漏洞描述
Ensure that your Microsoft Azure virtual machines (VMs) have system-assigned managed identities enabled in order to allow secure virtual machine access to Azure resources such as key vaults and storage accounts.
azure-vm-managed-identity-unassigned: Azure VM Managed Identity Not Assigned
PoC代码[已公开]
id: azure-vm-managed-identity-unassigned
info:
name: Azure VM Managed Identity Not Assigned
author: princechaddha
severity: medium
description: |
Ensure that your Microsoft Azure virtual machines (VMs) have system-assigned managed identities enabled in order to allow secure virtual machine access to Azure resources such as key vaults and storage accounts.
impact: |
VMs without system-assigned managed identities may have inadequate security configurations, increasing the risk of unauthorized access to Azure resources.
remediation: |
Enable system-assigned managed identities on all Azure VMs to ensure secure access to other Azure services.
reference:
- https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
tags: cloud,devops,azure,microsoft,vm,azure-cloud-config
flow: |
code(1);
for (let VMData of iterate(template.vmList)) {
VMData = JSON.parse(VMData);
set("ids", VMData.id);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vm list --query '[*].{"id":id}'
extractors:
- type: json
name: vmList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vm show --ids "$ids" --query '{"IdentityConfig": identity}'
matchers-condition: and
matchers:
- type: word
words:
- '"IdentityConfig": null'
extractors:
- type: dsl
dsl:
- 'ids + " does not have a system-assigned managed identity enabled"'
# digest: 490a0046304402206cf13972d1b593fa49201ffeec556d2bbb0100d7a95324a8a7c2ea57a2197218022065dc0cd8afc9d336adedefa0108d79aa1e7df89e78cb6725273ddf1ab248701f:922c64590222798bb761d5b6d8e72950