Framework/Configurations/SVT/Services/LogicApps.json

{
  "FeatureName": "LogicApps",
  "Reference": "aka.ms/azsktcp/logicapps",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_LogicApps_Deploy_Dont_Use_Apps_In_Same_RG_Unless_Trust",
      "Description": "Multiple Logic Apps should not be deployed in the same resource group unless they trust each other",
      "Id": "LogicApps110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckLogicAppsInSameRG",
      "Rationale": "API Connections contain critical information such as credentials/secrets provided as part of configuration. A Logic App can use all API Connections present in the same Resource Group. Thus, the Resource Group should be considered the security boundary when threat modeling.",
      "Recommendation": "Separate Logic Apps into different resource groups unless the apps trust each other and need to use API Connections present in the resource group.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Deploy"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_AuthN_Connectors_Use_AAD",
      "Description": "Logic App connectors must use AAD-based authentication wherever possible",
      "Id": "LogicApps120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckConnectorsAADAuth",
      "Rationale": "Using the native enterprise directory for authentication ensures that there is a built-in high level of assurance in the user identity established for subsequent access control. All Enterprise subscriptions are automatically associated with their enterprise directory (xxx.onmicrosoft.com) and users in the native directory are trusted for authentication to enterprise subscriptions.",
      "Recommendation": "For HTTP based connectors, refer: https://docs.microsoft.com/en-us/azure/connectors/connectors-native-http#azure-active-directory-oauth-authentication. For other connectors you must manually verify that AAD authentication is used for connectors that support it.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthN"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_AuthZ_Connector_Use_Min_Permissions",
      "Description": "Logic App connectors must have minimum required permissions on data source",
      "Id": "LogicApps130",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "This ensures that connectors can be used only for the intended actions in the Logic App.",
      "Recommendation": "Connectors must be configured with minimum permissions. E.g., 'SQL Server-Get Row' must use an account with only Read permission on the required table.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "LogicApps140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "Assign 'Logic App Contributor' role to developers and 'Logic App Operator' role to operators. Refer: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app#secure-access-to-manage-or-edit-logic-apps",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_AuthZ_Provide_Triggers_Access_Control",
      "Description": "If Logic App fires on an HTTP Request (e.g. Request or Webhook) then provide IP ranges for triggers to prevent unauthorized access",
      "Id": "LogicApps150",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckTriggersAccessControl",
      "Rationale": "Specifying the IP range ensures that the triggers can be invoked only from a restricted set of endpoints.",
      "Recommendation": "Provide access control by navigating to Portal --> Logic App --> Access Control Configuration and setting the IP addresses/ranges. Do not add IP range $($this.ControlSettings.UniversalIPRange) as this means access to all IPs.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_AuthZ_Provide_Contents_Access_Control",
      "Description": "Must provide IP ranges for contents to prevent unauthorized access to inputs/outputs data of Logic App run history",
      "Id": "LogicApps160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckContentsAccessControl",
      "Rationale": "Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. While this may not be feasible in all scenarios, when it can be used, it provides an extra layer of access control protection for critical assets.",
      "Recommendation": "Provide access control by navigating to Portal --> Logic App --> Access Control Configuration and setting the IP addresses/ranges. Do not add IP range $($this.ControlSettings.UniversalIPRange) as this means access to all IPs.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_DP_Encrypt_Data_In_Transit",
      "Description": "Data transit across connectors must use encrypted channel",
      "Id": "LogicApps170",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckConnectorsEncryptionInTransit",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.",
      "Recommendation": "For HTTP-based connectors, use HTTPS URLs. For other connectors you must manually verify that the connector protocol uses encrypted connections.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_DP_Dont_Allow_PlainText_Secrets_In_Codeview",
      "Description": "Application secrets and credentials must not be in plain text in source code (code view) of a Logic App",
      "Id": "LogicApps180",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckConnectorsSecretsHandling",
      "Rationale": "Keeping secrets such as DB connection strings, passwords, keys, etc. in clear text can lead to easy compromise at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
      "Recommendation": "Use 'secureString' type parameter in Logic App code view for secret parameters. Refer: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app#secure-parameters-and-inputs-within-a-workflow",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_DP_Rotate_Keys",
      "Description": "Logic App access keys must be rotated periodically",
      "Id": "LogicApps190",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks.",
      "Recommendation": "Rotate access keys at regular intervals. Navigate to Logic App --> Access Keys --> Regenerate Access Key to generate a new access key.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",
      "Id": "LogicApps200",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.",
      "Recommendation": "Run command: Set-AzureRmDiagnosticSetting -ResourceId {'ResourceId'} -Enable `$true -StorageAccountId '{StorageAccountId}' -RetentionInDays $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) -RetentionEnabled `$true",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_LogicApps_BCDR_Backup_Periodically",
      "Description": "Logic App Code View code should be backed up periodically",
      "Id": "LogicApps210",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Logic App code view contains application's workflow logic and API connections detail which could be lost if there is no backup. No backup/disaster recovery feature is available out of the box in Logic Apps.",
      "Recommendation": "Navigate to Logic App --> Logic App Code View and save content to a backup location.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "BCDR"
      ],
      "Enabled": true
    }
  ]
}