Background on my environment: I run a custom organisation policy and added it to my Azure DevOps CI/CD pipeline. Next, I added the resource group AzSKRG and used the command
Get-AzSKAzureServicesSecurityStatus
to add an attestation status to some controls that, in my view, do not need to fail the pipeline. At this last step, however, I ran into some problems.
I am trying to write some runbooks and to verify that the controls "pass", so that my development team can run this in the pipeline without any hiccups; I only verify the controls once every 90 days (the validity period). The problem I have at the moment is that I cannot add an attestation status to these control IDs:
- Azure_APIManagement_AuthZ_Restrict_Caller_IPs
- Azure_APIManagement_DP_Restrict_Critical_APIs_Access
- Azure_KeyVault_AuthZ_Grant_Min_Access_policies
- Azure_APIManagement_DP_Use_Secure_TLS_Version
- Azure_APIManagement_DP_Dont_Reveal_Backend_Info
- Azure_APIManagement_AuthZ_Enable_Requires_Approval
For Key Vault, I do not know why I cannot add the attestation status. Here is the output of my PowerShell command:
```
================================================================================
AzSK Version: 3.8.0
================================================================================
Method Name: Get-AzSKAzureServicesSecurityStatus (GRS)
Input Parameters:
Name Alias Value
---- ----- -----
SubscriptionId s xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
DoNotOpenOutputFolder dnof True
ResourceType rt Microsoft.KeyVault/vaults
ResourceGroupNames rgns xxxxxxxxxx
ControlIds cids Azure_KeyVault_AuthZ_Grant_Min_Access_policies
ControlsToAttest cta All
AttestationStatus as NotAnIssue
JustificationText jt Quarterly check
You can also use: grs -s xxxxxxxxxxxxxxxxx -dnof -rt Microsoft.KeyVault/vaults -rgns xxxxxxxx Azure_KeyVault_AuthZ_Grant_Min_Access_policies -cta All -as NotAnIssue -jt Quarterly check
================================================================================
Running AzSK cmdlet using security policy...
Number of resources: 1
Number of resources for which security controls will be evaluated: 1
================================================================================
Starting analysis: [FeatureName: KeyVault] [ResourceGroupName: xxxxxxxxx] [ResourceName: xxxxxxxxxx]
--------------------------------------------------------------------------------
Checking: [KeyVault]-[All Key Vault access policies must be defined with minimum required permissions to keys and secrets]
--------------------------------------------------------------------------------
Completed analysis: [FeatureName: KeyVault] [ResourceGroupName: xxxxxxxxxxxx] [ResourceName: xxxxxxxx]
================================================================================
Summary Total Verify
------- ----- ------
High 1 1
------ ------ ------
Total 1 1
------ ------ ------
================================================================================
** Next steps **
Look at the individual control evaluation status in the CSV file.
a) If the control has passed, no action is necessary.
b) If the control has failed, look at the control evaluation detail in the LOG file to understand why.
c) If the control status says 'Verify', it means that human judgement is required to determine the final control status. Look at the control evaluation output in the LOG file to make a determination.
d) If the control status says 'Manual', it means that AzSK (currently) does not cover the control via automation OR AzSK is not able to fetch the data. You need to manually implement/verify it.
Note: The 'Recommendation' column in the CSV file provides basic (generic) guidance that can help you fix a failed control. You can also use standard Azure product documentation. You should carefully consider the implications of making the required change in the context of your application.
Control results may not reflect attestation if you do not have permissions to read attestation data from AzSKRG
--------------------------------------------------------------------------------
Status and detailed logs have been exported to path - C:\Users\xxxxxxxx\AppData\Local\Microsoft\AzSKLogs\xxxxxxxx\20181218_171945_GRS\
================================================================================
################################################################################
Starting Control Attestation workflow in bulk mode...
--------------------------------------------------------------------------------
Warning:
Please use utmost discretion when attesting controls. In particular, when choosing to not fix a failing control, you are taking accountability that nothing will go wrong even though security is not correctly/fully configured.
Also, please ensure that you provide an apt justification for each attested control to capture the rationale behind your decision.
Do you want to continue (Y/N): Y
--------------------------------------------------------------------------------
No. of candidate resources for the attestation: 1
================================================================================
Info: Starting attestation [1/1]- [FeatureName: KeyVault] [ResourceGroupName: xxxxxx] [ResourceName: xxxxxxxx]
--------------------------------------------------------------------------------
No. of controls that need to be attested: 1
--------------------------------------------------------------------------------
ControlId : Azure_KeyVault_AuthZ_Grant_Min_Access_policies
ControlSeverity : High
Description : All Key Vault access policies must be defined with minimum required permissions to keys and secrets
CurrentControlStatus : Verify
--------------------------------------------------------------------------------
Attestation summary for this resource:
ControlId EvaluatedResult EffectiveResult AttestationChoice
--------- --------------- --------------- -----------------
Azure_KeyVault_AuthZ_Grant_Min_Access_policies Verify Passed NotAnIssue
Committing the attestation details for this resource...
Commit succeeded.
--------------------------------------------------------------------------------
Completed attestation: [FeatureName: KeyVault] [ResourceGroupName: xxxxxxx] [ResourceName: xxxxxx]
```
As for the API Management control IDs, I looked in my PowerShell module folder
C:\Program Files\WindowsPowerShell\Modules\AzSK\3.8.0\Framework\Configurations\SVT\Services
and searched apimanagement.json for the control IDs,
but I cannot find them in that JSON file. Perhaps these controls do not exist in the PowerShell module but do exist in the AzSK pipeline task.
Answer 0 (score: 1)
Just upgrade to the latest version and run the scan command again. That should solve your problem.
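The check the question performed by hand (searching the installed module's SVT JSON files for the control IDs) and the answer's advice to upgrade can be combined into one script. This is an added example, not code from the question or from the AzSK project; it assumes that each JSON file under Framework\Configurations\SVT\Services carries a "Controls" array whose entries have a "ControlID" property.

```powershell
# Added example, not code from the question or from the AzSK project.
# Before attesting, check whether each control ID the question lists is
# defined in the installed AzSK module's SVT configuration. Assumption:
# each JSON file under Framework\Configurations\SVT\Services has a
# "Controls" array whose entries carry a "ControlID" property.
$controlIds = @(
    'Azure_APIManagement_AuthZ_Restrict_Caller_IPs',
    'Azure_APIManagement_DP_Restrict_Critical_APIs_Access',
    'Azure_KeyVault_AuthZ_Grant_Min_Access_policies',
    'Azure_APIManagement_DP_Use_Secure_TLS_Version',
    'Azure_APIManagement_DP_Dont_Reveal_Backend_Info',
    'Azure_APIManagement_AuthZ_Enable_Requires_Approval'
)

# Use the newest installed AzSK version; its ModuleBase is the folder the question browsed.
$module = Get-Module -Name AzSK -ListAvailable |
    Sort-Object -Property Version -Descending |
    Select-Object -First 1
if (-not $module) { throw 'AzSK module is not installed.' }

$svtDir = Join-Path -Path $module.ModuleBase -ChildPath 'Framework\Configurations\SVT\Services'
if (-not (Test-Path -Path $svtDir)) { throw "SVT configuration folder not found: $svtDir" }

# Map ControlID -> config file name for every control this module version knows about.
$known = @{}
foreach ($file in Get-ChildItem -Path $svtDir -Filter '*.json' -File) {
    $config = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json
    foreach ($control in @($config.Controls)) {
        if ($control.ControlID) { $known[$control.ControlID] = $file.Name }
    }
}

# Report which IDs can be attested with this module and which are unknown to it.
$missing = @()
foreach ($id in $controlIds) {
    if ($known.ContainsKey($id)) {
        '{0,-55} defined in {1}' -f $id, $known[$id]
    } else {
        '{0,-55} NOT defined in AzSK {1}' -f $id, $module.Version
        $missing += $id
    }
}
if ($missing.Count -gt 0) {
    $msg = '{0} control ID(s) are unknown to AzSK {1}; run Update-Module AzSK and re-run the scan before attesting them.' -f $missing.Count, $module.Version
    Write-Warning $msg
}
```

Only IDs reported as defined can receive an attestation with the Get-AzSKAzureServicesSecurityStatus parameters shown in the question; an attestation on an ID the module does not know is silently ineffective.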