rules/findings/azure/container_instances/azure-container-instances-lacks-managed-identity.json

{
    "args": [],
    "provider": "Azure",
    "serviceType": "Container Instances",
    "serviceName": "Compute",
    "displayName": "Ensure a Managed Identity is used for interactions with other Azure services",
    "description": "For containers that require access to other resources, or other resources accessing a container, an identity/credential may be required. A Managed Identity removes the need to store credentials in code within the Container Instance. There are two types of Managed Identities for Container Instances:\n1. System Assigned: System Assigned Managed Identities provide an infrastructure-integrated identity which is unique to the resource. It is assigned to the Container Instance and persists for the lifecycle of the resource. Permissions can be assigned, revoked, and tuned using Azure role-based access control.\n2. User Assigned: User Assigned Managed Identities are not unique to the resource, and exist as independent Azure resources with their own lifecycle. If a Container Instance is decommissioned, the User Assigned Managed Identity will need to be decommissioned separately. User Assigned Managed Identities are not necessarily unique, and can be used across multiple resources.",
    "rationale": "Identities or credentials stored within a Container Instance or the code running on the Container Instance introduce a risk of compromise. If that identity or credential is stored in plain text, the risk is further amplified.",
    "impact": "To ensure that a Managed Identity is able to access a destination resource, the permissions and/or role assigned to that Managed Identity will need to be evaluated.",
    "remediation": {
        "text": "##### Remediate from Azure Portal\n\nFor each Container Instance that requires an identity or credential:\n1. Open the Container Instances blade.\n2. Select a named container instance.\n3. Click on Identity under the Settings section, then:\n    * For a System Assigned identity, click the System Assigned tab, then set the status to On.\n    * For User Assigned identities, click the User Assigned tab, then click the Add button. Search for the required user-assigned managed identity, then click the Add button at the bottom of the window.",
        "code": {
            "powerShell": null,
            "iac": null,
            "terraform": null,
            "other": null
        }
    },
    "recommendation": null,
    "references": [
        "https://learn.microsoft.com/en-us/azure/container-instances/container-instances-managed-identity",
        "https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal",
        "https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-managed-identity",
        "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference"
    ],
    "compliance": [
        {
            "name": "CIS Microsoft Azure Foundations",
            "version": "2.0.0",
            "reference": "3.2",
            "profile": [
                "Level 1"
            ]
        }
    ],
    "level": "medium",
    "tags": [],
    "rule": {
        "path": "az_containers",
        "subPath": null,
        "selectCondition": {},
        "query": [
            {
                "filter": [
                    {
                        "conditions": [
                            [
                                "eq",
                                "identity"
                            ]
                        ]
                    }
                ]
            }
        ],
        "shouldExist": null,
        "returnObject": null,
        "removeIfNotExists": null
    },
    "output": {
        "html": {
            "data": {
                "properties": {
                    "name": "Name",
                    "location": "Location",
                    "properties.ipAddress.ip": "IP",
                    "properties.ipAddress.type": "Type",
                    "identity": "Identity"
                },
                "expandObject": null
            },
            "table": "default",
            "decorate": [],
            "emphasis": [],
            "actions": {
                "objectData": {
                    "properties": [
                        "name",
                        "location",
                        "identity",
                        "properties"
                    ],
                    "expandObject": null,
                    "limit": null
                },
                "showGoToButton": "True",
                "showModalButton": "True",
                "directLink": null
            }
        },
        "text": {
            "properties": {
                    "name": "Name",
                    "location": "Location",
                    "properties.ipAddress.ip": "IP",
                    "properties.ipAddress.type": "Type",
                    "identity": "Identity"
                },
            "status": {
                "keyName": ["name"],
                "message": "Ensure a Managed Identity is used for interactions with other Azure services for {name}",
                "defaultMessage": null
            },
            "properties": {
                "resourceName": "name",
                "resourceId": "id",
                "resourceType": "type"
            },
            "onlyStatus": false
        }
    },
    "idSuffix": "azure_container_registry_lacks_managed_identity",
    "notes": [],
    "categories": [],
    "immutable_properties": [
        "name",
        "id"
    ],
    "id": "azure_container_001"
}