Azure Security Assessment Tool Cheat Sheet¶

# Azure Security Assessment Tool Spickzettel

# Install Rust and Cargo
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs|sh
source ~/.cargo/env

# Verify Rust installation
rustc --version
cargo --version

# Install Git
sudo apt update
sudo apt install git

# Install Azure CLI
curl -sL https://aka.ms/InstallAzureCLIDeb|sudo bash
```## Overview
   ## Überblick

   Azure Security Assessment Tool is a comprehensive Rust-based security scanner designed to assess Azure environments with over 200 security rules. This tool provides automated security assessments, compliance checking, and vulnerability identification across Azure subscriptions. It offers detailed reporting and remediation guidance to help organizations improve their Azure security posture.

   Azure Security Assessment Tool ist ein umfassender, auf Rust basierender Sicherheitsscanner, der entwickelt wurde, um Azure-Umgebungen mit über 200 Sicherheitsregeln zu bewerten. Dieses Tool bietet automatisierte Sicherheitsbewertungen, Compliance-Überprüfungen und Identifizierung von Sicherheitslücken über Azure-Abonnements hinweg. Es liefert detaillierte Berichte und Empfehlungen zur Behebung, um Organisationen bei der Verbesserung ihrer Azure-Sicherheitslage zu unterstützen.
```bash
# Clone the repository
git clone https://github.com/nccgroup/azucar.git
cd azucar

# Build the project
cargo build --release

# The binary will be available at target/release/azucar
./target/release/azucar --version

# Install globally (optional)
cargo install --path .
```> ⚠️ **Warning**: Only use Azure Security Assessment Tool in environments you own or have explicit permission to test. Unauthorized use may violate terms of service or local laws.
   > ⚠️ **Warnung**: Verwenden Sie Azure Security Assessment Tool nur in Umgebungen, die Ihnen gehören oder für die Sie eine ausdrückliche Testerlaubnis haben. Unbefugte Nutzung kann gegen Nutzungsbedingungen oder lokale Gesetze verstoßen.

Would you like me to continue with the remaining sections? I can translate the rest of the document in the same manner. Just confirm, and I'll proceed with the translations.```bash
# Install directly from crates.io
cargo install azucar

# Verify installation
azucar --version

# Update to latest version
cargo install azucar --force

Docker Installation¶

# Pull Docker image
docker pull nccgroup/azucar:latest

# Run with Docker
docker run --rm -it nccgroup/azucar:latest --help

# Create alias for easier usage
echo 'alias azucar="docker run --rm -it -v ~/.azure:/root/.azure nccgroup/azucar:latest"' >> ~/.bashrc
source ~/.bashrc

Configuration¶

Azure Authentication¶

# Login to Azure CLI
az login

# List available subscriptions
az account list --output table

# Set specific subscription
az account set --subscription "subscription-id"

# Verify current context
az account show

# Login with service principal
az login --service-principal \
  --username "app-id" \
  --password "password" \
  --tenant "tenant-id"

Service Principal Setup¶

# Create service principal for assessment
az ad sp create-for-rbac \
  --name "AzureSecurityAssessment" \
  --role "Security Reader" \
  --scopes "/subscriptions/your-subscription-id"

# Grant additional permissions if needed
az role assignment create \
  --assignee "service-principal-id" \
  --role "Reader" \
  --scope "/subscriptions/your-subscription-id"

# For comprehensive assessment, consider these roles:
# - Security Reader
# - Reader
# - Security Admin (for remediation)

Configuration File¶

# Create configuration file
mkdir -p ~/.azucar
cat > ~/.azucar/config.toml << 'EOF'
[azure]
tenant_id = "your-tenant-id"
client_id = "your-client-id"
client_secret = "your-client-secret"
subscription_id = "your-subscription-id"

[assessment]
parallel_requests = 10
timeout_seconds = 30
retry_attempts = 3

[output]
format = "json"
include_passed = false
severity_filter = ["high", "medium"]

[rules]
exclude_rules = []
include_only = []
custom_rules_path = "~/.azucar/custom_rules"
EOF

Basic Usage¶

Quick Assessment¶

# Basic security assessment
azucar assess

# Assess specific subscription
azucar assess --subscription "subscription-id"

# Assess with specific tenant
azucar assess --tenant "tenant-id"

# Verbose output
azucar assess --verbose

# Quiet mode (errors only)
azucar assess --quiet

Targeted Assessments¶

# Assess specific resource types
azucar assess --resource-types "VirtualMachines,StorageAccounts,KeyVaults"

# Assess specific resource groups
azucar assess --resource-groups "rg-prod,rg-staging"

# Assess specific regions
azucar assess --regions "eastus,westus2"

# Exclude specific resource types
azucar assess --exclude-types "NetworkSecurityGroups"

Rule Management¶

# List available rules
azucar rules list

# Show rule details
azucar rules show --rule-id "AZR-001"

# List rules by category
azucar rules list --category "Storage"

# List rules by severity
azucar rules list --severity "high"

# Export rules to file
azucar rules export --output rules.json

Advanced Assessment¶

Comprehensive Security Scan¶

# Full comprehensive assessment
azucar assess \
  --comprehensive \
  --include-compliance \
  --include-cost-optimization \
  --include-performance \
  --parallel 20

# Assessment with custom rules
azucar assess \
  --custom-rules-path "./custom_rules" \
  --include-experimental

# Multi-subscription assessment
azucar assess \
  --subscriptions "sub1,sub2,sub3" \
  --output-dir "./multi-sub-results"

Compliance Assessments¶

# CIS Azure Foundations Benchmark
azucar assess --compliance cis-azure

# Azure Security Benchmark
azucar assess --compliance azure-security-benchmark

# NIST Cybersecurity Framework
azucar assess --compliance nist-csf

# Custom compliance framework
azucar assess --compliance-config "./custom-compliance.yaml"

# Multiple compliance frameworks
azucar assess --compliance "cis-azure,azure-security-benchmark"

Continuous Assessment¶

# Scheduled assessment script
cat > azure_security_scan.sh << 'EOF'
#!/bin/bash

# Configuration
SUBSCRIPTION_ID="your-subscription-id"
OUTPUT_DIR="/opt/azure-assessments"
DATE=$(date +%Y%m%d_%H%M%S)
REPORT_DIR="$OUTPUT_DIR/$DATE"

# Create output directory
mkdir -p "$REPORT_DIR"

# Run comprehensive assessment
azucar assess \
  --subscription "$SUBSCRIPTION_ID" \
  --comprehensive \
  --output-format "json,html,csv" \
  --output-dir "$REPORT_DIR" \
  --verbose

# Generate summary report
azucar report generate \
  --input "$REPORT_DIR/assessment.json" \
  --template "executive-summary" \
  --output "$REPORT_DIR/executive-summary.pdf"

# Send alerts for critical findings
azucar report alert \
  --input "$REPORT_DIR/assessment.json" \
  --severity "critical" \
  --webhook "https://your-webhook-url"

echo "Assessment completed: $REPORT_DIR"
EOF

chmod +x azure_security_scan.sh

# Schedule with cron (daily at 2 AM)
echo "0 2 * * * /opt/azure_security_scan.sh"|crontab -

Output and Reporting¶

Output Formats¶

# JSON output (default)
azucar assess --output-format json

# HTML report
azucar assess --output-format html

# CSV export
azucar assess --output-format csv

# XML output
azucar assess --output-format xml

# Multiple formats
azucar assess --output-format "json,html,csv"

# Custom output file
azucar assess --output-file "security-assessment-$(date +%Y%m%d).json"

Report Generation¶

# Generate executive summary
azucar report generate \
  --input assessment.json \
  --template executive-summary \
  --output executive-report.pdf

# Generate technical report
azucar report generate \
  --input assessment.json \
  --template technical-details \
  --output technical-report.html

# Generate compliance report
azucar report generate \
  --input assessment.json \
  --template compliance-matrix \
  --compliance cis-azure \
  --output compliance-report.xlsx

# Custom report template
azucar report generate \
  --input assessment.json \
  --template-file "./custom-template.jinja2" \
  --output custom-report.html

Filtering and Analysis¶

# Filter by severity
azucar assess --severity-filter "critical,high"

# Filter by category
azucar assess --category-filter "Security,Compliance"

# Include only failed checks
azucar assess --failed-only

# Include passed checks
azucar assess --include-passed

# Filter by resource tags
azucar assess --tag-filter "Environment=Production"

# Exclude specific resources
azucar assess --exclude-resources "resource-id-1,resource-id-2"

Custom Rules Development¶

Rule Structure¶

# Example custom rule: custom_rules/storage_encryption.yaml
id: "CUSTOM-001"
name: "Storage Account Encryption at Rest"
description: "Ensure storage accounts have encryption at rest enabled"
category: "Storage"
severity: "high"
resource_types:
  - "Microsoft.Storage/storageAccounts"

conditions:
  - field: "properties.encryption.services.blob.enabled"
    operator: "equals"
    value: true
  - field: "properties.encryption.services.file.enabled"
    operator: "equals"
    value: true

remediation:
  description: "Enable encryption at rest for blob and file services"
  steps:
    - "Navigate to Storage Account in Azure Portal"
    - "Go to Security + networking > Encryption"
    - "Enable encryption for Blob and File services"

automation:
  azure_cli:|
    az storage account update \
      --name \\\\{resource_name\\\\} \
      --resource-group \\\\{resource_group\\\\} \
      --encryption-services blob file

references:
  - "https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption"

Rule Development¶

# Create custom rule directory
mkdir -p ~/.azucar/custom_rules

# Validate custom rules
azucar rules validate --rules-path "~/.azucar/custom_rules"

# Test custom rule
azucar assess \
  --custom-rules-path "~/.azucar/custom_rules" \
  --rule-id "CUSTOM-001" \
  --dry-run

# Export rule template
azucar rules template --output rule-template.yaml

Advanced Rule Examples¶

```yaml

Network Security Group rule¶

id: "CUSTOM-002" name: "NSG SSH Access Restriction" description: "Ensure NSGs don't allow SSH access from any source" category: "Network" severity: "critical" resource_types: - "Microsoft.Network/networkSecurityGroups"

conditions: - field: "properties.securityRules" operator: "not_contains" value: properties: access: "Allow" direction: "Inbound" destinationPortRange: "22" sourceAddressPrefix: "*"

Key Vault rule¶

id: "CUSTOM-003" name: "Key Vault Soft Delete" description: "Ensure Key Vaults have soft delete enabled" category: "Security" severity: "medium" resource_types: - "Microsoft.KeyVault/vaults"

conditions: - field: "properties.enableSoftDelete" operator: "equals" value: true - field: "properties.softDeleteRetentionInDays" operator: "greater_than" value: 7 ## Integration und Automatisierungyaml

Azure DevOps Pipeline¶

trigger: branches: include: - main - develop

pool: vmImage: 'ubuntu-latest'

variables: AZURE_SUBSCRIPTION_ID: $(subscription-id) AZURE_TENANT_ID: $(tenant-id)

steps: - task: AzureCLI@2 displayName: 'Azure Security Assessment' inputs: azureSubscription: 'azure-service-connection' scriptType: 'bash' scriptLocation: 'inlineScript' inlineScript:| # Install azucar cargo install azucar

  # Run security assessment
  azucar assess \
    --subscription $(AZURE_SUBSCRIPTION_ID) \
    --output-format json \
    --output-file security-assessment.json \
    --severity-filter "critical,high"

  # Check for critical findings
  CRITICAL_COUNT=$(jq '.findings[]|select(.severity == "critical")|length' security-assessment.json)

  if [ "$CRITICAL_COUNT" -gt 0 ]; then
    echo "##vso[task.logissue type=error]Found $CRITICAL_COUNT critical security issues"
    exit 1
  fi

task: PublishTestResults@2 displayName: 'Publish Security Assessment Results' inputs: testResultsFormat: 'JUnit' testResultsFiles: 'security-assessment.xml' failTaskOnFailedTests: true ### GitHub Actions Integrationyaml

.github/workflows/azure-security.yml¶

name: Azure Security Assessment

on: schedule: - cron: '0 2 * * *' # Daily at 2 AM push: branches: [ main ] pull_request: branches: [ main ]

jobs: security-assessment: runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3

- name: Setup Rust
  uses: actions-rs/toolchain@v1
  with:
    toolchain: stable
    override: true

- name: Install Azure Security Assessment Tool
  run: cargo install azucar

- name: Azure Login
  uses: azure/login@v1
  with:
    creds: $\\\\{\\\\{ secrets.AZURE_CREDENTIALS \\\\}\\\\}

- name: Run Security Assessment
  run:|
    azucar assess \
      --subscription $\\\\{\\\\{ secrets.AZURE_SUBSCRIPTION_ID \\\\}\\\\} \
      --output-format json \
      --output-file assessment.json \
      --comprehensive

- name: Generate Report
  run:|
    azucar report generate \
      --input assessment.json \
      --template executive-summary \
      --output security-report.html

- name: Upload Assessment Results
  uses: actions/upload-artifact@v3
  with:
    name: security-assessment
    path:|
      assessment.json
      security-report.html

- name: Check for Critical Issues
  run:|
    CRITICAL=$(jq '.findings[]|select(.severity == "critical")|length' assessment.json)
    if [ "$CRITICAL" -gt 0 ]; then
      echo "::error::Found $CRITICAL critical security issues"
      exit 1
    fi

### PowerShell Automatisierungpowershell

Azure Security Assessment PowerShell Module¶

function Invoke-AzureSecurityAssessment \\{ param( [string]$SubscriptionId, [string]$ResourceGroup, [string]$OutputPath = ".\assessment-results", [string[]]$Severity = @("critical", "high"), [switch]$Comprehensive, [switch]$GenerateReport )

# Ensure output directory exists
if (!(Test-Path $OutputPath)) \\\\{
    New-Item -ItemType Directory -Path $OutputPath -Force
\\\\}

# Build assessment command
$cmd = "azucar assess"

if ($SubscriptionId) \\\\{
    $cmd += " --subscription `"$SubscriptionId`""
\\\\}

if ($ResourceGroup) \\\\{
    $cmd += " --resource-groups `"$ResourceGroup`""
\\\\}

if ($Comprehensive) \\\\{
    $cmd += " --comprehensive"
\\\\}

if ($Severity) \\\\{
    $severityFilter = $Severity -join ","
    $cmd += " --severity-filter `"$severityFilter`""
\\\\}

$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$outputFile = Join-Path $OutputPath "assessment_$timestamp.json"
$cmd += " --output-file `"$outputFile`""

try \\\\{
    Write-Host "[+] Running Azure Security Assessment..."
    Invoke-Expression $cmd

    if ($GenerateReport) \\\\{
        Write-Host "[+] Generating HTML report..."
        $reportFile = Join-Path $OutputPath "report_$timestamp.html"
        $reportCmd = "azucar report generate --input `"$outputFile`" --template executive-summary --output `"$reportFile`""
        Invoke-Expression $reportCmd
    \\\\}

    # Parse results
    $assessment = Get-Content $outputFile|ConvertFrom-Json
    $findings = $assessment.findings

    $summary = @\\\\{
        Total = $findings.Count
        Critical = ($findings|Where-Object \\\\{ $_.severity -eq "critical" \\\\}).Count
        High = ($findings|Where-Object \\\\{ $_.severity -eq "high" \\\\}).Count
        Medium = ($findings|Where-Object \\\\{ $_.severity -eq "medium" \\\\}).Count
        Low = ($findings|Where-Object \\\\{ $_.severity -eq "low" \\\\}).Count
    \\\\}

    Write-Host "[+] Assessment Summary:"
    Write-Host "    Total Findings: $($summary.Total)"
    Write-Host "    Critical: $($summary.Critical)"
    Write-Host "    High: $($summary.High)"
    Write-Host "    Medium: $($summary.Medium)"
    Write-Host "    Low: $($summary.Low)"

    return @\\\\{
        OutputFile = $outputFile
        Summary = $summary
        Findings = $findings
    \\\\}

\\\\} catch \\\\{
    Write-Error "[-] Assessment failed: $($_.Exception.Message)"
    return $null
\\\\}

\\}

Usage examples¶

$result = Invoke-AzureSecurityAssessment -SubscriptionId "your-sub-id" -Comprehensive -GenerateReport

Check for critical issues¶

if ($result.Summary.Critical -gt 0) \\{ Write-Warning "Found $($result.Summary.Critical) critical security issues!" \\} ## Fehlerbehebungbash

Check Azure CLI authentication¶

az account show

Re-authenticate¶

az login --tenant "tenant-id"

Verify service principal permissions¶

az role assignment list --assignee "service-principal-id"

Test API access¶

az rest --method get --url "https://management.azure.com/subscriptions/your-sub-id/resources?api-version=2021-04-01" ### Häufige Problemebash

Check required permissions¶

az role definition show --name "Security Reader"

Grant additional permissions¶

az role assignment create \ --assignee "principal-id" \ --role "Reader" \ --scope "/subscriptions/subscription-id"

List current permissions¶

az role assignment list --assignee "principal-id" --output table #### Authentifizierungsproblemebash

Reduce parallel requests¶

azucar assess --parallel 5

Increase timeout¶

azucar assess --timeout 60

Assess specific regions only¶

azucar assess --regions "eastus"

Exclude large resource types¶

azucar assess --exclude-types "Microsoft.Compute/virtualMachines" #### Berechtigungsproblemebash

Validate custom rules¶

azucar rules validate --rules-path "./custom_rules"

Test specific rule¶

azucar assess --rule-id "AZR-001" --dry-run

Debug rule execution¶

azucar assess --rule-id "AZR-001" --verbose --debug

Export default rules for reference¶

azucar rules export --output default-rules.json #### Leistungsproblemebash

Enable debug logging¶

export RUST_LOG=debug azucar assess --verbose

Save logs to file¶

azucar assess --verbose 2>&1|tee assessment.log

Check specific rule execution¶

azucar assess --rule-id "AZR-001" --debug

Validate configuration¶

azucar config validate ```#### Regelprobleme https://github.com/nccgroup/azucar##

Debugging und Logging¶

https://docs.microsoft.com/en-us/azure/security/#

Ressourcen¶

https://docs.microsoft.com/en-us/azure/security/benchmarks/- Azure Security Assessment Tool Repository https://docs.microsoft.com/en-us/azure/role-based-access-control/- Azure Sicherheitsdokumentation https://docs.microsoft.com/en-us/rest/api/azure/- [Azure Sicherheits-Benchmark](