Update your Azure Deployment for CIS Foundation Benchmarks
Alert Logic requires updates to your Azure deployments to comply with the Microsoft Azure Center for Internet Security (CIS) Foundation Benchmarks, an established best-practices baseline configuration guideline. The update strengthens your security posture by allowing Alert Logic to perform CIS benchmark checks on your deployments and expose vulnerabilities.
For more information about Microsoft Azure CIS Benchmarks, see cisecurity.org/benchmark/azure.
When you configured your Azure deployments, you created an app registration, and then used Azure role-based access control (RBAC) to create a role and assign it to that app registration in your Azure resources. You must update the role document you used to create the RBAC role, and then update the custom role with the new path to the role document. You must also grant certain permissions in your Azure resources so that the app registration can access Microsoft Graph and Key Vaults. These procedures require administrative permission in the Azure portal.
These instructions do not apply in the following cases:
- You have previously configured RBAC and are using user credentials. For guidance on what you must update if you have user credentials, see Update your Azure Deployment with User Credentials for CIS Foundation Benchmarks.
- This is your first time configuring an RBAC in your Azure resources. For guidance on how to configure your Azure resources for RBAC, app registration, and CIS benchmark checks, see Configure App Registration and RBAC for Microsoft Azure Resources.
A remediation to update your Azure deployments is listed on the Remediations page in the Alert Logic console.
You can generate a CIS Foundation Benchmark report for Azure in the Alert Logic console. For more information, see CIS Microsoft Azure Foundation Benchmark.
To update your Azure resources for CIS Benchmark checks, you must:
- Update the role document
- Update your RBAC role document
- Grant permissions to access Microsoft Graph
- Grant permissions to access Key vaults
Update the role document
You must replace the previous JSON file you saved when you first created an RBAC role.
- Create a new text file and copy the Alert Logic role into it. Note the directory where you save the file. You must know the path and file name for later.
- Make the following changes to the file:
  - In the "Name": "<Resource Explorer (Alert Logic)>" line, change the <Resource Explorer (Alert Logic)> entry to the name of your app registration.
  - In the "/subscriptions/<subscription id>" line, change the <subscription id> value to the subscription ID found in the Azure portal, on the Subscriptions blade.
- Save the text file as a JSON file.
Update your RBAC role document
You must update the custom RBAC role with the new path to the role document.
- Open either Azure CLI 2.0 or Azure PowerShell, log in to your Azure account, and then specify the default subscription.
  Azure CLI 2.0 commands:
  az login
  az account set --subscription <your subscription id>
  Azure PowerShell commands:
  Login-AzureRmAccount
  Get-AzureRmSubscription -SubscriptionName [your subscription name] | Select-AzureRmSubscription
- Update the following line with the new path to the role document, and then run it.
  Azure CLI 2.0 command:
  az role definition create --role-definition [path to the role document]
  Azure PowerShell command:
  New-AzureRmRoleDefinition -InputFile [path to the role document]
- In the Azure portal, under Subscriptions, select your subscription, and then click Access control (IAM).
- Click Roles to verify that the RBAC role you created appears in the portal.
If the role does not appear, refresh the list of roles.
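The two edits above are easy to get half right: a placeholder left in the file is only reported when `az role definition create` or `New-AzureRmRoleDefinition` rejects it, or, worse, the role is created with an empty or wrong assignable scope. The following script is an added example, not Alert Logic's code, that applies the two edits to a role document and checks the result before you run the create command. The template in it is a constructed stand-in for the Alert Logic role document (only the two placeholder lines named in the procedure are real; the Actions list is deliberately empty), and the app registration name and subscription id are constructed values.

```python
import json
import re
import uuid

# Constructed stand-in for the Alert Logic role document (assumption: the real
# document is not reproduced here). Only the two placeholder lines named in the
# procedure are real; the Actions list is left empty on purpose.
ROLE_TEMPLATE = """{
  "Name": "<Resource Explorer (Alert Logic)>",
  "IsCustom": true,
  "Description": "Constructed placeholder description",
  "Actions": [],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/<subscription id>"]
}"""

PLACEHOLDER_RE = re.compile(r"<[^<>]+>")
SCOPE_RE = re.compile(r"^/subscriptions/([0-9a-fA-F-]{36})$")


def render_role_document(template, app_name, subscription_id):
    """Apply the two edits the procedure asks for and return the new JSON text."""
    return (template
            .replace("<Resource Explorer (Alert Logic)>", app_name)
            .replace("<subscription id>", subscription_id))


def check_role_document(text):
    """Return a list of problems; an empty list means the document is ready
    to be passed to `az role definition create --role-definition <path>`."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    # Any <...> token left behind means an edit from the procedure was skipped.
    leftovers = sorted(set(PLACEHOLDER_RE.findall(text)))
    if leftovers:
        problems.append("unreplaced placeholders: " + ", ".join(leftovers))

    name = doc.get("Name")
    if not isinstance(name, str) or not name.strip():
        problems.append("Name must be a non-empty string")
    if doc.get("IsCustom") is not True:
        problems.append("IsCustom must be true for a custom role")

    scopes = doc.get("AssignableScopes")
    if not isinstance(scopes, list) or not scopes:
        problems.append("AssignableScopes must be a non-empty list")
    else:
        for scope in scopes:
            match = SCOPE_RE.match(str(scope))
            if not match:
                problems.append(f"not a subscription scope: {scope}")
                continue
            try:
                uuid.UUID(match.group(1))  # subscription ids are GUIDs
            except ValueError:
                problems.append(f"subscription id is not a GUID: {match.group(1)}")
    return problems


if __name__ == "__main__":
    # Constructed values; replace with your app registration name and subscription id.
    rendered = render_role_document(ROLE_TEMPLATE, "contoso-alertlogic-app",
                                    "00000000-0000-0000-0000-000000000000")
    issues = check_role_document(rendered)
    if issues:
        raise SystemExit("\n".join(issues))
    with open("alert-logic-role.json", "w", encoding="utf-8") as fh:
        fh.write(rendered)
    print("wrote alert-logic-role.json; next: az role definition create "
          "--role-definition alert-logic-role.json")
```

Run it with the real Alert Logic role document pasted into `ROLE_TEMPLATE` (or read from the file you saved); the path it writes is the one to pass to `az role definition create --role-definition` or `New-AzureRmRoleDefinition -InputFile`.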
Grant permissions to access Microsoft Graph
You must grant permissions to access Microsoft Graph in the Azure portal, which allows Alert Logic to perform CIS benchmark checks.
To grant permissions to access Microsoft Graph:
- Log in to the Azure portal, and then click Azure Active Directory.
- On the left panel, click App registrations, and then select your app registration.
- On the left panel, click API permissions, and then click + Add a permission.
- On the Request API permissions blade, click Microsoft Graph.
- Click Application permissions, and then in the list, select the following permissions:
  - Click Application to see permissions in this category, and then select Application.Read.All.
  - Click Group to see permissions in this category, and then select Group.Read.All.
  - Click RoleManagement to see permissions in this category, and then select RoleManagement.Read.Directory.
  - Click User to see permissions in this category, and then select User.Read.All.
- Click Add permissions, and then on the API permissions pane, click Grant admin consent.
- In the pop-up window, click Yes to allow the changes you made on the permissions.
Grant permissions to access Key vaults
The following applies only when the key vault's permission model is configured as vault access policy. If a key vault is set to use Azure role-based access control, skip the steps below for that vault.
You must grant certain permissions to access your key vaults, which allows Alert Logic to perform CIS benchmark checks. You must repeat these steps for each of your key vaults.
To grant permissions to access your key vault:
- In the Azure portal, click Key vaults.
- Select a key vault from the list, and then on the left panel, click Access policies.
- Click + Add Access Policy.
- In the Key permissions field, select Get and List.
- In the Secret permissions field, select Get and List.
- Click Select principal, and then from the list, select the app registration you created.
- Click Add.
Repeat these steps for each key vault in the list.
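When you have more than a handful of key vaults, it is easy to miss one, to grant Get without List, or to apply the steps to a vault that is actually on the RBAC permission model. The following audit is an added example, not Alert Logic's code, that reads the vault JSON (assumed here to be in the shape returned by `az keyvault show`, with `properties.enableRbacAuthorization` and `properties.accessPolicies`) and reports, per vault, whether the app registration's service principal has exactly the Get and List permissions on keys and secrets described above. The vault records and object ids are constructed; the principal object id is assumed to be the object id of the app registration's service principal.

```python
import json

# Assumption: the object id of the service principal behind the app registration (constructed).
APP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"

# Permissions the procedure above grants: Get and List on keys and on secrets.
REQUIRED_PERMISSIONS = {"keys": {"get", "list"}, "secrets": {"get", "list"}}

# Constructed vault records in the shape of `az keyvault show` output (only the
# fields the audit reads are included).
SAMPLE_VAULTS = [
    {"name": "kv-ok", "properties": {"enableRbacAuthorization": False, "accessPolicies": [
        {"objectId": APP_OBJECT_ID,
         "permissions": {"keys": ["Get", "List"], "secrets": ["Get", "List"], "certificates": []}}]}},
    {"name": "kv-partial", "properties": {"enableRbacAuthorization": False, "accessPolicies": [
        {"objectId": APP_OBJECT_ID,
         "permissions": {"keys": ["Get"], "secrets": ["Get", "List", "Set"]}}]}},
    {"name": "kv-no-policy", "properties": {"enableRbacAuthorization": False, "accessPolicies": [
        {"objectId": "22222222-2222-2222-2222-222222222222",
         "permissions": {"secrets": ["Get"]}}]}},
    {"name": "kv-rbac", "properties": {"enableRbacAuthorization": True, "accessPolicies": []}},
]


def audit_vault(vault, principal_object_id):
    """Classify one vault: ok, incomplete, no-policy, or rbac-model (steps do not apply)."""
    props = vault.get("properties", {})
    result = {"vault": vault.get("name"), "status": "ok", "missing": [], "extra": []}

    # Vault access policies are ignored when the vault uses Azure RBAC.
    if props.get("enableRbacAuthorization"):
        result["status"] = "rbac-model"
        return result

    policies = [p for p in props.get("accessPolicies", [])
                if str(p.get("objectId", "")).lower() == principal_object_id.lower()]
    if not policies:
        result["status"] = "no-policy"
        result["missing"] = [f"{kind}/{perm}" for kind, perms in REQUIRED_PERMISSIONS.items()
                             for perm in sorted(perms)]
        return result

    # Azure reports permission names case-insensitively ("Get" in the portal, "get" in the CLI).
    granted = {}
    for policy in policies:
        for kind, perms in policy.get("permissions", {}).items():
            granted.setdefault(kind, set()).update(p.lower() for p in (perms or []))

    for kind, needed in REQUIRED_PERMISSIONS.items():
        for perm in sorted(needed - granted.get(kind, set())):
            result["missing"].append(f"{kind}/{perm}")
    # Anything beyond Get/List is reported so least privilege can be checked.
    for kind, have in granted.items():
        for perm in sorted(have - REQUIRED_PERMISSIONS.get(kind, set())):
            result["extra"].append(f"{kind}/{perm}")

    if result["missing"]:
        result["status"] = "incomplete"
    return result


def audit_vaults(vaults, principal_object_id):
    """Audit every vault in the list and return one result per vault."""
    return [audit_vault(v, principal_object_id) for v in vaults]


def audit_from_json(text, principal_object_id):
    """Parse a JSON array of vault records (e.g. collected from `az keyvault show`) and audit it."""
    return audit_vaults(json.loads(text), principal_object_id)


if __name__ == "__main__":
    for row in audit_vaults(SAMPLE_VAULTS, APP_OBJECT_ID):
        print(f"{row['vault']:<14} {row['status']:<11} "
              f"missing={row['missing']} extra={row['extra']}")
```

Vaults reported as `rbac-model` are the ones the note above tells you to skip; `no-policy` and `incomplete` vaults are the ones that still need the access policy steps.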