# Azucar Azure Security Audit Tool Cheat Sheet

## Overview

Azucar is an open-source security auditing tool for Azure environments, developed by Juan Garrido. It automatically collects a wide range of configuration data from Azure Active Directory, Azure SQL Databases, Storage Accounts, Key Vaults and other Azure services to help identify potential security issues and misconfigurations.

⚠️ Warning: This tool is intended only for authorized security assessments and audits. Make sure you have proper authorization before using it in any environment.
## Installation

### Installation from the PowerShell Gallery

```powershell
# Install from PowerShell Gallery
Install-Module -Name Azucar
# Install for current user only
Install-Module -Name Azucar -Scope CurrentUser
# Update existing installation
Update-Module -Name Azucar
# Import module
Import-Module Azucar
```

### Manual Installation

```powershell
# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/nccgroup/azucar/archive/master.zip" -OutFile "Azucar.zip"
Expand-Archive -Path "Azucar.zip" -DestinationPath "C:\Tools\"
# Import module
Import-Module C:\Tools\Azucar-master\Azucar.psd1
# Install dependencies
Install-Module -Name Az
Install-Module -Name AzureAD
```

### Installation with Git

```powershell
# Clone repository
git clone https://github.com/nccgroup/azucar.git
cd azucar
# Import in PowerShell
Import-Module .\Azucar.psd1
```
## Basic Usage

### Module Setup

```powershell
# Import Azucar
Import-Module Azucar
# Get available commands
Get-Command -Module Azucar
# Get help for main function
Get-Help Invoke-Azucar -Full
# Check module version
Get-Module Azucar
```

### Authentication

```powershell
# Interactive authentication
Connect-AzAccount
# Service principal authentication
$credential = Get-Credential
Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId "tenant-id"
# Certificate authentication
Connect-AzAccount -ServicePrincipal -CertificateThumbprint "thumbprint" -ApplicationId "app-id" -TenantId "tenant-id"
```
## Command Reference

### Main Commands

| Command | Description |
|---|---|
| Invoke-Azucar | Main audit function |
| Get-AzucarReport | Generate audit report |
| Export-AzucarData | Export audit data |
| Set-AzucarConfig | Configure audit settings |

### Audit Options

| Parameter | Description |
|---|---|
| -TenantId | Azure AD tenant ID |
| -SubscriptionId | Azure subscription ID |
| -OutputPath | Output directory path |
| -Format | Report format (HTML/JSON/CSV) |
| -Verbose | Enable verbose output |

## Complete Security Audit
### Basic Audit

```powershell
# Run basic security audit
Invoke-Azucar
# Audit specific tenant
Invoke-Azucar -TenantId "tenant-id"
# Audit specific subscription
Invoke-Azucar -SubscriptionId "subscription-id"
# Audit with custom output path
Invoke-Azucar -OutputPath "C:\AzureAudit\"
```

### Advanced Audit Options

```powershell
# Comprehensive audit with all checks
Invoke-Azucar -All
# Audit specific services
Invoke-Azucar -Services @("AzureAD", "Storage", "KeyVault", "SQL")
# Audit with specific compliance framework
Invoke-Azucar -ComplianceFramework "CIS"
# Audit with custom configuration
Invoke-Azucar -ConfigFile "custom-config.json"
```

### Multi-Tenant Audit

```powershell
# Audit multiple tenants
$tenants = @("tenant1-id", "tenant2-id", "tenant3-id")
foreach ($tenant in $tenants) {
    Invoke-Azucar -TenantId $tenant -OutputPath "C:\AzureAudit\$tenant\"
}
# Audit all accessible tenants
$allTenants = Get-AzTenant
foreach ($tenant in $allTenants) {
    Invoke-Azucar -TenantId $tenant.Id -OutputPath "C:\AzureAudit\$($tenant.Id)\"
}
```
## Azure Active Directory Audit

### User and Group Analysis

```powershell
# Audit Azure AD users
Invoke-Azucar -Services @("AzureAD") -Focus "Users"
# Check for privileged users
Invoke-Azucar -Services @("AzureAD") -Focus "PrivilegedUsers"
# Audit group memberships
Invoke-Azucar -Services @("AzureAD") -Focus "Groups"
# Check guest user access
Invoke-Azucar -Services @("AzureAD") -Focus "GuestUsers"
```

### Application and Service Principal Analysis

```powershell
# Audit applications
Invoke-Azucar -Services @("AzureAD") -Focus "Applications"
# Check application permissions
Invoke-Azucar -Services @("AzureAD") -Focus "ApplicationPermissions"
# Audit service principals
Invoke-Azucar -Services @("AzureAD") -Focus "ServicePrincipals"
# Check for overprivileged applications
Invoke-Azucar -Services @("AzureAD") -Focus "HighPrivilegeApps"
```

### Conditional Access and Security Policies

```powershell
# Audit Conditional Access policies
Invoke-Azucar -Services @("AzureAD") -Focus "ConditionalAccess"
# Check MFA configuration
Invoke-Azucar -Services @("AzureAD") -Focus "MFA"
# Audit password policies
Invoke-Azucar -Services @("AzureAD") -Focus "PasswordPolicies"
# Check security defaults
Invoke-Azucar -Services @("AzureAD") -Focus "SecurityDefaults"
```
## Azure Resource Audit

### Storage Account Security

```powershell
# Audit storage accounts
Invoke-Azucar -Services @("Storage")
# Check storage account access
Invoke-Azucar -Services @("Storage") -Focus "PublicAccess"
# Audit storage encryption
Invoke-Azucar -Services @("Storage") -Focus "Encryption"
# Check storage account keys
Invoke-Azucar -Services @("Storage") -Focus "AccessKeys"
```

### Key Vault Security

```powershell
# Audit Key Vaults
Invoke-Azucar -Services @("KeyVault")
# Check Key Vault access policies
Invoke-Azucar -Services @("KeyVault") -Focus "AccessPolicies"
# Audit Key Vault secrets
Invoke-Azucar -Services @("KeyVault") -Focus "Secrets"
# Check Key Vault network access
Invoke-Azucar -Services @("KeyVault") -Focus "NetworkAccess"
```

### SQL Database Security

```powershell
# Audit SQL databases
Invoke-Azucar -Services @("SQL")
# Check SQL server firewall rules
Invoke-Azucar -Services @("SQL") -Focus "FirewallRules"
# Audit SQL database encryption
Invoke-Azucar -Services @("SQL") -Focus "Encryption"
# Check SQL auditing configuration
Invoke-Azucar -Services @("SQL") -Focus "Auditing"
```

### Virtual Machine Security

```powershell
# Audit virtual machines
Invoke-Azucar -Services @("VirtualMachines")
# Check VM network security groups
Invoke-Azucar -Services @("VirtualMachines") -Focus "NetworkSecurity"
# Audit VM disk encryption
Invoke-Azucar -Services @("VirtualMachines") -Focus "DiskEncryption"
# Check VM backup configuration
Invoke-Azucar -Services @("VirtualMachines") -Focus "Backup"
```
## Network Security Audit

### Network Security Groups

```powershell
# Audit network security groups
Invoke-Azucar -Services @("Network") -Focus "SecurityGroups"
# Check for overly permissive rules
Invoke-Azucar -Services @("Network") -Focus "PermissiveRules"
# Audit inbound rules
Invoke-Azucar -Services @("Network") -Focus "InboundRules"
# Check for default rules
Invoke-Azucar -Services @("Network") -Focus "DefaultRules"
```

### Virtual Network Configuration

```powershell
# Audit virtual networks
Invoke-Azucar -Services @("Network") -Focus "VirtualNetworks"
# Check subnet configuration
Invoke-Azucar -Services @("Network") -Focus "Subnets"
# Audit network peering
Invoke-Azucar -Services @("Network") -Focus "Peering"
# Check DNS configuration
Invoke-Azucar -Services @("Network") -Focus "DNS"
```
## Compliance and Governance

### CIS Benchmark

```powershell
# Run CIS Azure benchmark
Invoke-Azucar -ComplianceFramework "CIS"
# Generate CIS compliance report
Invoke-Azucar -ComplianceFramework "CIS" -Format "HTML" -OutputPath "C:\CIS_Report\"
# Check specific CIS controls
Invoke-Azucar -ComplianceFramework "CIS" -Controls @("1.1", "1.2", "2.1")
```

### Azure Security Center Integration

```powershell
# Audit Security Center configuration
Invoke-Azucar -Services @("SecurityCenter")
# Check security policies
Invoke-Azucar -Services @("SecurityCenter") -Focus "Policies"
# Audit security recommendations
Invoke-Azucar -Services @("SecurityCenter") -Focus "Recommendations"
# Check security alerts
Invoke-Azucar -Services @("SecurityCenter") -Focus "Alerts"
```

### Resource Governance

```powershell
# Audit resource groups
Invoke-Azucar -Services @("ResourceManagement") -Focus "ResourceGroups"
# Check resource tags
Invoke-Azucar -Services @("ResourceManagement") -Focus "Tags"
# Audit resource locks
Invoke-Azucar -Services @("ResourceManagement") -Focus "Locks"
# Check resource policies
Invoke-Azucar -Services @("ResourceManagement") -Focus "Policies"
```
## Report Generation and Analysis

### HTML Reports

```powershell
# Generate HTML report
Invoke-Azucar -Format "HTML" -OutputPath "C:\AzureAudit\"
# Generate detailed HTML report
Invoke-Azucar -Format "HTML" -Detailed -OutputPath "C:\AzureAudit\"
# Generate executive summary
Invoke-Azucar -Format "HTML" -Summary -OutputPath "C:\AzureAudit\"
```

### JSON and CSV Export

```powershell
# Export to JSON
Invoke-Azucar -Format "JSON" -OutputPath "C:\AzureAudit\"
# Export to CSV
Invoke-Azucar -Format "CSV" -OutputPath "C:\AzureAudit\"
# Export raw data
Invoke-Azucar -Format "Raw" -OutputPath "C:\AzureAudit\"
```

### Custom Report Templates

```powershell
# Use custom report template
Invoke-Azucar -Template "custom-template.html" -OutputPath "C:\AzureAudit\"
# Generate report with custom branding
Invoke-Azucar -Template "branded-template.html" -CompanyName "Your Company" -OutputPath "C:\AzureAudit\"
```

## Advanced Configuration

### Custom Configuration File

```json
{
  "AuditSettings": {
    "IncludeServices": ["AzureAD", "Storage", "KeyVault", "SQL"],
    "ExcludeChecks": ["LowPriority"],
    "OutputFormat": "HTML",
    "DetailLevel": "High"
  },
  "ComplianceFrameworks": {
    "CIS": {
      "Version": "1.3.0",
      "IncludeControls": ["1.*", "2.*", "3.*"]
    }
  },
  "ReportSettings": {
    "IncludeRecommendations": true,
    "IncludeEvidence": true,
    "GroupByService": true
  }
}
```

### PowerShell Configuration

```powershell
# Set custom configuration
$config = @{
    Services               = @("AzureAD", "Storage", "KeyVault")
    OutputFormat           = "HTML"
    DetailLevel            = "High"
    IncludeRecommendations = $true
}
Set-AzucarConfig -Configuration $config
# Run audit with custom configuration
Invoke-Azucar -UseCustomConfig
```

### Filtering and Exclusions

```powershell
# Exclude specific resource groups
Invoke-Azucar -ExcludeResourceGroups @("test-rg", "dev-rg")
# Include only specific subscriptions
Invoke-Azucar -IncludeSubscriptions @("sub1-id", "sub2-id")
# Exclude low-priority findings
Invoke-Azucar -ExcludeSeverity @("Low", "Informational")
# Filter by resource tags
Invoke-Azucar -FilterByTags @{ Environment = "Production"; Owner = "Security" }
```

## Automation and Scheduling

### Automated Audit Script

```powershell
# Automated Azure security audit script
param(
    [string]$TenantId,
    [string]$OutputPath = "C:\AzureAudit",
    [string]$EmailRecipients = "security@company.com",
    # Placeholder values: Send-MailMessage needs a sender address and an SMTP server
    [string]$EmailFrom = "azure-audit@company.com",
    [string]$SmtpServer = "smtp.company.com"
)

# Create output directory with timestamp
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$auditPath = Join-Path $OutputPath "Audit_$timestamp"
New-Item -ItemType Directory -Path $auditPath -Force | Out-Null

# Authenticate to Azure
Connect-AzAccount -TenantId $TenantId

# Run comprehensive audit
Write-Host "Starting Azure security audit..."
Invoke-Azucar -All -Format "HTML" -OutputPath $auditPath

# Generate summary report
$reportPath = Join-Path $auditPath "AzureSecurityAudit.html"
if (Test-Path $reportPath) {
    Write-Host "Audit completed successfully"
    # Send email notification
    $subject = "Azure Security Audit Completed - $timestamp"
    $body = "Azure security audit has been completed. Report available at: $reportPath"
    Send-MailMessage -From $EmailFrom -To $EmailRecipients -Subject $subject -Body $body -Attachments $reportPath -SmtpServer $SmtpServer
} else {
    Write-Error "Audit failed - report not generated"
}
```

### Creating Scheduled Tasks

```powershell
# Create scheduled task for regular audits
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\AzureAudit.ps1"
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 6AM
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask -TaskName "Azure Security Audit" -Action $action -Trigger $trigger -Settings $settings
```
### Continuous Monitoring

```powershell
# Continuous monitoring script
param(
    [int]$IntervalHours = 24,
    [string]$LogPath = "C:\AzureAudit\monitoring.log"
)

while ($true) {
    $timestamp = Get-Date
    Write-Output "[$timestamp] Starting Azure security monitoring" | Tee-Object -FilePath $LogPath -Append
    try {
        # Run quick security check
        $findings = Invoke-Azucar -Quick -Format "JSON"
        # Check for critical findings (wrapped in @() so .Count is valid for 0 or 1 results)
        $criticalFindings = @($findings | Where-Object { $_.Severity -eq "Critical" })
        if ($criticalFindings.Count -gt 0) {
            Write-Output "[$timestamp] Critical findings detected: $($criticalFindings.Count)" | Tee-Object -FilePath $LogPath -Append
            # Send alert (sender and SMTP server are placeholder values)
            $alertSubject = "ALERT: Critical Azure Security Findings"
            $alertBody = "Critical security findings detected in Azure environment. Immediate attention required."
            Send-MailMessage -From "azure-audit@company.com" -To "security@company.com" -Subject $alertSubject -Body $alertBody -SmtpServer "smtp.company.com"
        }
    }
    catch {
        Write-Output "[$timestamp] Error during monitoring: $($_.Exception.Message)" | Tee-Object -FilePath $LogPath -Append
    }
    Start-Sleep -Seconds ($IntervalHours * 3600)
}
```
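The loop above alerts on every critical finding each cycle, so a finding that is already known gets re-reported every day. The following is an added example (not code from the Azucar project or this cheat sheet) that compares two JSON exports and alerts only on findings that are new since the baseline; it assumes finding objects carry the Severity, Description and ResourceId fields used in the SIEM export later on this page, the functions Compare-AzucarFindings and Get-FindingKey are this example's own, and both exports are constructed sample data.

```powershell
# Added example (not from the Azucar project): report only findings that are new
# since a baseline run, so the monitor alerts once per finding instead of every cycle.
# Finding fields Severity, Description and ResourceId are assumed; sample data is constructed.

function Get-FindingKey {
    param([Parameter(Mandatory)] $Finding)
    # Identify a finding by where it is and what it says, not by when it was seen
    return ('{0}|{1}' -f $Finding.ResourceId, $Finding.Description)
}

function Compare-AzucarFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,
        [Parameter(Mandatory)] [object[]] $Current,
        [string[]] $AlertSeverities = @('Critical', 'High')
    )
    $known = @{}
    foreach ($f in $Baseline) { $known[(Get-FindingKey $f)] = $true }
    $seen = @{}
    foreach ($f in $Current) { $seen[(Get-FindingKey $f)] = $true }

    # @() keeps .Count valid when a filter matches zero or one finding
    $new      = @($Current  | Where-Object { -not $known.ContainsKey((Get-FindingKey $_)) })
    $resolved = @($Baseline | Where-Object { -not $seen.ContainsKey((Get-FindingKey $_)) })
    # Only new findings at the alerting severities should page anyone
    $toAlert  = @($new | Where-Object { $AlertSeverities -contains $_.Severity })

    [pscustomobject]@{ New = $new; Resolved = $resolved; ToAlert = $toAlert }
}

# Constructed sample exports standing in for two Invoke-Azucar -Format "JSON" runs
$baselineJson = @'
[
  {"Severity":"High","Description":"Storage account allows public blob access","ResourceId":"/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1"},
  {"Severity":"Low","Description":"Resource group has no Owner tag","ResourceId":"/subscriptions/<sub-id>/resourceGroups/rg1"}
]
'@
$currentJson = @'
[
  {"Severity":"Low","Description":"Resource group has no Owner tag","ResourceId":"/subscriptions/<sub-id>/resourceGroups/rg1"},
  {"Severity":"Critical","Description":"Key Vault allows access from all networks","ResourceId":"/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.KeyVault/vaults/kv1"}
]
'@

$delta = Compare-AzucarFindings -Baseline ($baselineJson | ConvertFrom-Json) -Current ($currentJson | ConvertFrom-Json)
"New: $($delta.New.Count)  Resolved: $($delta.Resolved.Count)  Alerting: $($delta.ToAlert.Count)"
$delta.ToAlert | ForEach-Object { '[{0}] {1} -> {2}' -f $_.Severity, $_.Description, $_.ResourceId }
```

With the sample data, the storage finding counts as resolved, the tag finding is unchanged, and only the new Key Vault finding reaches the alert list.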
## Troubleshooting

### Authentication Issues

```powershell
# Clear cached credentials
Clear-AzContext -Force
# Test authentication
$context = Get-AzContext
if (-not $context) {
    Write-Error "Not authenticated to Azure"
    Connect-AzAccount
}
# Verify permissions
$currentUser = Get-AzADUser -UserPrincipalName (Get-AzContext).Account.Id
Write-Output "Current user: $($currentUser.DisplayName)"
```

### Module Issues

```powershell
# Check Azucar installation
Get-Module Azucar -ListAvailable
# Update Azucar
Update-Module Azucar -Force
# Reinstall if necessary
Uninstall-Module Azucar
Install-Module Azucar -Force
# Check dependencies
Get-Module Az -ListAvailable
Get-Module AzureAD -ListAvailable
```

### Permission Issues

```powershell
# Check required permissions
$requiredPermissions = @(
    "Directory.Read.All",
    "User.Read.All",
    "Application.Read.All",
    "Policy.Read.All"
)
foreach ($permission in $requiredPermissions) {
    try {
        # Test permission by attempting to read data
        # (placeholder: put a read call that requires this permission here so a denial lands in catch)
        Write-Output "Testing permission: $permission"
    }
    catch {
        Write-Warning "Missing permission: $permission"
    }
}
```

### Performance Issues

```powershell
# Run audit with reduced scope
Invoke-Azucar -Services @("AzureAD") -Quick
# Use parallel processing
Invoke-Azucar -Parallel -MaxThreads 5
# Exclude large datasets
Invoke-Azucar -ExcludeServices @("Logs", "Metrics")
```
## Integrations

### SIEM Export

```powershell
# Export findings to SIEM format
$findings = Invoke-Azucar -Format "JSON"
$siemEvents = $findings | ForEach-Object {
    @{
        # ISO 8601 timestamp in UTC, since the trailing Z declares UTC
        timestamp = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
        source    = "Azucar"
        severity  = $_.Severity
        finding   = $_.Description
        resource  = $_.ResourceId
    }
}
# Send to SIEM
$siemEvents | ConvertTo-Json | Out-File "siem_events.json"
```
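Many SIEMs ingest CEF rather than ad-hoc JSON, and a finding description that contains `|` or `=` will corrupt a CEF record unless it is escaped. The following is an added example (not part of the Azucar project) that converts the same finding objects into CEF lines with the escaping the format requires; it assumes the Severity, Description and ResourceId fields as above, the vendor/product/version header fields and the signature ID are placeholders, and the sample findings are constructed.

```powershell
# Added example (not from the Azucar project): emit Azucar findings as CEF lines for a SIEM.
# Finding fields Severity, Description and ResourceId are assumed; sample findings are constructed.

function ConvertTo-CefHeaderField {
    param([string] $Value)
    # CEF header fields escape backslash and pipe
    return $Value.Replace('\', '\\').Replace('|', '\|')
}

function ConvertTo-CefExtensionValue {
    param([string] $Value)
    # CEF extension values escape backslash and equals, and must stay on one line
    return $Value.Replace('\', '\\').Replace('=', '\=').Replace("`r", '').Replace("`n", '\n')
}

function ConvertTo-AzucarCef {
    param([Parameter(Mandatory)] [object[]] $Findings)
    # CEF severity is an integer 0-10; map the tool's textual levels onto that scale
    $severityMap = @{ Critical = 10; High = 8; Medium = 5; Low = 3; Informational = 1 }
    foreach ($f in $Findings) {
        $level = [string]$f.Severity
        $sev = if ($severityMap.ContainsKey($level)) { $severityMap[$level] } else { 0 }
        $name = ConvertTo-CefHeaderField $f.Description
        $ext = 'cs1Label=ResourceId cs1={0} msg={1}' -f (ConvertTo-CefExtensionValue $f.ResourceId), (ConvertTo-CefExtensionValue $f.Description)
        # Header layout: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
        # Vendor, product, version and signature id are placeholders, not values from Azucar
        'CEF:0|NCC Group|Azucar|<version>|AzucarFinding|{0}|{1}|{2}' -f $name, $sev, $ext
    }
}

# Constructed sample findings standing in for Invoke-Azucar -Format "JSON" output;
# the second one deliberately contains '=' and '|' to exercise the escaping
$sampleFindings = @'
[
  {"Severity":"Critical","Description":"SQL server firewall rule allows 0.0.0.0-255.255.255.255","ResourceId":"/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Sql/servers/sql1"},
  {"Severity":"Medium","Description":"Storage account key=primary not rotated | age over 90 days","ResourceId":"/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1"}
]
'@ | ConvertFrom-Json

ConvertTo-AzucarCef -Findings $sampleFindings | Set-Content -Path 'azucar_findings.cef' -Encoding UTF8
```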
### Power BI Export

```powershell
# Export data for PowerBI
$auditData = Invoke-Azucar -Format "CSV"
# Create PowerBI dataset
$powerBIData = @{
    findings   = $auditData.Findings
    resources  = $auditData.Resources
    compliance = $auditData.Compliance
}
$powerBIData | ConvertTo-Json | Out-File "powerbi_data.json"
```

### Azure DevOps Pipeline

```yaml
# Azure DevOps pipeline for security auditing
# No branch trigger; the schedule below runs the audit
trigger: none
schedules:
  - cron: "0 6 * * 1"
    displayName: Weekly security audit
    branches:
      include:
        - main

pool:
  vmImage: 'windows-latest'

steps:
  - task: AzurePowerShell@5
    inputs:
      azureSubscription: 'Azure-Subscription'
      ScriptType: 'InlineScript'
      Inline: |
        Install-Module -Name Azucar -Force
        Import-Module Azucar
        Invoke-Azucar -All -Format "HTML" -OutputPath "$(Build.ArtifactStagingDirectory)"
      azurePowerShellVersion: 'LatestVersion'
  - task: PublishBuildArtifacts@1
    inputs:
      PathtoPublish: '$(Build.ArtifactStagingDirectory)'
      ArtifactName: 'AzureSecurityAudit'
```

## Resources

- GitHub repository: https://github.com/nccgroup/azucar
- NCC Group blog
- Azure security documentation
- CIS benchmark reference for Azure
- Azure Security Center

This cheat sheet provides a complete reference for using Azucar. Always make sure you have proper authorization before performing Azure security assessments.