
Azucar Azure Security Auditing Tool Cheat Sheet

Overview

Azucar is an open-source security auditing tool for Azure environments, developed by Juan Garrido and released through NCC Group. It automatically collects configuration data from Azure Active Directory (now Microsoft Entra ID), Azure SQL Database, Storage Accounts, Key Vault and other Azure services to help identify potential security issues and misconfigurations.

⚠️ Warning: This tool is intended solely for authorized security assessments and audits. Make sure you have authorization before using it in any environment.

Installation

# Install from PowerShell Gallery (Azucar is published from the nccgroup/azucar
# GitHub repository; if the Gallery lookup fails, use the manual installation below)
Install-Module -Name Azucar

# Install for current user only
Install-Module -Name Azucar -Scope CurrentUser

# Update existing installation
Update-Module -Name Azucar

# Import module
Import-Module Azucar

Manual Installation

# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/nccgroup/azucar/archive/master.zip" -OutFile "Azucar.zip"
Expand-Archive -Path "Azucar.zip" -DestinationPath "C:\Tools\"

# Import module
Import-Module C:\Tools\Azucar-master\Azucar.psd1

# Install dependencies (the AzureAD module is deprecated by Microsoft in favour of
# Microsoft.Graph; it still installs from the Gallery but is no longer supported)
Install-Module -Name Az
Install-Module -Name AzureAD

Installation from Git

# Clone repository
git clone https://github.com/nccgroup/azucar.git
cd azucar

# Import in PowerShell
Import-Module .\Azucar.psd1

Basic Usage

Module Configuration

# Import Azucar
Import-Module Azucar

# Get available commands
Get-Command -Module Azucar

# Get help for main function
Get-Help Invoke-Azucar -Full

# Check module version
Get-Module Azucar

Authentication

# Interactive authentication
Connect-AzAccount

# Service principal authentication: the credential's user name is the application
# (client) ID and the password is the client secret
$credential = Get-Credential
Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId "tenant-id"

# Certificate authentication
Connect-AzAccount -ServicePrincipal -CertificateThumbprint "thumbprint" -ApplicationId "app-id" -TenantId "tenant-id"
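For unattended runs a practitioner needs two things the commands above do not show: a way to supply the client secret without typing it into Get-Credential, and a check that the identity the audit runs as is not more privileged than an auditor should be. The following is an added example; it is not Azucar's code and not from the original page. It assumes an environment variable named AZURE_CLIENT_SECRET, placeholder tenant and application IDs, and an allowlist of read-only roles that is a local policy choice rather than anything Azucar enforces.

```powershell
# Added example (not part of Azucar): non-interactive login plus a least-privilege
# check on the audit identity. Assumptions: AZURE_CLIENT_SECRET holds the client
# secret; $tenantId and $appId are placeholders; the role allowlist is local policy.
$tenantId = "tenant-id"
$appId    = "app-id"

function Connect-AuditIdentity {
    # Builds the PSCredential from the environment so the secret never appears in
    # command history or in this file, then signs in as the service principal.
    param([Parameter(Mandatory)] [string]$TenantId, [Parameter(Mandatory)] [string]$ApplicationId)
    $secret = $env:AZURE_CLIENT_SECRET
    if (-not $secret) { throw "AZURE_CLIENT_SECRET is not set" }
    $secureSecret = ConvertTo-SecureString $secret -AsPlainText -Force
    $credential   = New-Object System.Management.Automation.PSCredential($ApplicationId, $secureSecret)
    Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId $TenantId | Out-Null
}

function Test-AuditIdentityLeastPrivilege {
    # Returns the role names a principal holds that are NOT in the read-only allowlist.
    # An empty result means the identity is scoped the way an auditor should be.
    param(
        [Parameter(Mandatory)] [object[]]$RoleAssignments,   # objects with RoleDefinitionName and Scope
        [string[]]$AllowedRoles = @("Reader", "Security Reader", "Key Vault Reader")
    )
    $RoleAssignments |
        Where-Object { $_.RoleDefinitionName -notin $AllowedRoles } |
        ForEach-Object { "{0} at {1}" -f $_.RoleDefinitionName, $_.Scope }
}

# Constructed sample input so the check runs without a subscription:
$sampleAssignments = @(
    [pscustomobject]@{ RoleDefinitionName = "Reader";      Scope = "/subscriptions/1111" }
    [pscustomobject]@{ RoleDefinitionName = "Contributor"; Scope = "/subscriptions/2222" }
)
Test-AuditIdentityLeastPrivilege -RoleAssignments $sampleAssignments

# Live usage against the real tenant (requires the Az module and network access):
# Connect-AuditIdentity -TenantId $tenantId -ApplicationId $appId
# $excess = Test-AuditIdentityLeastPrivilege -RoleAssignments (Get-AzRoleAssignment -ServicePrincipalName $appId)
# if ($excess) { Write-Warning "Audit identity is over-privileged: $($excess -join '; ')" }
```

Reader-class roles are enough for configuration audits; an auditing identity that also holds Contributor or Owner turns a leaked audit credential into a write path into the tenant, which is why the check is worth running before every scheduled run.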

Command Reference

Main Commands

| Command | Description |
|---|---|
| Invoke-Azucar | Main audit function |
| Get-AzucarReport | Generate audit report |
| Export-AzucarData | Export audit data |
| Set-AzucarConfig | Configure audit settings |

Audit Options

| Parameter | Description |
|---|---|
| -TenantId | Azure AD tenant ID |
| -SubscriptionId | Azure subscription ID |
| -OutputPath | Output directory path |
| -Format | Report format (HTML/JSON/CSV) |
| -Verbose | Enable verbose output |

Comprehensive Security Audit

Basic Audit

# Run basic security audit
Invoke-Azucar

# Audit specific tenant
Invoke-Azucar -TenantId "tenant-id"

# Audit specific subscription
Invoke-Azucar -SubscriptionId "subscription-id"

# Audit with custom output path
Invoke-Azucar -OutputPath "C:\AzureAudit\"

Advanced Audit Options

# Comprehensive audit with all checks
Invoke-Azucar -All

# Audit specific services
Invoke-Azucar -Services @("AzureAD", "Storage", "KeyVault", "SQL")

# Audit with specific compliance framework
Invoke-Azucar -ComplianceFramework "CIS"

# Audit with custom configuration
Invoke-Azucar -ConfigFile "custom-config.json"

Multi-Tenant Audit

# Audit multiple tenants
$tenants = @("tenant1-id", "tenant2-id", "tenant3-id")
foreach ($tenant in $tenants) {
    Invoke-Azucar -TenantId $tenant -OutputPath "C:\AzureAudit\$tenant\"
}

# Audit all accessible tenants
$allTenants = Get-AzTenant
foreach ($tenant in $allTenants) {
    Invoke-Azucar -TenantId $tenant.Id -OutputPath "C:\AzureAudit\$($tenant.Id)\"
}

Azure Active Directory Audit

User and Group Analysis

# Audit Azure AD users
Invoke-Azucar -Services @("AzureAD") -Focus "Users"

# Check for privileged users
Invoke-Azucar -Services @("AzureAD") -Focus "PrivilegedUsers"

# Audit group memberships
Invoke-Azucar -Services @("AzureAD") -Focus "Groups"

# Check guest user access
Invoke-Azucar -Services @("AzureAD") -Focus "GuestUsers"

Application and Service Principal Analysis

# Audit applications
Invoke-Azucar -Services @("AzureAD") -Focus "Applications"

# Check application permissions
Invoke-Azucar -Services @("AzureAD") -Focus "ApplicationPermissions"

# Audit service principals
Invoke-Azucar -Services @("AzureAD") -Focus "ServicePrincipals"

# Check for overprivileged applications
Invoke-Azucar -Services @("AzureAD") -Focus "HighPrivilegeApps"
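What makes an application "over-privileged" is the Graph permissions it has been granted, and a handful of them amount to tenant takeover: RoleManagement.ReadWrite.Directory can assign Global Administrator, AppRoleAssignment.ReadWrite.All can grant any app any permission, and Application.ReadWrite.All can add a credential to any app. The block below is an added example of that triage, not Azucar's own logic and not from the original page. The dangerous-permission list is a reviewer's judgement to extend locally; the live-usage lines assume the Microsoft.Graph module is installed and connected with Application.Read.All.

```powershell
# Added example (not part of Azucar): flag application permissions that grant
# tenant-wide control. The list is a local policy choice, not Azucar's.
$HighPrivilegeGraphPermissions = @(
    "RoleManagement.ReadWrite.Directory",  # can assign Global Administrator
    "AppRoleAssignment.ReadWrite.All",     # can grant any app any permission
    "Application.ReadWrite.All",           # can add credentials to any app
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All",
    "User.ReadWrite.All",
    "Mail.ReadWrite",
    "Files.ReadWrite.All"
)

function Find-HighPrivilegeApp {
    # Takes (AppName, Permission) pairs and returns one line per dangerous grant.
    # Permission values are Graph permission strings, e.g. "Directory.ReadWrite.All".
    param(
        [Parameter(Mandatory)] [object[]]$Grants,
        [string[]]$Dangerous = $HighPrivilegeGraphPermissions
    )
    $Grants |
        Where-Object { $_.Permission -in $Dangerous } |
        Sort-Object AppName, Permission -Unique |
        ForEach-Object { "{0}: {1}" -f $_.AppName, $_.Permission }
}

# Constructed sample data standing in for real app role assignments:
$sampleGrants = @(
    [pscustomobject]@{ AppName = "HR-Sync";      Permission = "User.Read.All" }
    [pscustomobject]@{ AppName = "HR-Sync";      Permission = "Directory.ReadWrite.All" }
    [pscustomobject]@{ AppName = "Ticket-Bot";   Permission = "Mail.Send" }
    [pscustomobject]@{ AppName = "Legacy-Admin"; Permission = "RoleManagement.ReadWrite.Directory" }
)
Find-HighPrivilegeApp -Grants $sampleGrants

# Live usage (assumption: Microsoft.Graph module connected with Application.Read.All).
# Application permissions are app role assignments on the Microsoft Graph service
# principal; its AppRoles table maps the assigned role GUIDs back to permission names.
# $graphSp   = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
# $roleNames = @{}; $graphSp.AppRoles | ForEach-Object { $roleNames[$_.Id] = $_.Value }
# $live = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
#     ForEach-Object { [pscustomobject]@{ AppName = $_.PrincipalDisplayName; Permission = $roleNames[$_.AppRoleId] } }
# Find-HighPrivilegeApp -Grants $live
```

Application (app-only) permissions are the ones to prioritise: they apply to the whole tenant with no signed-in user in the loop, so a leaked client secret on an app holding one of these is equivalent to a Global Administrator credential.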

Conditional Access and Security Policies

# Audit Conditional Access policies
Invoke-Azucar -Services @("AzureAD") -Focus "ConditionalAccess"

# Check MFA configuration
Invoke-Azucar -Services @("AzureAD") -Focus "MFA"

# Audit password policies
Invoke-Azucar -Services @("AzureAD") -Focus "PasswordPolicies"

# Check security defaults
Invoke-Azucar -Services @("AzureAD") -Focus "SecurityDefaults"

Azure Resource Audit

Storage Account Security

# Audit storage accounts
Invoke-Azucar -Services @("Storage")

# Check storage account access
Invoke-Azucar -Services @("Storage") -Focus "PublicAccess"

# Audit storage encryption
Invoke-Azucar -Services @("Storage") -Focus "Encryption"

# Check storage account keys
Invoke-Azucar -Services @("Storage") -Focus "AccessKeys"
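The four storage checks above map onto a handful of account properties, and it helps to know exactly which ones so that a report finding can be confirmed or triaged by hand. The block below is an added example written against the properties Get-AzStorageAccount returns (PSStorageAccount); it is not Azucar's code and not from the original page. The sample objects are constructed, and the live-usage lines assume the Az.Storage module and an authenticated context.

```powershell
# Added example (not part of Azucar): storage-account hardening checks against
# the PSStorageAccount properties returned by Get-AzStorageAccount.
function Test-StorageAccountHardening {
    # Returns one finding string per weak setting on each account object.
    # A $null value for a boolean setting means "service default", which for
    # AllowSharedKeyAccess and (historically) AllowBlobPublicAccess is "enabled".
    param([Parameter(Mandatory)] [object[]]$Accounts)

    foreach ($sa in $Accounts) {
        $name = $sa.StorageAccountName
        if ($sa.AllowBlobPublicAccess -ne $false) {
            "$name: anonymous blob access is not disabled (AllowBlobPublicAccess)"
        }
        if ($sa.EnableHttpsTrafficOnly -ne $true) {
            "$name: plaintext HTTP is accepted (EnableHttpsTrafficOnly)"
        }
        if ($sa.MinimumTlsVersion -ne "TLS1_2") {
            "$name: minimum TLS version is $($sa.MinimumTlsVersion), expected TLS1_2"
        }
        if ($sa.AllowSharedKeyAccess -ne $false) {
            "$name: shared-key (account key) authorization is enabled; prefer Entra ID RBAC"
        }
        if ($sa.NetworkRuleSet.DefaultAction -ne "Deny") {
            "$name: network default action is $($sa.NetworkRuleSet.DefaultAction), expected Deny"
        }
    }
}

# Constructed sample objects shaped like PSStorageAccount (not from a live tenant):
$sampleAccounts = @(
    [pscustomobject]@{
        StorageAccountName = "stprodlogs"; AllowBlobPublicAccess = $false
        EnableHttpsTrafficOnly = $true; MinimumTlsVersion = "TLS1_2"
        AllowSharedKeyAccess = $false; NetworkRuleSet = [pscustomobject]@{ DefaultAction = "Deny" }
    }
    [pscustomobject]@{
        StorageAccountName = "stlegacyweb"; AllowBlobPublicAccess = $true
        EnableHttpsTrafficOnly = $true; MinimumTlsVersion = "TLS1_0"
        AllowSharedKeyAccess = $null; NetworkRuleSet = [pscustomobject]@{ DefaultAction = "Allow" }
    }
)
Test-StorageAccountHardening -Accounts $sampleAccounts

# Live usage across every subscription the current context can see:
# Get-AzSubscription | ForEach-Object {
#     Set-AzContext -SubscriptionId $_.Id | Out-Null
#     Test-StorageAccountHardening -Accounts (Get-AzStorageAccount)
# }
```

The shared-key check is the one most often argued about: leaving account keys enabled means anyone who can read the keys (Microsoft.Storage/storageAccounts/listKeys/action, which Contributor holds) gets full data-plane access with no Conditional Access and no per-user audit trail.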

Key Vault Security

# Audit Key Vaults
Invoke-Azucar -Services @("KeyVault")

# Check Key Vault access policies
Invoke-Azucar -Services @("KeyVault") -Focus "AccessPolicies"

# Audit Key Vault secrets
Invoke-Azucar -Services @("KeyVault") -Focus "Secrets"

# Check Key Vault network access
Invoke-Azucar -Services @("KeyVault") -Focus "NetworkAccess"

SQL Database Security

# Audit SQL databases
Invoke-Azucar -Services @("SQL")

# Check SQL server firewall rules
Invoke-Azucar -Services @("SQL") -Focus "FirewallRules"

# Audit SQL database encryption
Invoke-Azucar -Services @("SQL") -Focus "Encryption"

# Check SQL auditing configuration
Invoke-Azucar -Services @("SQL") -Focus "Auditing"
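SQL server firewall rules are plain IPv4 ranges, but two of them are easy to misread: 0.0.0.0-0.0.0.0 is not "nothing", it is the "Allow Azure services and resources to access this server" switch, and it admits clients hosted in any Azure tenant; 0.0.0.0-255.255.255.255 is the whole Internet. The block below is an added example that classifies rules by address span, written against the properties Get-AzSqlServerFirewallRule returns; it is not Azucar's code and not from the original page. The sample rules are constructed and the size threshold is a local choice.

```powershell
# Added example (not part of Azucar): classify Azure SQL server firewall rules
# by the size of their address range. Threshold is a local choice.
function ConvertTo-IPv4Number {
    # Dotted-quad string to an unsigned integer, independent of host endianness
    param([Parameter(Mandatory)] [string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

function Find-OpenSqlFirewallRule {
    # Returns a finding per rule that is the "Allow Azure services" switch,
    # that spans the whole Internet, or that is wider than $MaxAddresses.
    param(
        [Parameter(Mandatory)] [object[]]$Rules,   # objects with ServerName, FirewallRuleName, StartIpAddress, EndIpAddress
        [uint64]$MaxAddresses = 256
    )
    foreach ($r in $Rules) {
        $start = ConvertTo-IPv4Number $r.StartIpAddress
        $end   = ConvertTo-IPv4Number $r.EndIpAddress
        if ($start -eq 0 -and $end -eq 0) {
            "{0}/{1}: allows all Azure services (0.0.0.0-0.0.0.0), including other tenants' resources" -f $r.ServerName, $r.FirewallRuleName
            continue
        }
        $count = $end - $start + 1
        if ($start -eq 0 -and $end -eq 4294967295) {
            "{0}/{1}: open to the entire Internet" -f $r.ServerName, $r.FirewallRuleName
        } elseif ($count -gt $MaxAddresses) {
            "{0}/{1}: {2}-{3} spans {4} addresses" -f $r.ServerName, $r.FirewallRuleName, $r.StartIpAddress, $r.EndIpAddress, $count
        }
    }
}

# Constructed sample rules (not from a live server):
$sampleRules = @(
    [pscustomobject]@{ ServerName = "sql-prod"; FirewallRuleName = "AllowAllWindowsAzureIps"; StartIpAddress = "0.0.0.0";      EndIpAddress = "0.0.0.0" }
    [pscustomobject]@{ ServerName = "sql-prod"; FirewallRuleName = "office";                  StartIpAddress = "203.0.113.10"; EndIpAddress = "203.0.113.10" }
    [pscustomobject]@{ ServerName = "sql-prod"; FirewallRuleName = "temp-debug";              StartIpAddress = "0.0.0.0";      EndIpAddress = "255.255.255.255" }
    [pscustomobject]@{ ServerName = "sql-dev";  FirewallRuleName = "partner";                 StartIpAddress = "198.51.100.0"; EndIpAddress = "198.51.103.255" }
)
Find-OpenSqlFirewallRule -Rules $sampleRules

# Live usage (Az.Sql module, authenticated context):
# Get-AzSqlServer | ForEach-Object {
#     Find-OpenSqlFirewallRule -Rules (Get-AzSqlServerFirewallRule -ResourceGroupName $_.ResourceGroupName -ServerName $_.ServerName)
# }
```

Rules named "temp-debug" with a world-open range are the classic finding: they are added to get a job running and never removed, and the server-level firewall is the only thing standing between the Internet and the SQL authentication endpoint unless Private Link is in use.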

Virtual Machine Security

# Audit virtual machines
Invoke-Azucar -Services @("VirtualMachines")

# Check VM network security groups
Invoke-Azucar -Services @("VirtualMachines") -Focus "NetworkSecurity"

# Audit VM disk encryption
Invoke-Azucar -Services @("VirtualMachines") -Focus "DiskEncryption"

# Check VM backup configuration
Invoke-Azucar -Services @("VirtualMachines") -Focus "Backup"

Network Security Audit

Network Security Groups

# Audit network security groups
Invoke-Azucar -Services @("Network") -Focus "SecurityGroups"

# Check for overly permissive rules
Invoke-Azucar -Services @("Network") -Focus "PermissiveRules"

# Audit inbound rules
Invoke-Azucar -Services @("Network") -Focus "InboundRules"

# Check for default rules
Invoke-Azucar -Services @("Network") -Focus "DefaultRules"
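"Overly permissive" in NSG terms means an inbound Allow rule whose source is any address (*, Internet, 0.0.0.0/0) and whose destination port range covers a management or database port, and port ranges such as 1000-6000 hide 3389 just as well as a rule that names it. The block below is an added example of that detection, written against the PSSecurityRule properties Get-AzNetworkSecurityGroup exposes; it is not Azucar's code and not from the original page. The sensitive-port list is a local choice and the sample rules are constructed.

```powershell
# Added example (not part of Azucar): find inbound NSG rules that expose
# sensitive ports to any source. Port list and "any source" set are local choices.
$AnySource      = @("*", "Internet", "0.0.0.0/0", "0.0.0.0", "::/0")
$SensitivePorts = @(22, 3389, 5985, 5986, 1433, 3306, 5432, 445)

function Test-PortInRange {
    # $Range is one NSG port expression: "*", "22", or "3000-4000"
    param([string]$Range, [int]$Port)
    if ($Range -eq "*") { return $true }
    if ($Range -match '^(\d+)-(\d+)$') { return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) }
    return ([int]$Range -eq $Port)
}

function Find-PermissiveInboundRule {
    # Returns a finding per rule that allows inbound traffic from any source to a
    # sensitive port. Rules are evaluated individually: a higher-priority Deny rule
    # could still block the traffic, so treat the output as leads to confirm.
    param(
        [Parameter(Mandatory)] [string]$NsgName,
        [Parameter(Mandatory)] [object[]]$Rules
    )
    foreach ($r in $Rules) {
        if ($r.Direction -ne "Inbound" -or $r.Access -ne "Allow") { continue }
        # Both properties are lists on PSSecurityRule; normalise to strings
        $sources = @($r.SourceAddressPrefix) | ForEach-Object { "$_" }
        $ports   = @($r.DestinationPortRange) | ForEach-Object { "$_" }
        if (-not ($sources | Where-Object { $_ -in $AnySource })) { continue }
        $exposed = $SensitivePorts | Where-Object { $p = $_; $ports | Where-Object { Test-PortInRange $_ $p } }
        if ($exposed) {
            $parts = @($NsgName, $r.Name, $r.Priority, $r.Protocol, ($sources -join ","), ($exposed -join ","))
            "{0}/{1} (priority {2}): protocol {3}, source {4}, sensitive port(s) {5}" -f $parts
        }
    }
}

# Constructed sample rules standing in for NSG output:
$sampleRules = @(
    [pscustomobject]@{ Name = "allow-rdp-any"; Direction = "Inbound"; Access = "Allow"; Priority = 100
                       Protocol = "Tcp"; SourceAddressPrefix = @("*");          DestinationPortRange = @("3389") }
    [pscustomobject]@{ Name = "allow-range";   Direction = "Inbound"; Access = "Allow"; Priority = 200
                       Protocol = "*";   SourceAddressPrefix = @("Internet");   DestinationPortRange = @("1000-6000") }
    [pscustomobject]@{ Name = "allow-https";   Direction = "Inbound"; Access = "Allow"; Priority = 300
                       Protocol = "Tcp"; SourceAddressPrefix = @("0.0.0.0/0");  DestinationPortRange = @("443") }
    [pscustomobject]@{ Name = "allow-ssh-vpn"; Direction = "Inbound"; Access = "Allow"; Priority = 400
                       Protocol = "Tcp"; SourceAddressPrefix = @("10.0.0.0/8"); DestinationPortRange = @("22") }
)
Find-PermissiveInboundRule -NsgName "nsg-sample" -Rules $sampleRules

# Live usage (Az.Network module). SecurityRules holds the custom rules; append
# $_.DefaultSecurityRules if you also want the platform defaults reviewed.
# Get-AzNetworkSecurityGroup | ForEach-Object { Find-PermissiveInboundRule -NsgName $_.Name -Rules $_.SecurityRules }
```

On the sample data the first two rules produce findings (the range rule covers 3389, 5985, 5986, 1433, 3306 and 5432), the HTTPS rule does not, and the SSH rule is skipped because its source is a private prefix. Application Security Groups and service tags other than Internet are not expanded here; a rule sourced from a broad tag such as AzureCloud deserves a manual look.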

Virtual Network Configuration

# Audit virtual networks
Invoke-Azucar -Services @("Network") -Focus "VirtualNetworks"

# Check subnet configuration
Invoke-Azucar -Services @("Network") -Focus "Subnets"

# Audit network peering
Invoke-Azucar -Services @("Network") -Focus "Peering"

# Check DNS configuration
Invoke-Azucar -Services @("Network") -Focus "DNS"

Compliance and Governance

CIS Benchmark Assessment

# Run CIS Azure benchmark
Invoke-Azucar -ComplianceFramework "CIS"

# Generate CIS compliance report
Invoke-Azucar -ComplianceFramework "CIS" -Format "HTML" -OutputPath "C:\CIS_Report\"

# Check specific CIS controls
Invoke-Azucar -ComplianceFramework "CIS" -Controls @("1.1", "1.2", "2.1")

Azure Security Center (now Microsoft Defender for Cloud) Integration

# Audit Security Center configuration
Invoke-Azucar -Services @("SecurityCenter")

# Check security policies
Invoke-Azucar -Services @("SecurityCenter") -Focus "Policies"

# Audit security recommendations
Invoke-Azucar -Services @("SecurityCenter") -Focus "Recommendations"

# Check security alerts
Invoke-Azucar -Services @("SecurityCenter") -Focus "Alerts"

Resource Governance

# Audit resource groups
Invoke-Azucar -Services @("ResourceManagement") -Focus "ResourceGroups"

# Check resource tags
Invoke-Azucar -Services @("ResourceManagement") -Focus "Tags"

# Audit resource locks
Invoke-Azucar -Services @("ResourceManagement") -Focus "Locks"

# Check resource policies
Invoke-Azucar -Services @("ResourceManagement") -Focus "Policies"

Report Generation and Analysis

HTML Reports

# Generate HTML report
Invoke-Azucar -Format "HTML" -OutputPath "C:\AzureAudit\"

# Generate detailed HTML report
Invoke-Azucar -Format "HTML" -Detailed -OutputPath "C:\AzureAudit\"

# Generate executive summary
Invoke-Azucar -Format "HTML" -Summary -OutputPath "C:\AzureAudit\"

JSON and CSV Export

# Export to JSON
Invoke-Azucar -Format "JSON" -OutputPath "C:\AzureAudit\"

# Export to CSV
Invoke-Azucar -Format "CSV" -OutputPath "C:\AzureAudit\"

# Export raw data
Invoke-Azucar -Format "Raw" -OutputPath "C:\AzureAudit\"

Custom Report Templates

# Use custom report template
Invoke-Azucar -Template "custom-template.html" -OutputPath "C:\AzureAudit\"

# Generate report with custom branding
Invoke-Azucar -Template "branded-template.html" -CompanyName "Your Company" -OutputPath "C:\AzureAudit\"

Advanced Configuration

Custom Configuration File

{
  "AuditSettings": {
    "IncludeServices": ["AzureAD", "Storage", "KeyVault", "SQL"],
    "ExcludeChecks": ["LowPriority"],
    "OutputFormat": "HTML",
    "DetailLevel": "High"
  },
  "ComplianceFrameworks": {
    "CIS": {
      "Version": "1.3.0",
      "IncludeControls": ["1.*", "2.*", "3.*"]
    }
  },
  "ReportSettings": {
    "IncludeRecommendations": true,
    "IncludeEvidence": true,
    "GroupByService": true
  }
}

PowerShell Configuration

# Set custom configuration
$config = @{
    Services = @("AzureAD", "Storage", "KeyVault")
    OutputFormat = "HTML"
    DetailLevel = "High"
    IncludeRecommendations = $true
}

Set-AzucarConfig -Configuration $config

# Run audit with custom configuration
Invoke-Azucar -UseCustomConfig

Filtering and Exclusions

# Exclude specific resource groups
Invoke-Azucar -ExcludeResourceGroups @("test-rg", "dev-rg")

# Include only specific subscriptions
Invoke-Azucar -IncludeSubscriptions @("sub1-id", "sub2-id")

# Exclude low-priority findings
Invoke-Azucar -ExcludeSeverity @("Low", "Informational")

# Filter by resource tags
Invoke-Azucar -FilterByTags @{Environment="Production"; Owner="Security"}

Automation and Scheduling

Automated Audit Script

# Automated Azure security audit script
param(
    [string]$TenantId,
    [string]$OutputPath = "C:\AzureAudit",
    [string]$EmailRecipients = "security@company.com",
    [string]$EmailFrom = "azure-audit@company.com",
    [string]$SmtpServer = "smtp.company.com",
    # Optional: supply both to run unattended as a certificate-based service principal
    [string]$ApplicationId,
    [string]$CertificateThumbprint
)

# Create output directory with timestamp
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$auditPath = Join-Path $OutputPath "Audit_$timestamp"
New-Item -ItemType Directory -Path $auditPath -Force | Out-Null

# Authenticate to Azure. Interactive login only works in a user session, so a
# scheduled or pipeline run must take the service principal branch.
if ($ApplicationId -and $CertificateThumbprint) {
    Connect-AzAccount -ServicePrincipal -TenantId $TenantId -ApplicationId $ApplicationId -CertificateThumbprint $CertificateThumbprint
} else {
    Connect-AzAccount -TenantId $TenantId
}

# Run comprehensive audit
Write-Host "Starting Azure security audit..."
Invoke-Azucar -All -Format "HTML" -OutputPath $auditPath

# Generate summary report
$reportPath = Join-Path $auditPath "AzureSecurityAudit.html"
if (Test-Path $reportPath) {
    Write-Host "Audit completed successfully"

    # Send email notification. -From is mandatory and -SmtpServer is required unless
    # $PSEmailServer is set; Send-MailMessage is marked obsolete in PowerShell 7 and
    # the report carries findings, so at least force TLS with -UseSsl.
    $subject = "Azure Security Audit Completed - $timestamp"
    $body = "Azure security audit has been completed. Report available at: $reportPath"

    Send-MailMessage -From $EmailFrom -To $EmailRecipients -SmtpServer $SmtpServer -UseSsl -Subject $subject -Body $body -Attachments $reportPath
} else {
    Write-Error "Audit failed - report not generated"
}

Scheduled Task Creation

# Create scheduled task for regular audits. The script must authenticate
# non-interactively (for example a certificate-based service principal); an
# interactive Connect-AzAccount prompt has nowhere to render inside a scheduled task.
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NonInteractive -File C:\Scripts\AzureAudit.ps1"
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 6AM
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

# Runs as the registering user unless -User (and -Password) or a gMSA principal is supplied
Register-ScheduledTask -TaskName "Azure Security Audit" -Action $action -Trigger $trigger -Settings $settings

Continuous Monitoring

# Continuous monitoring script
param(
    [int]$IntervalHours = 24,
    [string]$LogPath = "C:\AzureAudit\monitoring.log",
    [string]$AlertTo = "security@company.com",
    [string]$AlertFrom = "azure-audit@company.com",
    [string]$SmtpServer = "smtp.company.com"
)

while ($true) {
    $timestamp = Get-Date
    Write-Output "[$timestamp] Starting Azure security monitoring" | Tee-Object -FilePath $LogPath -Append

    try {
        # Run quick security check (assumes Invoke-Azucar returns finding objects with a Severity property)
        $findings = Invoke-Azucar -Quick -Format "JSON"

        # Check for critical findings; @() keeps .Count reliable when there is 0 or 1 result
        $criticalFindings = @($findings | Where-Object { $_.Severity -eq "Critical" })

        if ($criticalFindings.Count -gt 0) {
            Write-Output "[$timestamp] Critical findings detected: $($criticalFindings.Count)" | Tee-Object -FilePath $LogPath -Append

            # Send alert (-From and -SmtpServer are required for Send-MailMessage to work)
            $alertSubject = "ALERT: Critical Azure Security Findings"
            $alertBody = "Critical security findings detected in Azure environment. Immediate attention required."
            Send-MailMessage -From $AlertFrom -To $AlertTo -SmtpServer $SmtpServer -UseSsl -Subject $alertSubject -Body $alertBody
        }
    }
    catch {
        Write-Output "[$timestamp] Error during monitoring: $($_.Exception.Message)" | Tee-Object -FilePath $LogPath -Append
    }

    Start-Sleep -Seconds ($IntervalHours * 3600)
}

Troubleshooting

Authentication Issues

# Clear cached credentials
Clear-AzContext -Force

# Test authentication
$context = Get-AzContext
if (-not $context) {
    Write-Error "Not authenticated to Azure"
    Connect-AzAccount
}

# Verify the signed-in identity. Get-AzADUser only resolves user accounts; for a
# service principal inspect (Get-AzContext).Account.Type and .Id instead.
$currentUser = Get-AzADUser -UserPrincipalName (Get-AzContext).Account.Id
Write-Output "Current user: $($currentUser.DisplayName)"

Module Issues

# Check Azucar installation
Get-Module Azucar -ListAvailable

# Update Azucar
Update-Module Azucar -Force

# Reinstall if necessary
Uninstall-Module Azucar
Install-Module Azucar -Force

# Check dependencies
Get-Module Az -ListAvailable
Get-Module AzureAD -ListAvailable

Permission Issues

# Required Microsoft Graph permissions for the directory checks
$requiredPermissions = @(
    "Directory.Read.All",
    "User.Read.All",
    "Application.Read.All",
    "Policy.Read.All"
)

# Listing them does not prove they are granted: a permission is only effective
# once it appears in the token's scp (delegated) or roles (application) claim,
# and application permissions additionally need admin consent.
foreach ($permission in $requiredPermissions) {
    Write-Output "Required permission: $permission"
}
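The reliable way to find out whether those permissions are actually granted is to look at the Microsoft Graph access token the current session can obtain: a delegated token carries a space-separated scp claim, an application token carries a roles array, and anything not in there will fail at call time regardless of what the portal shows. The following is an added example of that check; it is not part of Azucar or of the original page. The sample token is constructed with a dummy signature, and the decoder deliberately does not validate signatures, since the token comes from our own login and is only being inspected.

```powershell
# Added example (not part of Azucar): decode the Graph token's permission claims
# and report which required permissions are missing. No signature validation is
# performed; this inspects a token we obtained ourselves.
function ConvertFrom-JwtPayload {
    # Base64url-decodes the second JWT segment and returns it as an object
    param([Parameter(Mandatory)] [string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Get-MissingGraphPermission {
    # Returns the entries of $Required that are absent from the token's claims
    param(
        [Parameter(Mandatory)] [string]$Jwt,
        [Parameter(Mandatory)] [string[]]$Required
    )
    $claims = ConvertFrom-JwtPayload $Jwt
    # Delegated tokens carry a space-separated "scp" string; app-only tokens carry a "roles" array
    $granted = @()
    if ($claims.scp)   { $granted += $claims.scp -split ' ' }
    if ($claims.roles) { $granted += $claims.roles }
    $Required | Where-Object { $_ -notin $granted }
}

# Constructed sample token (header.payload.signature with a dummy signature) whose
# payload grants only User.Read.All and Directory.Read.All:
$header    = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('{"alg":"none","typ":"JWT"}')).TrimEnd('=')
$body      = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('{"scp":"User.Read.All Directory.Read.All","aud":"https://graph.microsoft.com"}')).TrimEnd('=')
$sampleJwt = "$header.$body.signature"
Get-MissingGraphPermission -Jwt $sampleJwt -Required @("Directory.Read.All", "User.Read.All", "Application.Read.All", "Policy.Read.All")

# Live usage (Az.Accounts). Newer versions return the token as a SecureString,
# so unwrap it either way before decoding.
# $t = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
# if ($t -is [securestring]) { $t = [System.Net.NetworkCredential]::new('', $t).Password }
# Get-MissingGraphPermission -Jwt $t -Required @("Directory.Read.All", "User.Read.All", "Application.Read.All", "Policy.Read.All")
```

On the sample token the function reports Application.Read.All and Policy.Read.All as missing. Treat the decoded token as sensitive while it is in memory: it is a bearer credential, so do not log it or write it to disk.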

Performance Issues

# Run audit with reduced scope
Invoke-Azucar -Services @("AzureAD") -Quick

# Use parallel processing
Invoke-Azucar -Parallel -MaxThreads 5

# Exclude large datasets
Invoke-Azucar -ExcludeServices @("Logs", "Metrics")

Integration with Other Tools

SIEM Integration

# Export findings to SIEM format (assumes Invoke-Azucar returns finding objects)
$findings = Invoke-Azucar -Format "JSON"
$siemEvents = $findings | ForEach-Object {
    @{
        # Stamp in UTC; Get-Date -Format with a literal "Z" would label local time as UTC
        timestamp = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
        source = "Azucar"
        severity = $_.Severity
        finding = $_.Description
        resource = $_.ResourceId
    }
}

# Send to SIEM (one JSON document; emit one object per line instead if the collector expects NDJSON)
$siemEvents | ConvertTo-Json | Out-File "siem_events.json"

PowerBI Integration

# Export data for PowerBI (assumes Invoke-Azucar returns an object exposing Findings, Resources and Compliance)
$auditData = Invoke-Azucar -Format "CSV"

# Create PowerBI dataset
$powerBIData = @{
    findings = $auditData.Findings
    resources = $auditData.Resources
    compliance = $auditData.Compliance
}

# -Depth raises ConvertTo-Json's default limit of 2 so nested finding objects are not flattened to strings
$powerBIData | ConvertTo-Json -Depth 5 | Out-File "powerbi_data.json"

Azure DevOps Integration

# Azure DevOps pipeline for security auditing (YAML). "schedules" is a top-level
# key, not a child of "trigger"; "trigger: none" stops the pipeline from also
# running on every push.
trigger: none

schedules:
- cron: "0 6 * * 1"
  displayName: Weekly security audit
  branches:
    include:
    - main
  always: true   # run even when no commits landed since the last run

pool:
  vmImage: 'windows-latest'

steps:
- task: AzurePowerShell@5
  inputs:
    azureSubscription: 'Azure-Subscription'   # name of the service connection
    ScriptType: 'InlineScript'
    Inline: |
      Install-Module -Name Azucar -Force
      Import-Module Azucar
      Invoke-Azucar -All -Format "HTML" -OutputPath "$(Build.ArtifactStagingDirectory)"
    azurePowerShellVersion: 'LatestVersion'

- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)'
    ArtifactName: 'AzureSecurityAudit'

Resources

  • [Azucar GitHub Repository](https://github.com/nccgroup/azucar)
  • [NCC Group Research Blog](https://www.nccgroup.com/us/research-and-innovation/research-blog/)


This cheat sheet provides a comprehensive reference for using Azucar. Always ensure you have proper authorization before conducting Azure security assessments.