Top 10 Azure Cloud Configuration Mistakes

December 9, 2021 TH Author Trend Micro DevOps : Article, Trend Micro DevOps : Azure, Trend Micro DevOps : Cloud Native, Trend Micro DevOps : Compliance, Trend Micro DevOps : Conformity, Trend Micro DevOps : Expert Perspective

Top misconfigured rules for Azure services

Let’s look at three top misconfigured services for Azure and the Conformity rule for that service with the highest misconfiguration rate.

Service: Azure Activity Log
Rule(s): “Create alert for ‘delete PostgreSQL database’ events” and “create alert for ‘create/update PostgreSQL database’ events”

The top misconfigured rules for Azure Activity Log are related to PostgreSQL, a fully managed database-as-a-service platform. “Create alert for ‘delete PostgreSQL database’ events” and “create alert for ‘create/update PostgreSQL database’ events” both have a high misconfiguration rate of 99.10%.

When improperly configured, PostgreSQL databases can be abused for cryptocurrency mining, as the PGMiner botnet operation discovered in 2020. It’s essential for users to regularly check the Azure Activity Log, as it provides data that pertains to configuration changes. Accurately collecting and analyzing Azure Activity Log data can enable users to keep an eye out for potentially malicious activity across their systems.

Service: Azure Virtual Machines (VM)
Rule(s): “Install approved extensions only” and “enable automatic OS upgrades”

With a misconfiguration rate of 100%, “install approved extensions only” and “enable automatic OS upgrades” are (unsurprisingly) the top misconfigured rules for Azure VM. When vulnerable extensions are used in Azure environments, it can lead to elevation of privilege and remote execution attacks. Recently, malicious actors abused the Azure OMIGOD vulnerabilities in the Open Management Infrastructure (OMI) framework used by several Azure VM management extensions. Microsoft has since issued extension updates for these vulnerable extensions.

How can organizations prevent misconfigurations in the cloud?

For organizations looking to prioritize digital transformation, all roads lead to cloud adoption. And while CSPs generally do a good job at securing the infrastructure of the cloud services they offer, users must understand it’s their responsible to correctly configure the services.

Here are some security recommendations for keeping misconfigurations and threats at bay:

Principle of least privilege: Only give users the necessary access or permission (such as admin or root privilege) that they need to operate. If a user with admin access becomes compromised, a malicious actor can go on to compromise the entire network. By limiting the number of people with admin and root privileges, the risk of compromise effectively becomes lower.
Adhere to the shared responsibility model: When users understand the operational tasks that they’re responsible for (such as monitoring, upkeep, a patching), the risk of misconfigurations occurring is minimized. Azure provides guidance explaining the shared responsibility model to their users.
Educating and training team members: It’s vital for team members to understand their responsibilities regarding security. From identifying unsecure practices to promptly reporting security issues, everyone should be educated and trained on which threats and misconfigurations to watch out for.
Creating and implementing security policies, standards, and procedures: Policies pertaining to the use of open-source components, remote access, password creation and management, encryption and decryption, and database management should be created and strictly enforced.

Next steps

Knowing which Azure services are commonly misconfigured enables DevSecOps teams to customize automated Conformity scans, ensuring they’re continually checking for misconfigurations on Azure services in their infrastructure. This helps prove compliance and governance without tedious manual tasks, allowing developers to build securely with little interruptions.

Conformity is one of 7 solutions comprising the Trend Micro Cloud One™ security services platform for organizations building in the cloud. It delivers flexible and scalable all-in-one security that helps DevOps and security engineers securely build and innovate as they migrate to and build in the cloud.

Looking to audit your environment to see how you hold up? Sign up for a free, 30-day Trend Micro Cloud One trial today.

You May Also Like

How to scan and encrypt objects in S3 buckets Product Manager, File Storage Security

What Can Generative AI do for Hybrid Cloud Security?

Prioritize Security Controls for Critical AWS Assets Cloud Advocate