[FEATURE] - Implement Access Control probe #12

Open
lluuiissoo opened this issue Apr 26, 2021 · 2 comments
@lluuiissoo (Contributor):
Please write a rough BDD specification
[Replace sample below with actual BDD specification. See Gherkin syntax for reference: https://cucumber.io/docs/gherkin/reference]

Feature: Object Storage Can Only Be Accessed By Authorized Users

  As a Cloud Security Architect
  I want to ensure that suitable security controls are applied to Object Storage
  So that my organisation's data can only be accessed by authorized users

    Background:
      Given an Azure subscription is available
      And azure resource group specified in config exists

    Scenario: Prevent Object Storage from Being Created With Anonymous Access
      Then an attempt to create a storage account "without" anonymous access "succeeds"
      But an attempt to create a storage account "with" anonymous access "fails"

Who is the SME validating this scenario?
@iantivey

Please describe a proposed implementation for the above scenario

| Scenario Step | Implementation Plan |
| --- | --- |
| Then an attempt to create a storage account "without" anonymous access "succeeds" | Attempt to create storage account without public access; validate that it succeeds. |
| But an attempt to create a storage account "with" anonymous access "fails" | Attempt to create storage account with public access; validate that it fails. |
lluuiissoo self-assigned this Apr 26, 2021
@iantivey (Contributor):
Looks good.

We could extend it like this:

Scenario:
And an attempt to create a storage account "without" anonymous access "succeeds"
When the probr user is given appropriate RBAC role on the storage account
Then accessing the storage account anonymously fails
But accessing the storage account with the logged in probr user succeeds
| Scenario Step | Implementation Plan |
| --- | --- |
| the probr user is given appropriate RBAC role on the storage account | Check if probr user has tbd RBAC role on the storage account (i.e. inherited from resource group). If not then add it to the storage account. This is more complicated than it sounds, so we should discuss how to do this. |
| accessing the storage account anonymously fails | Try to LIST objects in the storage account without being logged into Azure. |
| accessing the storage account with the logged in probr user succeeds | Try to LIST objects in the storage account with the logged in probr user. |

@iantivey (Contributor):
In terms of the RBAC step above, it's likely there are custom roles set up for storage accounts. So the probr user will need to

  1. enumerate all of the RBAC role assignments on the storage account. In terms of coding, if you use an atScope() filter it gives you all inherited roles on that object.
  2. for each role assignment, get the role definition and look for a specific RBAC action (need to research which one).
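The RBAC step in the extended scenario ("check if probr user has tbd RBAC role on the storage account, i.e. inherited from resource group") and the two-step enumeration in the last comment (list assignments at scope, resolve each role definition, look for a specific action) can be worked through offline. The following Go is an added example written for this page; it is not probr code and nothing in the thread specifies it. The assignments slice stands in for what a role-assignment list with the atScope() filter returns, and the defs map for the role definitions fetched by roleDefinitionId. Everything in the sample data is constructed: the subscription, resource group, storage account names, principal IDs and role definition IDs are fictitious, and because the thread has not yet decided which action to require, the containers/read and blobs/read actions are placeholders. Role definitions are simplified to one permissions block each (Azure allows several, which are unioned).

```go
package main

import "strings"

// Subset of the Azure role assignment and role definition objects this check needs
// (one permissions block per role; Azure allows several, which are unioned).
type RoleAssignment struct{ PrincipalID, Scope, RoleDefinitionID string }
type RoleDefinition struct {
	RoleName                                         string
	Actions, NotActions, DataActions, NotDataActions []string
}

// glob implements Azure RBAC action matching on lower-cased strings: '*' matches any
// run of characters, '/' included, so "*/read" covers every read action.
func glob(p, s string) bool {
	for p != "" {
		if p[0] == '*' {
			if p = strings.TrimLeft(p, "*"); p == "" {
				return true
			}
			for i := 0; i <= len(s); i++ {
				if glob(p, s[i:]) {
					return true
				}
			}
			return false
		}
		if s == "" || p[0] != s[0] {
			return false
		}
		p, s = p[1:], s[1:]
	}
	return s == ""
}

// Grants is true when an allow pattern matches action and no deny pattern does.
// Control-plane actions use actions/notActions; data-plane operations such as reading
// blobs use dataActions/notDataActions, so a role with only "*/read" grants no blob read.
func (rd RoleDefinition) Grants(action string, dataPlane bool) bool {
	action = strings.ToLower(action)
	match := func(patterns []string) bool {
		for _, p := range patterns {
			if glob(strings.ToLower(p), action) {
				return true
			}
		}
		return false
	}
	allow, deny := rd.Actions, rd.NotActions
	if dataPlane {
		allow, deny = rd.DataActions, rd.NotDataActions
	}
	return match(allow) && !match(deny)
}

// appliesTo mirrors the atScope() filter: an assignment at scope s covers resourceID
// when s is the resource itself or an ancestor (resource group, subscription).
func appliesTo(s, resourceID string) bool {
	s, r := strings.ToLower(strings.TrimRight(s, "/")), strings.ToLower(resourceID)
	return r == s || strings.HasPrefix(r, s+"/")
}

// PrincipalHasAction walks the assignments for principalID that apply to resourceID,
// resolves each role definition and returns the first role that grants action.
func PrincipalHasAction(principalID, resourceID, action string, dataPlane bool,
	assignments []RoleAssignment, defs map[string]RoleDefinition) (bool, string) {
	for _, ra := range assignments {
		if !strings.EqualFold(ra.PrincipalID, principalID) || !appliesTo(ra.Scope, resourceID) {
			continue
		}
		if def, ok := defs[strings.ToLower(ra.RoleDefinitionID)]; ok && def.Grants(action, dataPlane) {
			return true, def.RoleName
		}
	}
	return false, ""
}

// Constructed sample data, not real Azure output: fictitious subscription, resource group,
// storage account and role definition IDs. The action to require is still open in the
// thread; containers/read and blobs/read below are placeholders.
const (
	RG       = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/probr-rg"
	Account  = RG + "/providers/Microsoft.Storage/storageAccounts/probrstore"
	ListCont = "Microsoft.Storage/storageAccounts/blobServices/containers/read"
	ListBlob = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
	ListKeys = "Microsoft.Storage/storageAccounts/listKeys/action"
)

func SampleData() ([]RoleAssignment, map[string]RoleDefinition) {
	defs := map[string]RoleDefinition{
		"rd-reader": {RoleName: "Reader (sample)", Actions: []string{"*/read"}},
		"rd-ops":    {RoleName: "Storage Operator (custom sample)", Actions: []string{"Microsoft.Storage/storageAccounts/*"}, NotActions: []string{ListKeys}},
		"rd-blob":   {RoleName: "Blob Data Reader (sample)", Actions: []string{ListCont}, DataActions: []string{ListBlob}},
	}
	assignments := []RoleAssignment{
		{"probr-sp", RG, "rd-reader"},    // inherited from the resource group
		{"probr-sp", Account, "rd-blob"}, // assigned directly on the storage account
		{"ops-sp", Account, "rd-ops"},
	}
	return assignments, defs
}
```

Against a real subscription the assignments come from listing role assignments for the storage account scope with `$filter=atScope()` (which is what returns the inherited resource-group and subscription assignments alongside direct ones), filtered to the probr principal's object ID, and each `roleDefinitionId` is fetched to populate the map. Two caveats the evaluator makes visible: a custom role's NotActions can carve out exactly the operation the probe needs even though a wildcard Action appears to cover it, and LISTing blobs is a data-plane operation, so a role that only carries control-plane `*/read` will pass a naive "has a reader role" check yet still fail the "accessing the storage account with the logged in probr user succeeds" step.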
