When managing cloud resources at scale, declarative frameworks help consolidate scripts, improve resource visibility, and control access. Azure Resource Manager (ARM) is the built-in service for teams looking to more efficiently manage and deploy Azure resources at scale. Another benefit of utilizing declarative templates such as ARM is that they provide an opportunity to implement security controls earlier, eradicating the need to find and remediate misconfigurations down the line in production.
To help teams automate that process, Bridgecrew now supports ARM template misconfiguration scanning in addition to monitoring of deployed Azure resources.
Getting started with Bridgecrew for ARM templates
Bridgecrew is designed to find cloud misconfigurations at run-time and to prevent them at build-time. The simplest way to integrate ARM template scanning is by connecting a code repository. Bridgecrew supports GitHub (Cloud & Enterprise) as well as Bitbucket and GitLab. Create a new account on Bridgecrew to get started. After you successfully log in, go to Integrations, select your source control provider, authorize the Bridgecrew app, and select which repositories you’d like to cover.
From that point, Bridgecrew will automatically identify any infrastructure-as-code template files and analyze them using built-in security and compliance policies.
To get end-to-end coverage for your Azure cloud managed with ARM templates, we recommend connecting Bridgecrew with both your Microsoft Azure environment and your ARM templates. Connecting Bridgecrew to an Azure subscription enables Bridgecrew to read configurations from Azure Resource Manager and identify misconfigurations.
You can also include a Bridgecrew ARM template scan as part of a build job or run it locally on a Windows workstation. For that, you’ll need an API Token. It’s located in the Integrations tab under the Continuous Integration category. Simply copy the API Token and you are ready to go.
Installing Bridgecrew CLI
Let’s start by walking you through using Bridgecrew CLI to scan an ARM template to identify security configuration issues within the code. In the Microsoft Azure spirit, this blog uses Bridgecrew on Windows, but it can easily be adapted to a Linux or Mac setup.
There are two approaches to using Bridgecrew on Windows: Python or Docker.
If you’re using Python, take the following steps:
Install Bridgecrew CLI:
pip install bridgecrew
Now install a helper script in your path so that Bridgecrew CLI can run. For my deployment I used the directory below, which is already in my path:
cd C:\Users\<my_username>\AppData\Local\Microsoft\WindowsApps
curl -o bridgecrew.cmd https://raw.githubusercontent.com/bridgecrewio/bridgecrew/master/bin/bridgecrew.cmd
Verify that Bridgecrew CLI runs:
bridgecrew -v
This should return a version (1.0.458 at the time of writing).
If you’re using Docker, take the following steps:
Download the Bridgecrew Docker image and verify it runs:
docker pull bridgecrew/bridgecrew
docker run -it bridgecrew/bridgecrew -v
This should return a version (1.0.458 at the time of writing).
Identifying misconfigurations in ARM templates
Now that we have Bridgecrew CLI installed, we’ll walk through using it to scan an ARM template. For the remainder of this tutorial, I’ll use Bridgecrew directly in Python. However, if you are using the Docker approach, just replace “bridgecrew” in the command with “docker run -it bridgecrew/bridgecrew” and use the same flags after the command.
First, look at all the checks provided for ARM templates today. We have an initial 42 checks, but this number will grow as we continue to add additional coverage.
bridgecrew -l --framework arm
Next, get an ARM template to scan. We will use a WordPress example from the Azure quickstart templates:
git clone https://github.com/Azure/azure-quickstart-templates.git
cd azure-quickstart-templates\wordpress-mysql-replication
bridgecrew -d . --bc-api-key <key> --repo-id <repo_id> --branch <branch>
If using Docker, the same command with a volume mount of the local directory is:
docker run -t -v %cd%:/arm bridgecrew/bridgecrew -d /arm --bc-api-key <key> --repo-id <repo_id> --branch <branch>
Look through the results for the various security misconfigurations that were identified:
[Bridgecrew ASCII banner]
by bridgecrew.io | version: 1.0.455

arm scan results:

Passed checks: 0, Failed checks: 6, Skipped checks: 0

Check: CKV_AZURE_15: "Ensure web app is using the latest version of TLS encryption"
	FAILED for resource: Microsoft.Web/sites.[parameters('siteName')]
	Guide: https://docs.bridgecrew.io/docs/bc_azr_networking_6
	File: /nested/website.json:70-128
...
Bridgecrew then identifies all passing and failing resources, including the file and lines of the template that need fixing. This allows you to catch issues before deploying a template into your environment.
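As an added example (not part of the original post and not Bridgecrew's own code), the following Python parses result blocks in the text format shown above into structured findings and applies a simple CI gate on top of them. The sample output is constructed to match that format; the second block (CKV_AZURE_14, a PASSED result) is constructed sample data.

```python
import re

# Constructed sample in the format Bridgecrew CLI prints (one FAILED, one PASSED block).
SAMPLE_OUTPUT = """\
arm scan results:

Passed checks: 1, Failed checks: 1, Skipped checks: 0

Check: CKV_AZURE_15: "Ensure web app is using the latest version of TLS encryption"
\tFAILED for resource: Microsoft.Web/sites.[parameters('siteName')]
\tGuide: https://docs.bridgecrew.io/docs/bc_azr_networking_6
\tFile: /nested/website.json:70-128
Check: CKV_AZURE_14: "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service"
\tPASSED for resource: Microsoft.Web/sites.[parameters('siteName')]
\tFile: /nested/website.json:70-128
"""

# One result block: Check line, status line, optional Guide line, File line with a line range.
RESULT_RE = re.compile(
    r'Check: (?P<id>CKV_[A-Z0-9_]+): "(?P<title>[^"]*)"\s+'
    r'(?P<status>PASSED|FAILED) for resource: (?P<resource>[^\n]+?)\s+'
    r'(?:Guide: (?P<guide>\S+)\s+)?'
    r'File: (?P<file>[^:\n]+):(?P<start>\d+)-(?P<end>\d+)'
)

def parse_results(text):
    """Turn the CLI text into dicts with id, title, status, resource, guide, file, start, end."""
    findings = []
    for m in RESULT_RE.finditer(text):
        f = m.groupdict()
        f["start"], f["end"] = int(f["start"]), int(f["end"])
        findings.append(f)
    return findings

def failed_checks(text):
    """Only the FAILED results, i.e. what must be fixed or explicitly suppressed before merge."""
    return [f for f in parse_results(text) if f["status"] == "FAILED"]

def build_should_fail(text, accepted_risk=()):
    """CI gate: True when any FAILED check id is not on the accepted-risk list."""
    return any(f["id"] not in accepted_risk for f in failed_checks(text))

if __name__ == "__main__":
    for f in failed_checks(SAMPLE_OUTPUT):
        print(f"{f['id']} {f['file']}:{f['start']}-{f['end']} {f['resource']}")
    print("fail build:", build_should_fail(SAMPLE_OUTPUT))
```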
As with the other infrastructure-as-code tools we support, such as Terraform and CloudFormation, Bridgecrew allows you to suppress a failed check in an ARM template. Instead of inline comments, which JSON does not allow, we use a metadata object in the template. Resource Manager ignores the metadata object, so the suppression does not break other tools that read the JSON.
For this example, we are going to skip the minimum TLS version check shown above. This would be useful if our application still needed to support legacy clients.
Using a text editor, open the file indicated by Bridgecrew CLI, in this case nested/website.json. Go to the lines indicated in the check (70-128) and add a metadata suppression including your justification, as shown below:
Now rerun the check against this file and you will see that the resource is suppressed.
It is worth noting that if you need to suppress multiple checks for a resource you can use an array for that as shown below:
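An added example, not code from the original post or from Bridgecrew, covering both the single suppression and the array form described above: the following Python records one or more suppressions in a resource's metadata object and reads them back, refusing any skip that has no justification. The minimal template is constructed, and the metadata layout (a checkov-style metadata.checkov.skip array of id/comment entries) is an assumption, since the page does not show the exact keys.

```python
import copy
import json

# Constructed minimal ARM template holding the web app resource flagged by CKV_AZURE_15 above.
TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"siteName": {"type": "string"}},
    "resources": [
        {
            "type": "Microsoft.Web/sites",
            "apiVersion": "2019-08-01",
            "name": "[parameters('siteName')]",
            "location": "[resourceGroup().location]",
            "properties": {},
        }
    ],
}

# Assumed layout: metadata.<SKIP_KEY>.skip = [{"id": ..., "comment": ...}]; the page does not state the key.
SKIP_KEY = "checkov"

def add_suppressions(resource, skips):
    """Record (check_id, justification) pairs in the resource's metadata object.

    Resource Manager ignores metadata, so the deployment itself is unchanged.
    A skip with an empty justification is rejected so every exception carries its reason.
    """
    skip_list = resource.setdefault("metadata", {}).setdefault(SKIP_KEY, {}).setdefault("skip", [])
    for check_id, comment in skips:
        if not comment.strip():
            raise ValueError(f"suppression of {check_id} needs a justification")
        if all(s["id"] != check_id for s in skip_list):  # idempotent: no duplicate entries
            skip_list.append({"id": check_id, "comment": comment})
    return resource

def suppressed_checks(resource):
    """Return the check ids suppressed on a resource (empty list if none)."""
    return [s["id"] for s in resource.get("metadata", {}).get(SKIP_KEY, {}).get("skip", [])]

def suppress_in_template(template, resource_name, skips):
    """Return a deep copy of `template` with the suppressions applied to the named resource."""
    out = copy.deepcopy(template)
    for res in out["resources"]:
        if res["name"] == resource_name:
            add_suppressions(res, skips)
    return out

if __name__ == "__main__":
    patched = suppress_in_template(TEMPLATE, "[parameters('siteName')]",
                                   [("CKV_AZURE_15", "Legacy clients still require TLS 1.0/1.1")])
    print(json.dumps(patched["resources"][0]["metadata"], indent=2))
```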
Automating ARM template scanning
To ensure that your ARM templates aren’t misconfigured before deployment, it’s best practice to integrate Bridgecrew with your code review processes. With Bridgecrew’s source control and CI/CD integrations, you can get continuous scanning and automated remediation of misconfigurations. You can run Bridgecrew CLI as a GitHub Action, a CircleCI orb, or a Jenkins job.
Then, when your scans run, the results will be reported back in the Bridgecrew platform where misconfigurations are tracked, grouped by category, and prioritized with all context inline. To save time manually implementing fixes, Bridgecrew also enables teams to open pull requests containing all the necessary code.
In our goal to provide more preventative cloud governance, we’re thrilled to take our platform a step beyond what traditional cloud security solutions offer when it comes to Azure security. Bridgecrew prevents ARM security issues from being deployed in the first place and automates the remediation of misconfigurations at the source to keep them from resurfacing down the road.
To get started with Bridgecrew and take your Azure security to the next level, sign up for a free account.