (Dec 15, 2022)
5b6bbdb  Changes  (Dec 15, 2022)
ed6e57e  Changes  (Dec 16, 2022)
680450a  Changes  (Dec 16, 2022)
20f9080  Changes  (Dec 16, 2022)
e372ebb  changes  (Dec 16, 2022)
48f5dea  changes  (Dec 16, 2022)
faec7a0  Changes  (Dec 16, 2022)
a31df0d  hihh  (Dec 16, 2022)
424c84e  changes  (Dec 16, 2022)
55948e1  Delete Remediate-EnableWAFPolicyForFrontDoorCDN.ps1  (abhikash01, Dec 16, 2022)
68f4030  Delete Remediate-ConfigureWAFPolicyForFrontDoorCDN.ps1  (abhikash01, Dec 16, 2022)
b13dd53  Changes  (Dec 20, 2022)
b84cf64  Merge branch 'users/abhishek/frontdoorcdnbrs' of https://github.com/a…  (Dec 20, 2022)
6402d14  Revert "Changes"  (Dec 20, 2022)
04b9a0f  Revert "Changes"  (Dec 20, 2022)
1597f95  Revert  (Dec 20, 2022)
f882c1e  Merge branch 'users/abhishek/frontdoorcdnbrs' of https://github.com/a…  (Dec 20, 2022)
c061b13  Revert "Merge branch 'users/abhishek/frontdoorcdnbrs' of https://gith…  (Dec 20, 2022)
2e9236f  Revert "Changes"  (Dec 21, 2022)
772bd17  Delete Remediate-EnableWAFPolicyForFrontDoorCDN.ps1  (abhikash01, Dec 21, 2022)
b525c9b  Changes  (Dec 21, 2022)
e485cca  Delete Remediate-ConfigureWAFPolicyForFrontDoorCDN.ps1  (abhikash01, Dec 21, 2022)
94d7d70  commit message  (Dec 21, 2022)
d8152e0  Merge branch 'users/abhishek/frontdoorcdnbrs' of https://github.com/a…  (Dec 21, 2022)
ce17bf8  Merge remote-tracking branch 'origin/main' into users/abhishek/frontd…  (jaiswalricha, Dec 22, 2022)
a052c82  Remediated File added  (jaiswalricha, Dec 22, 2022)
65 changes: 65 additions & 0 deletions Control coverage/Feature/CDN.md
Expand Up @@ -5,6 +5,7 @@
<!-- TOC -->

- [Azure_CDN_DP_Enable_Https](#azure_cdn_dp_enable_https)
- [Azure_FrontDoor_CDNProfile_NetSec_Enable_WAF_Configuration](#azure_frontdoor_cdnprofile_netsec_enable_waf_configuration)

<!-- /TOC -->
<br/>
Expand Down Expand Up @@ -60,5 +61,69 @@ One of the following conditions is met:
/subscriptions/{subscriptionId}/resourceGroups/{resourcegroupName}/providers/Microsoft.Cdn/profiles/{profileName}/endpoints?api-version=2019-12-31<br />
**Properties:**
properties.isHttpAllowed, properties.isHttpsAllowed, properties.deliveryPolicy.rules

<br />

___


## Azure_FrontDoor_CDNProfile_NetSec_Enable_WAF_Configuration

### Display Name
Front Door should have Web Application Firewall configured

### Rationale
Azure Web Application Firewall (WAF) on Azure Front Door provides centralized protection for your web applications. WAF defends your web services against common exploits & vulnerablities. It keeps your service highly available for your users and helps you meet compliance requirements.

### Control Spec

> **Passed:**
> Web Application Firewall has been configured on Front Door CDN </br>
> and Configured WAF Policy mode must be Prevention only. </br>
> and Configured WAF Policy mode must be in Enabled State only. </br>
>
> **Failed:**
> WAF is not configured on Front Door CDN. </br>
> or Configured WAF Policy mode is not Prevention. </br>
> or Configured WAF Policy mode is not in Enabled State. </br>
>
> **Error:**
> There was an error fetching WAF Configuration details of Front Door CDN.
>
### Recommendation
- **Azure Portal**

Use the Azure portal to configure WAF Policy on the Front Door CDN.<br/>

- **Powershell**

Use following Powershell Bulk Remediation scripts to Configure WAF Policy on the Front Door CDN: <br/>
You can configure WAF Policy on Front Door using below BRS:<br/>
[Remediate-ConfigureWAFPolicyForFrontDoorCDN](../../Scripts/RemediationScripts/Remediate-ConfigureWAFPolicyForFrontDoorCDN.ps1) <br/>
You can enable State of WAF Policy configured on Front Door using below BRS: <br/>
[Remediate-EnableWAFPolicyForFrontDoorCDN](../../Scripts/RemediationScripts/Remediate-EnableWAFPolicyForFrontDoorCDN.ps1) <br/>
You can enable Prevention Mode on WAF Policy configured on Front Door using below BRS: <br/>
[Remediate-EnableWAFPolicyPreventionModeForFrontDoorCDN](../../Scripts/RemediationScripts/Remediate-EnableWAFPolicyPreventionModeForFrontDoorCDN.ps1) <br/>

### Azure Policy or ARM API used for evaluation

- ARM API to get Front Door resources in a subscription: /subscriptions/{0}/
/subscriptions/{0}/providers/Microsoft.Cdn/profiles?api-version=2021-06-01
**Properties:** [*]
<br />

- ARM API to get Front Door Endpoints resources in a subscription: /subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Cdn/profiles/{2}/afdEndpoints?api-version=2021-06-01<br />
**Properties:** [*].properties.hostname, [*].properties.enabledState,
<br />

- ARM API to get WAF Policies in a subscription: /subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies?api-version=2020-11-01<br />
**Properties:** [*].properties.policySettings
<br />

- ARM API to get Security Policies in a subscription:
/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Cdn/profiles/{2}/securityPolicies?api-version=2021-06-01<br />
**Properties:** [*].properties.parameters
<br />

___
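Review bot: the Control Spec block should say explicitly that the WAF requirement applies to every enabled endpoint of the profile, not to the profile as a whole: the evaluation reads afdEndpoints ([*].properties.enabledState) and securityPolicies ([*].properties.parameters) separately, and "Web Application Firewall has been configured on Front Door CDN" can be read as satisfied by a single association, while an endpoint with no security policy attached receives no WAF inspection at all. It is also worth one sentence in Rationale on why Prevention mode is a Passed condition: in Detection mode matched requests are only logged and still reach the origin, so a policy in Detection mode enforces nothing. Smaller fixes in the same hunk: "vulnerablities" -> "vulnerabilities"; the `</br>` tags in the spec block are not valid HTML and should be `<br/>` as elsewhere in the file; the first ARM API bullet ends its first line with a dangling "/subscriptions/{0}/" before the full path on the next line; "[*].properties.enabledState," has a trailing comma; "Use following Powershell Bulk Remediation scripts" -> "Use the following PowerShell bulk remediation scripts".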

2 changes: 2 additions & 0 deletions Control coverage/README.md
Expand Up @@ -44,6 +44,8 @@ Below resource types can be checked for validating the security controls:
|[VirtualMachineScaleSet](Feature/VirtualMachineScaleSet.md)|Microsoft.Compute/virtualMachineScaleSets|
|[VirtualNetwork](Feature/VirtualNetwork.md)|Microsoft.Network/virtualNetworks|



## Externally Scanned controls in Azure Tenant Security (AzTS)

There are certain controls that cannot be effectively evaluated by AzTS (due to various limitations for e.g. some controls requires VM instances to be in running state) for such controls AzTS will put verification result as 'ExtScanned'. And effective verification result of such controls should be determined based on external feeds later (if available).
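Review bot: whitespace-only change: the two added lines above the "Externally Scanned controls in Azure Tenant Security (AzTS)" heading are blank, so nothing in README.md references the new control after this hunk; either add the intended entry or drop the hunk to keep the diff focused.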
27 changes: 26 additions & 1 deletion Scripts/RemediationScripts/Readme.md
Expand Up @@ -40,6 +40,7 @@ Bulk remediation scripts (BRS) can be used to remediate non-compliant resources/
28. [Azure_Storage_DP_Use_Secure_TLS_Version_Trial](Readme.md#28-Azure_Storage_DP_Use_Secure_TLS_Version_Trial)
29. [Azure_ApplicationGateway_NetSec_Enable_WAF_Configuration](Readme.md#29-Azure_ApplicationGateway_NetSec_Enable_WAF_Configuration)
30. [Azure_LoadBalancer_NetSec_Restrict_Network_Traffic](Readme.md#30-Azure_LoadBalancer_NetSec_Restrict_Network_Traffic)
32. [Azure_FrontDoor_CDNProfile_NetSec_Enable_WAF_Configuration](Readme.md#32-Azure_FrontDoor_CDNProfile_NetSec_Enable_WAF_Configuration)



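Review bot: the list jumps from 30 to 32 with no entry 31 in this hunk; either number the new control 31 (renaming the "## 32." heading and the `Readme.md#32-...` anchor to match) or add the missing entry 31 in the same PR, so the numbering and the anchors stay in step.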
Expand Down Expand Up @@ -606,7 +607,6 @@ Yes
___



## 29. Azure_ApplicationGateway_NetSec_Enable_WAF_Configuration

### Display Name
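Review bot: unrelated whitespace change: this hunk only removes one blank line above "## 29. Azure_ApplicationGateway_NetSec_Enable_WAF_Configuration"; keep it if section spacing is being normalised deliberately, otherwise drop it to keep the diff to the Front Door control.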
Expand Down Expand Up @@ -651,6 +651,31 @@ Yes
___


## 32. Azure_FrontDoor_CDNProfile_NetSec_Enable_WAF_Configuration

### Display Name
WAF Policy should be configured on Endpoints in Front Door

### Link to Bulk Remediation Script (BRS)
You can Configure WAF Policy on Front Door CDN using below BRS: <br/>
[Remediate-ConfigureWAFPolicyForFrontDoorCDN](Remediate-ConfigureWAFPolicyForFrontDoorCDN.ps1) <br/>
You can enable State of WAF Policy configured on Front Door using below BRS: <br/>
[Remediate-EnableWAFPolicyForFrontDoorCDN](Remediate-EnableWAFPolicyForFrontDoorCDN.ps1) <br/>
You can enable Prevention Mode on WAF Policy configured on Front Door using below BRS: <br/>
[Remediate-EnableWAFPolicyPreventionModeForFrontDoorCDN](Remediate-EnableWAFPolicyPreventionModeForFrontDoorCDN.ps1) <br/>

### Minimum permissions required to run the script
Contributor role at resource level

### [Supports managed identity](Readme.md#supports-managed-identity-based-remediations) based remediation
Yes

### Supports rollback?
Yes


___


## Supports managed identity based remediations
Both System assigned and User assigned managed identities are supported.
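Review bot: the Display Name here ("WAF Policy should be configured on Endpoints in Front Door") differs from the one in Control coverage/Feature/CDN.md ("Front Door should have Web Application Firewall configured"); both files should carry the same string, since operators match BRS entries to control results by it. Please also confirm that Remediate-ConfigureWAFPolicyForFrontDoorCDN.ps1 and Remediate-EnableWAFPolicyForFrontDoorCDN.ps1 exist in the final tree: the commit list shows each deleted twice (55948e1, 68f4030, 772bd17, e485cca) with only "Remediated File added" afterwards, so these two links may be dangling. "Contributor role at resource level" should name the resources: the remediation touches the Front Door profile (security policies under Microsoft.Cdn/profiles) and the WAF policy (Microsoft.Network/frontDoorWebApplicationFirewallPolicies), which can sit in different resource groups, so Contributor on the profile alone may not be enough. Minor: "You can Configure WAF Policy" -> "You can configure WAF Policy".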