
Azure Security

5 automated security scanners


Purpose: The Azure Network Security Scanner is designed to identify publicly exposed Azure network configurations that may pose a risk to internal services. It focuses on detecting misconfigured Network Security Group (NSG) rules, exposed virtual machines and public IPs, leaked network topology information, and improper load balancer settings.

What It Detects:

  • Leaked NSG Rules: The scanner searches for Terraform (.tf), ARM templates, or Bicep files defining NSG rules that allow unrestricted access from any source on sensitive ports like 22 (SSH), 3389 (RDP), 1433 (SQL Server), and 3306 (MySQL).
  • Exposed VM Instances & Public IPs: It uses search engines to find public IP addresses and DNS names associated with the Azure subscription ID, potentially exposing internal services.
  • Load Balancer Weaknesses: The scanner identifies misconfigurations in public Application Gateways or Load Balancers, such as weak TLS protocols or missing HTTPS redirection rules.

Inputs Required:

  • domain (string): The primary domain associated with the subscription for context.
  • azure_subscription_id (string): The Azure Subscription ID to analyze (e.g., 12345678-1234-1234-1234-123456789abc).

Business Impact: Misconfigurations in Azure network settings can lead to unauthorized access, data breaches, and service disruptions. It is crucial to identify and mitigate such risks to maintain a secure cloud environment.

Risk Levels:

  • Critical: Risk level is critical if any NSG rule allowing unrestricted public access on sensitive ports is found or if there are multiple exposures detected.
  • High: Risk level is high if the total number of network exposures exceeds two, indicating significant risk.
  • Medium: Risk level is medium if there is at least one exposure but fewer than three overall exposures.
  • Low: Risk level is low if no public network exposures are found.
  • Info: This category would be used for informational findings that do not directly indicate a vulnerability, such as the presence of NSG rules allowing access from specific sources or ports without being unrestricted.

Example Findings:

  • A leaked NSG rule allows inbound traffic on port 3306 (MySQL) from any source, which could expose internal MySQL databases to unauthorized access.
  • An Application Gateway is configured with TLS version 1.2, which is not the most secure configuration for modern security standards.
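The NSG check and the risk levels described above, as an added example that is not the scanner's own code: it walks an ARM-template-shaped NSG definition (the sample input is constructed for the demo), flags Allow/Inbound rules reachable from any source on the listed sensitive ports, and maps the result to the risk levels in the order they are listed.

```python
# Sensitive ports named in the scanner description
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "SQL Server", 3306: "MySQL"}
# sourceAddressPrefix values that mean "any source" (compared lower-cased)
ANY_SOURCE = {"*", "0.0.0.0/0", "::/0", "internet"}

# Constructed, ARM-template-shaped input for the demo (not a real deployment)
SAMPLE_TEMPLATE = {"resources": [{
    "type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-demo",
    "properties": {"securityRules": [
        {"name": "allow-mysql-any", "properties": {"access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "*", "destinationPortRange": "3306"}},
        {"name": "allow-ssh-vpn", "properties": {"access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "22"}},
        {"name": "allow-mgmt-range", "properties": {"access": "Allow", "direction": "Inbound",
         "sourceAddressPrefixes": ["0.0.0.0/0"], "destinationPortRanges": ["3000-3400"]}}]}}]}

def rule_ports(props):
    """Expand destinationPortRange(s) such as "22", "3000-3400" or "*" into a set of ints."""
    ranges = props.get("destinationPortRanges") or [props.get("destinationPortRange", "")]
    ports = set()
    for r in map(str, ranges):
        if r == "*":
            return set(SENSITIVE_PORTS)  # wildcard covers every sensitive port
        lo, _, hi = r.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def find_unrestricted_rules(template):
    """(nsg, rule, port, service) for Allow/Inbound rules open to any source on a sensitive port."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Network/networkSecurityGroups":
            continue
        for rule in res.get("properties", {}).get("securityRules", []):
            p = rule["properties"]
            if p.get("access") != "Allow" or p.get("direction") != "Inbound":
                continue
            sources = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "")]
            if {s.lower() for s in sources} & ANY_SOURCE:
                for port in sorted(rule_ports(p) & set(SENSITIVE_PORTS)):
                    findings.append((res["name"], rule["name"], port, SENSITIVE_PORTS[port]))
    return findings

def risk_level(nsg_findings, other_exposures=0):
    """Risk levels as listed above, tested in the order given (critical first)."""
    total = len(nsg_findings) + other_exposures
    if nsg_findings or total > 1:  # any unrestricted sensitive port, or multiple exposures
        return "critical"
    return "high" if total > 2 else "medium" if total >= 1 else "low"
```

A port range that merely overlaps a sensitive port (3000-3400 here) is reported port by port, which is the case a naive equality check on destinationPortRange misses.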


Purpose: The Azure Data Protection Scanner is a tool designed to identify publicly exposed Azure data stores such as Blob Storage containers and SQL databases. It searches for unintentional data leaks in public code repositories associated with an Azure subscription, aiming to prevent major security breaches caused by misconfigurations in Azure.

What It Detects:

  • Public Blob Storage Exposure: The scanner identifies publicly accessible Blob Storage containers via search engine dorking and flags URLs pointing directly to blob.core.windows.net associated with the subscription. It also identifies containers with common naming conventions that might indicate insecure access policies.

  • Data Leaks in Code Repositories: The scanner searches GitHub for common data file extensions (.csv, .sql, .json, .bak) committed alongside the subscription ID. It looks for keywords like database, export, backup, connection string in code, potentially flagging leaks of Personally Identifiable Information (PII) or other sensitive information.

  • Storage Account Key Exposure: The scanner searches for leaked Azure storage account keys and connection strings, which could provide full access to all data within the storage account.

  • Public SQL Database Exposure: The scanner scans for public documentation or mentions of Azure SQL databases linked to the subscription, detecting potential weak firewall rules that might expose massive amounts of structured data.

Inputs Required:

  • domain (string): The primary domain associated with the subscription (e.g., contoso.com).
  • azure_subscription_id (string): The Azure Subscription ID to analyze (e.g., 12345678-1234-1234-1234-123456789abc).

Business Impact: Publicly exposed data is a primary cause of major security breaches. Misconfigurations in Azure can lead to significant risks, including the exposure of sensitive files, backups, or application data via public Blob Storage containers, accidental exposure of massive amounts of structured data through publicly accessible SQL databases, and leaks of PII or other sensitive information in public code repositories.

Risk Levels:

  • Critical: If more than 5 exposures are found, the risk level is critical.
  • High: If between 1 and 5 exposures are found, the risk level is high.
  • Medium: If exactly 1 exposure is found, the risk level is medium.
  • Low: If no exposures are found, the risk level is low.
  • Info: This category would typically be used for informational findings that do not directly impact security but might indicate areas for improvement or verification.

Example Findings:

  1. A publicly accessible Blob Storage container named contosoprod-backups contains sensitive company data.
  2. Potential Azure storage account key leaks in public code repositories, potentially compromising multiple storage accounts.


Purpose: The Azure Service-Specific Security Scanner is designed to identify public exposure and misconfigurations in specific Azure services such as Azure Kubernetes Service (AKS), Azure Functions, and Azure Container Instances. It aims to uncover leaked deployment manifests, exposed managed identity bindings, and hardcoded secrets that could lead to unauthorized access or data breaches.

What It Detects:

  • AKS Misconfigurations: The scanner searches for deployment.yaml, pod.yaml, and Dockerfile files associated with the Azure subscription ID on GitHub repositories, looking for misconfigurations such as publicly exposed container images, environment variables, and managed identity names.
  • Azure Functions Insecurity: It scans for source code files related to Azure Functions that are publicly accessible, potentially exposing business logic and embedded credentials.
  • Container Instances Vulnerabilities: The scanner detects public references to container images or configurations in Azure Container Instances, which could be exploited for application-level vulnerabilities.
  • Managed Identity Misuse: It identifies leaked configurations showing managed identity assignments that might provide paths for privilege escalation.

Inputs Required:

  • domain (string): Primary domain for context (e.g., contoso.com).
  • azure_subscription_id (string): The Azure Subscription ID to analyze (e.g., 12345678-1234-1234-1234-123456789abc).

Business Impact: This scanner is crucial for organizations managing sensitive data and infrastructure on Azure platforms, as misconfigurations in these services can lead to significant security breaches. Properly identifying and mitigating such risks is essential for maintaining a secure cloud environment.

Risk Levels:

  • Critical: Severe exposure of critical configurations or secrets that could directly impact business operations and security.
  • High: High-risk exposures that require immediate attention to prevent potential data theft or system compromise.
  • Medium: Medium-severity risks that should be addressed but may have lower urgency compared to high-risk issues.
  • Low: Informational findings that do not pose significant threats but are still recommended for improvement in security practices.

Example Findings:

  1. A publicly accessible deployment.yaml file on GitHub exposes the Azure subscription ID and contains sensitive environment variables, posing a critical risk to data security.
  2. An unsecured Azure Function hosted on a public repository could be exploited by unauthorized users to access stored financial information, resulting in a high-risk exposure.


Purpose: The Azure RBAC Security Scanner is designed to analyze and assess the security posture of Azure Role-Based Access Control (RBAC) configurations. It aims to identify potential risks such as publicly exposed service principal credentials, overly permissive role assignments, privilege escalation paths, and RBAC misconfigurations that could lead to unauthorized access or subscription compromise.

What It Detects:

  • Public Credential Exposure: The scanner searches for leaked Azure service principal credentials on platforms like GitHub and Pastebin. It also checks public code repositories for patterns indicative of Azure client secrets, certificates, and connection strings.
  • RBAC Policy Analysis: It detects the usage of overly permissive built-in roles (Owner, Contributor) in configurations that violate least privilege principles. Additionally, it identifies potential privilege escalation paths through misconfigurations like Microsoft.Authorization/roleAssignments/write.
  • Credential Hygiene: The scanner evaluates the hygiene of service principal secrets by assessing their usage and rotation history from public commit logs. It also flags hardcoded tenant IDs and subscription IDs that could be a risk if not managed properly.

Inputs Required:

  • domain (string): A primary domain for context, such as contoso.com.
  • azure_subscription_id (string): The specific Azure Subscription ID to analyze, e.g., 12345678-1234-1234-1234-123456789abc.

Business Impact: Azure RBAC misconfigurations pose significant risks as they can lead to unauthorized access and potential subscription compromise. Overly permissive roles can grant excessive access, violating least privilege principles, while leaked service principal credentials provide direct, often unaudited access to Azure resources. These issues are critical for maintaining the security and integrity of an organization’s cloud infrastructure.

Risk Levels:

  • Critical: This severity level is triggered when there are multiple public exposures or highly sensitive information is found in configurations. It indicates a severe risk that could lead to immediate unauthorized access.
  • High: Applies when there are significant risks identified, such as the use of overly permissive roles or exposure of critical credentials. This suggests a high likelihood of compromise if not addressed promptly.
  • Medium: Indicates medium severity findings where some sensitive information is exposed but does not pose an immediate threat. These should be prioritized for remediation based on other risk factors and business impact.
  • Low: Used for informational purposes, indicating minimal exposure or configuration issues that are unlikely to lead to significant security risks.

Example Findings:

  • A public repository contains environment variables with Azure client secrets, which could be used by unauthorized parties to access the subscription resources.
  • An overly permissive role assignment (Owner) in a Terraform script allows full control over all resources, posing a high risk of unauthorized modification or deletion.
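The RBAC policy analysis described above, as an added example that is not the scanner's own code: it scans Terraform text for azurerm_role_assignment blocks that assign Owner or Contributor and for azurerm_role_definition blocks whose actions include Microsoft.Authorization/roleAssignments/write. The Terraform snippet is constructed for the demo; the resource names in it are invented.

```python
import re
# Built-in roles and actions named in the scanner description (compared lower-cased)
PERMISSIVE_ROLES = {"owner", "contributor"}
# roleAssignments/write lets a principal grant further roles; "*" includes it (not_actions not modelled)
ESCALATION_ACTIONS = {"microsoft.authorization/roleassignments/write", "*"}
RESOURCE_RE = re.compile(r'resource\s+"(azurerm_role_assignment|azurerm_role_definition)"\s+"([^"]+)"\s*\{')
ACTIONS_RE = re.compile(r'(?<!\w)actions\s*=\s*\[([^\]]*)\]')  # lookbehind keeps not_actions out

# Constructed Terraform snippet used as demo input (not from any real repository)
SAMPLE_TF = '''
resource "azurerm_role_assignment" "ci" {
  scope                = data.azurerm_subscription.primary.id
  role_definition_name = "Owner"
  principal_id         = azuread_service_principal.ci.object_id
}
resource "azurerm_role_assignment" "devs" {
  role_definition_name = "Reader"
}
resource "azurerm_role_definition" "deployer" {
  name  = "app-deployer"
  scope = data.azurerm_subscription.primary.id
  permissions {
    actions     = ["Microsoft.Resources/deployments/*", "Microsoft.Authorization/roleAssignments/write"]
    not_actions = []
  }
}
'''

def hcl_resource_blocks(text):
    """Yield (type, name, body) for each matching resource block, found by brace counting."""
    for m in RESOURCE_RE.finditer(text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), m.group(2), text[m.end():i - 1]

def scan_rbac(text):
    """Return (kind, resource_name, detail) for permissive role assignments and escalation paths."""
    findings = []
    for rtype, name, body in hcl_resource_blocks(text):
        if rtype == "azurerm_role_assignment":
            role = re.search(r'role_definition_name\s*=\s*"([^"]+)"', body)
            if role and role.group(1).lower() in PERMISSIVE_ROLES:
                findings.append(("permissive_role", name, role.group(1)))
        else:
            for group in ACTIONS_RE.findall(body):
                for action in re.findall(r'"([^"]+)"', group):
                    if action.lower() in ESCALATION_ACTIONS:
                        findings.append(("escalation_path", name, action))
    return findings
```

Brace counting rather than a flat regex is what keeps the nested permissions block inside the role definition it belongs to.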


Purpose: The Azure Logging & Monitoring Scanner is designed to identify publicly exposed logging and monitoring infrastructure within an Azure environment. This includes identifying public Azure Monitor workbooks, Log Analytics workspaces, and Application Insights portals, as well as searching for leaked configuration files that might reveal internal monitoring architecture, potential security gaps, or sensitive operational data.

What It Detects:

  • Exposed Monitoring Dashboards: The scanner uses search engine dorking to find public Azure Monitor workbooks and Log Analytics workspaces associated with a domain, checking if they are accessible without proper authentication.
  • Public Log Destinations: It searches for public Azure Storage accounts configured as log destinations and looks for code or documentation that references log forwarding endpoints or Event Hub namespaces used for log streaming.
  • Leaked Monitoring Configurations: The scanner scans GitHub repositories for monitoring-as-code files (Terraform, Bicep, JSON ARM templates) associated with the subscription ID or domain, looking for keywords related to Azure Monitor diagnostics settings and Application Insights.
  • Instrumentation Key Exposure: It searches for leaked Application Insights instrumentation keys in public repositories.

Inputs Required:

  • domain (string): The primary domain for dashboard searches (e.g., “contoso.com”).
  • azure_subscription_id (string): The Azure Subscription ID to analyze (e.g., 12345678-1234-1234-1234-123456789abc).

Business Impact: While essential for security, logging and monitoring systems can become a major risk if exposed, potentially providing attackers with detailed infrastructure maps, application performance metrics, user activity, and direct access to aggregated, sensitive log data. This could lead to highly targeted attacks and significant data breaches.

Risk Levels:

  • Critical: If the scanner identifies more than 3 exposures of any type (dashboards, leaked configurations, or instrumentation keys), it marks the risk level as “critical.”
  • High: If the scanner identifies between 1 and 3 exposures, it marks the risk level as “high.”
  • Medium: If the scanner identifies one exposure but no critical issues are found, it marks the risk level as “medium.”
  • Low: If no public exposures of logging or monitoring infrastructure are found, the risk level is marked as “low.”
  • Info: This category would be used for informational findings that do not directly impact security but could still indicate potential areas for improvement.

Example Findings:

  1. A publicly accessible Azure Monitor workbook reveals detailed application performance metrics and user activity.
  2. Leaked Application Insights instrumentation key in a public GitHub repository exposes sensitive user data to unauthorized parties.