VM Managed Identities

💼 Management Summary

This security control ensures correct configuration and protects against security risks.

Recommendation: IMPLEMENT MANAGED IDENTITIES
Risk without: High
Risk score: 7/10
Implementation: 3h (technical: 2h)
Applies to: ✓ Azure VMs

This setting is essential for maintaining a secure environment and prevents known attack vectors by enforcing security best practices.

PowerShell Modules Required
Primary API: Azure API
Connection: Connect-AzAccount
Required Modules: Az.Accounts, Az.Compute

Implementation

This control applies the required security settings via Microsoft Intune or Azure policy to protect systems in line with current security frameworks such as the CIS Benchmarks, BIO and ISO 27001.

Requirements

Azure VMs

Monitoring

Use the PowerShell script vm-managed-identities-enabled.ps1 (function Invoke-Monitoring) to check.

Check the Identity property on each VM: a VM counts as compliant when Identity.Type is set and is not 'None' (system-assigned, user-assigned, or both).

Compliance and Auditing

  1. BIO 09.04
  2. ISO 27001:2022 A.8.3

Remediation

Use the PowerShell script vm-managed-identities-enabled.ps1 (function Invoke-Remediation) to remediate. Note that the script treats this as a monitoring-only control: Invoke-Remediation prints a notice and re-runs the monitoring check, so enabling an identity on a non-compliant VM remains a separate step.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script accepts a -Monitoring switch and defines the functions Invoke-Monitoring and Invoke-Remediation.

PowerShell
<#
================================================================================
AZURE POWERSHELL SCRIPT - Nederlandse Baseline voor Veilige Cloud
================================================================================
.SYNOPSIS
    VM Managed Identities Enabled
.DESCRIPTION
    CIS Azure Foundations Benchmark - Control 7.7
    Checks whether Managed Identities are enabled on VMs.
.NOTES
    Filename: vm-managed-identities-enabled.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 1.0
    CIS Control: 7.7
#>
#Requires -Version 5.1
#Requires -Modules Az.Accounts, Az.Compute

[CmdletBinding()]
param(
    [Parameter()][switch]$Monitoring
)

$ErrorActionPreference = 'Stop'
$PolicyName = "VM Managed Identities Enabled"

function Connect-RequiredServices {
    # Reuse an existing Az context; only prompt for login when there is none.
    if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }
}

function Test-Compliance {
    # Count the VMs in the current subscription that have a system- or user-assigned identity.
    # @() keeps .Count correct when Get-AzVM returns zero or exactly one VM.
    $vms = @(Get-AzVM -ErrorAction SilentlyContinue)
    $result = @{ TotalVMs = $vms.Count; WithManagedIdentity = 0 }
    foreach ($vm in $vms) {
        # Identity is $null when no identity was ever assigned; Type is 'None' when it was removed.
        if ($null -ne $vm.Identity -and $vm.Identity.Type -ne 'None') {
            $result.WithManagedIdentity++
        }
    }
    return $result
}

# ================================================================================
# Standard Invoke-* functions
# ================================================================================
function Invoke-Monitoring {
    <# .SYNOPSIS Checks the current configuration status #>
    [CmdletBinding()]
    param()
    Connect-RequiredServices
    $r = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total VMs: $($r.TotalVMs)" -ForegroundColor White
    Write-Host "With Managed Identity: $($r.WithManagedIdentity)" -ForegroundColor $(if ($r.WithManagedIdentity -gt 0) { 'Green' } else { 'Yellow' })
}

function Invoke-Remediation {
    <#
    .SYNOPSIS Restores the configuration to the desired state
    .DESCRIPTION This is a monitoring-only control; remediation delegates to monitoring
    #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] Dit is een monitoring-only control" -ForegroundColor Yellow
    Write-Host "[INFO] Running monitoring check..." -ForegroundColor Cyan
    Invoke-Monitoring
}

function Invoke-Implementation {
    <# .SYNOPSIS Implements the configuration #>
    [CmdletBinding()]
    param()
    Invoke-Remediation
}

# Entry point: full report with -Monitoring, otherwise a one-line summary.
try {
    Connect-RequiredServices
    if ($Monitoring) {
        Invoke-Monitoring
    } else {
        $r = Test-Compliance
        Write-Host "`nManaged Identity: $($r.WithManagedIdentity)/$($r.TotalVMs) VMs"
    }
} catch {
    Write-Error $_
    exit 1
}
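The baseline script above only reports an aggregate count and does not change any VM. The following is an added example, not part of vm-managed-identities-enabled.ps1: it lists the Identity property per VM (so non-compliant VMs can be exported or ticketed) and, as an opt-in step with -WhatIf support, enables a system-assigned identity on VMs that have none. It assumes an active Az context from Connect-AzAccount and the Az.Compute module; the function names Get-VmIdentityReport and Enable-VmSystemAssignedIdentity are this example's own.

```powershell
#Requires -Modules Az.Accounts, Az.Compute
# Added example; not part of the baseline's script.

function Get-VmIdentityReport {
    # One object per VM so non-compliant VMs can be filtered, exported or ticketed.
    [CmdletBinding()]
    param([string]$ResourceGroupName)

    $params = @{}
    if ($ResourceGroupName) { $params.ResourceGroupName = $ResourceGroupName }
    foreach ($vm in @(Get-AzVM @params)) {
        # Identity is $null when never assigned; Type is 'None' when it was removed.
        $type = if ($null -ne $vm.Identity) { [string]$vm.Identity.Type } else { 'None' }
        [pscustomobject]@{
            ResourceGroup = $vm.ResourceGroupName
            Name          = $vm.Name
            IdentityType  = $type
            PrincipalId   = $vm.Identity.PrincipalId   # $null without a system-assigned identity
            Compliant     = ($type -ne 'None' -and $type -ne '')
        }
    }
}

function Enable-VmSystemAssignedIdentity {
    # Enables a system-assigned identity on every non-compliant VM. A VM that
    # already has a user-assigned identity is compliant and is left untouched.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$ResourceGroupName)

    Get-VmIdentityReport -ResourceGroupName $ResourceGroupName |
        Where-Object { -not $_.Compliant } |
        ForEach-Object {
            $target = "$($_.ResourceGroup)/$($_.Name)"
            if ($PSCmdlet.ShouldProcess($target, 'Enable system-assigned managed identity')) {
                $vm = Get-AzVM -ResourceGroupName $_.ResourceGroup -Name $_.Name
                Update-AzVM -ResourceGroupName $_.ResourceGroup -VM $vm -IdentityType SystemAssigned | Out-Null
            }
        }
}

# Usage: review the non-compliant VMs, then dry-run the fix before applying it.
Get-VmIdentityReport | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
Enable-VmSystemAssignedIdentity -WhatIf
```

Enabling the identity only creates the principal; the RBAC role assignments on Key Vault, Storage or SQL and the application changes that use the identity are still required before the stored credentials can be removed.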

Risk without implementation

High: Credentials in VM config/code = credential theft risk. Hardcoded passwords and connection strings in scripts = leaked credentials. Compliance: CIS 7.1, Zero Trust. The risk is HIGH - credential exposure.

Management Summary

VM Managed Identities: system-assigned or user-assigned Managed Identities for Azure resource access (Key Vault, Storage, SQL) WITHOUT credentials. Automatic credential rotation. Activation: VM → Identity → System-assigned: On. Free of charge. Required by CIS 7.1, Zero Trust. Implementation: 2-3 hours (per VM + application code changes). Eliminates credential management.
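The "application code changes" mentioned above are the step that actually removes the stored credential. As an added example, not from the original page, the script below shows the before and after: a connection string embedded in a script versus the VM's managed identity obtaining a token from the Azure Instance Metadata Service (IMDS) and reading the secret from Key Vault at runtime. It must run on a VM whose identity is enabled; the vault name, secret name and the function names are placeholders chosen for this example.

```powershell
# Added example; not part of the original page.

# --- BEFORE: credential stored on the VM (what the baseline wants removed) ---
# $sqlConnection = "Server=db.example;User ID=app;Password=PLACEHOLDER-SECRET"

# --- AFTER: no credential on disk; the VM's identity authenticates at runtime ---
function Get-ManagedIdentityToken {
    # IMDS is link-local and only reachable from inside the VM. The 'Metadata: true'
    # header is mandatory; the service rejects requests without it as an SSRF mitigation.
    param([string]$Resource = 'https://vault.azure.net')
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           '?api-version=2018-02-01&resource=' + [uri]::EscapeDataString($Resource)
    $resp = Invoke-RestMethod -Uri $uri -Headers @{ Metadata = 'true' } -Method Get
    return $resp.access_token
}

function Get-KeyVaultSecretValue {
    # Reads one secret through the Key Vault REST API using the identity's token.
    param([string]$VaultName, [string]$SecretName)
    $token = Get-ManagedIdentityToken -Resource 'https://vault.azure.net'
    $uri = "https://$VaultName.vault.azure.net/secrets/$SecretName?api-version=7.4"
    $secret = Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $token" }
    return $secret.value
}

# The identity also needs a Key Vault role on the vault (for example "Key Vault
# Secrets User"); enabling the identity alone grants no access to any resource.
$sqlPassword = Get-KeyVaultSecretValue -VaultName 'kv-placeholder' -SecretName 'sql-app-password'
```

The returned token is short-lived and rotated by the platform, which is the "automatic credential rotation" the summary refers to; nothing in the script or VM configuration needs to be rotated by hand.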