콘텐츠로 이동
1337skills 1337skills - 치트시트

Azucar Azure 보안 감사 도구 치트 시트

개요

Azucar는 Juan Garrido가 개발한 Azure 환경을 위한 오픈 소스 보안 감사 도구입니다. 이 도구는 Azure Active Directory, Azure SQL 데이터베이스, 스토리지 계정, 키 볼트 및 기타 Azure 서비스로부터 다양한 구성 데이터를 자동으로 수집하여 잠재적인 보안 문제와 잘못된 구성을 식별하는 데 도움을 줍니다.

⚠️ 경고: 이 도구는 승인된 보안 평가 및 감사 목적으로만 사용됩니다. 모든 환경에서 사용하기 전에 적절한 권한이 있는지 확인하세요.

설치

PowerShell 갤러리 설치

# Install from PowerShell Gallery
Install-Module -Name Azucar

# Install for current user only
Install-Module -Name Azucar -Scope CurrentUser

# Update existing installation
Update-Module -Name Azucar

# Import module
Import-Module Azucar

수동 설치

# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/nccgroup/azucar/archive/master.zip" -OutFile "Azucar.zip"
Expand-Archive -Path "Azucar.zip" -DestinationPath "C:\Tools\"

# Import module
Import-Module C:\Tools\Azucar-master\Azucar.psd1

# Install dependencies
Install-Module -Name Az
Install-Module -Name AzureAD

Git 설치

# Clone repository
git clone https://github.com/nccgroup/azucar.git
cd azucar

# Import in PowerShell
Import-Module .\Azucar.psd1

기본 사용법

모듈 설정

# Import Azucar
Import-Module Azucar

# Get available commands
Get-Command -Module Azucar

# Get help for main function
Get-Help Invoke-Azucar -Full

# Check module version
Get-Module Azucar

인증

# Interactive authentication
Connect-AzAccount

# Service principal authentication
$credential = Get-Credential
Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId "tenant-id"

# Certificate authentication
Connect-AzAccount -ServicePrincipal -CertificateThumbprint "thumbprint" -ApplicationId "app-id" -TenantId "tenant-id"

명령 참조

주요 명령

명령어설명
Invoke-Azucar주요 감사 기능
Get-AzucarReport감사 보고서 생성
Export-AzucarData감사 데이터 내보내기
Set-AzucarConfig감사 설정 구성

감사 옵션

매개변수설명
-TenantIdAzure AD 테넌트 ID
-SubscriptionIdAzure 구독 ID
-OutputPath출력 디렉터리 경로
-Format보고서 형식 (HTML/JSON/CSV)
-Verbose자세한 출력 활성화

포괄적인 보안 감사

기본 감사

# Run basic security audit
Invoke-Azucar

# Audit specific tenant
Invoke-Azucar -TenantId "tenant-id"

# Audit specific subscription
Invoke-Azucar -SubscriptionId "subscription-id"

# Audit with custom output path
Invoke-Azucar -OutputPath "C:\AzureAudit\"

고급 감사 옵션

# Comprehensive audit with all checks
Invoke-Azucar -All

# Audit specific services
Invoke-Azucar -Services @("AzureAD", "Storage", "KeyVault", "SQL")

# Audit with specific compliance framework
Invoke-Azucar -ComplianceFramework "CIS"

# Audit with custom configuration
Invoke-Azucar -ConfigFile "custom-config.json"

다중 테넌트 감사

# Audit multiple tenants
$tenants = @("tenant1-id", "tenant2-id", "tenant3-id")
foreach ($tenant in $tenants) \\\\{
    Invoke-Azucar -TenantId $tenant -OutputPath "C:\AzureAudit\$tenant\"
\\\\}

# Audit all accessible tenants
$allTenants = Get-AzTenant
foreach ($tenant in $allTenants) \\\\{
    Invoke-Azucar -TenantId $tenant.Id -OutputPath "C:\AzureAudit\$($tenant.Id)\"
\\\\}

Azure Active Directory 감사

사용자 및 그룹 분석

# Audit Azure AD users
Invoke-Azucar -Services @("AzureAD") -Focus "Users"

# Check for privileged users
Invoke-Azucar -Services @("AzureAD") -Focus "PrivilegedUsers"

# Audit group memberships
Invoke-Azucar -Services @("AzureAD") -Focus "Groups"

# Check guest user access
Invoke-Azucar -Services @("AzureAD") -Focus "GuestUsers"

애플리케이션 및 서비스 주체 분석

# Audit applications
Invoke-Azucar -Services @("AzureAD") -Focus "Applications"

# Check application permissions
Invoke-Azucar -Services @("AzureAD") -Focus "ApplicationPermissions"

# Audit service principals
Invoke-Azucar -Services @("AzureAD") -Focus "ServicePrincipals"

# Check for overprivileged applications
Invoke-Azucar -Services @("AzureAD") -Focus "HighPrivilegeApps"

조건부 액세스 및 보안 정책

# Audit Conditional Access policies
Invoke-Azucar -Services @("AzureAD") -Focus "ConditionalAccess"

# Check MFA configuration
Invoke-Azucar -Services @("AzureAD") -Focus "MFA"

# Audit password policies
Invoke-Azucar -Services @("AzureAD") -Focus "PasswordPolicies"

# Check security defaults
Invoke-Azucar -Services @("AzureAD") -Focus "SecurityDefaults"

Azure 리소스 감사

스토리지 계정 보안

# Audit storage accounts
Invoke-Azucar -Services @("Storage")

# Check storage account access
Invoke-Azucar -Services @("Storage") -Focus "PublicAccess"

# Audit storage encryption
Invoke-Azucar -Services @("Storage") -Focus "Encryption"

# Check storage account keys
Invoke-Azucar -Services @("Storage") -Focus "AccessKeys"

키 볼트 보안

# Audit Key Vaults
Invoke-Azucar -Services @("KeyVault")

# Check Key Vault access policies
Invoke-Azucar -Services @("KeyVault") -Focus "AccessPolicies"

# Audit Key Vault secrets
Invoke-Azucar -Services @("KeyVault") -Focus "Secrets"

# Check Key Vault network access
Invoke-Azucar -Services @("KeyVault") -Focus "NetworkAccess"

SQL 데이터베이스 보안

# Audit SQL databases
Invoke-Azucar -Services @("SQL")

# Check SQL server firewall rules
Invoke-Azucar -Services @("SQL") -Focus "FirewallRules"

# Audit SQL database encryption
Invoke-Azucar -Services @("SQL") -Focus "Encryption"

# Check SQL auditing configuration
Invoke-Azucar -Services @("SQL") -Focus "Auditing"

가상 머신 보안

# Audit virtual machines
Invoke-Azucar -Services @("VirtualMachines")

# Check VM network security groups
Invoke-Azucar -Services @("VirtualMachines") -Focus "NetworkSecurity"

# Audit VM disk encryption
Invoke-Azucar -Services @("VirtualMachines") -Focus "DiskEncryption"

# Check VM backup configuration
Invoke-Azucar -Services @("VirtualMachines") -Focus "Backup"

네트워크 보안 감사

네트워크 보안 그룹

# Audit network security groups
Invoke-Azucar -Services @("Network") -Focus "SecurityGroups"

# Check for overly permissive rules
Invoke-Azucar -Services @("Network") -Focus "PermissiveRules"

# Audit inbound rules
Invoke-Azucar -Services @("Network") -Focus "InboundRules"

# Check for default rules
Invoke-Azucar -Services @("Network") -Focus "DefaultRules"

가상 네트워크 구성

The rest of the placeholders (3-20) would remain as they are, waiting for specific content to be translated.```powershell

Audit virtual networks

Invoke-Azucar -Services @(“Network”) -Focus “VirtualNetworks”

Check subnet configuration

Invoke-Azucar -Services @(“Network”) -Focus “Subnets”

Audit network peering

Invoke-Azucar -Services @(“Network”) -Focus “Peering”

Check DNS configuration

Invoke-Azucar -Services @(“Network”) -Focus “DNS”


## Compliance and Governance

### CIS Benchmark Assessment
```powershell
# Run CIS Azure benchmark
Invoke-Azucar -ComplianceFramework "CIS"

# Generate CIS compliance report
Invoke-Azucar -ComplianceFramework "CIS" -Format "HTML" -OutputPath "C:\CIS_Report\"

# Check specific CIS controls
Invoke-Azucar -ComplianceFramework "CIS" -Controls @("1.1", "1.2", "2.1")

Azure Security Center Integration

# Audit Security Center configuration
Invoke-Azucar -Services @("SecurityCenter")

# Check security policies
Invoke-Azucar -Services @("SecurityCenter") -Focus "Policies"

# Audit security recommendations
Invoke-Azucar -Services @("SecurityCenter") -Focus "Recommendations"

# Check security alerts
Invoke-Azucar -Services @("SecurityCenter") -Focus "Alerts"

Resource Governance

# Audit resource groups
Invoke-Azucar -Services @("ResourceManagement") -Focus "ResourceGroups"

# Check resource tags
Invoke-Azucar -Services @("ResourceManagement") -Focus "Tags"

# Audit resource locks
Invoke-Azucar -Services @("ResourceManagement") -Focus "Locks"

# Check resource policies
Invoke-Azucar -Services @("ResourceManagement") -Focus "Policies"

Report Generation and Analysis

HTML Reports

# Generate HTML report
Invoke-Azucar -Format "HTML" -OutputPath "C:\AzureAudit\"

# Generate detailed HTML report
Invoke-Azucar -Format "HTML" -Detailed -OutputPath "C:\AzureAudit\"

# Generate executive summary
Invoke-Azucar -Format "HTML" -Summary -OutputPath "C:\AzureAudit\"

JSON and CSV Export

# Export to JSON
Invoke-Azucar -Format "JSON" -OutputPath "C:\AzureAudit\"

# Export to CSV
Invoke-Azucar -Format "CSV" -OutputPath "C:\AzureAudit\"

# Export raw data
Invoke-Azucar -Format "Raw" -OutputPath "C:\AzureAudit\"

Custom Report Templates

# Use custom report template
Invoke-Azucar -Template "custom-template.html" -OutputPath "C:\AzureAudit\"

# Generate report with custom branding
Invoke-Azucar -Template "branded-template.html" -CompanyName "Your Company" -OutputPath "C:\AzureAudit\"

Advanced Configuration

Custom Configuration File

\\\\{
  "AuditSettings": \\\\{
    "IncludeServices": ["AzureAD", "Storage", "KeyVault", "SQL"],
    "ExcludeChecks": ["LowPriority"],
    "OutputFormat": "HTML",
    "DetailLevel": "High"
  \\\\},
  "ComplianceFrameworks": \\\\{
    "CIS": \\\\{
      "Version": "1.3.0",
      "IncludeControls": ["1.*", "2.*", "3.*"]
    \\\\}
  \\\\},
  "ReportSettings": \\\\{
    "IncludeRecommendations": true,
    "IncludeEvidence": true,
    "GroupByService": true
  \\\\}
\\\\}

PowerShell Configuration

# Set custom configuration
$config = @\\\\{
    Services = @("AzureAD", "Storage", "KeyVault")
    OutputFormat = "HTML"
    DetailLevel = "High"
    IncludeRecommendations = $true
\\\\}

Set-AzucarConfig -Configuration $config

# Run audit with custom configuration
Invoke-Azucar -UseCustomConfig

Filtering and Exclusions

# Exclude specific resource groups
Invoke-Azucar -ExcludeResourceGroups @("test-rg", "dev-rg")

# Include only specific subscriptions
Invoke-Azucar -IncludeSubscriptions @("sub1-id", "sub2-id")

# Exclude low-priority findings
Invoke-Azucar -ExcludeSeverity @("Low", "Informational")

# Filter by resource tags
Invoke-Azucar -FilterByTags @\\\\{Environment="Production"; Owner="Security"\\\\}

Automation and Scheduling

Automated Audit Script

# Automated Azure security audit script
param(
    [string]$TenantId,
    [string]$OutputPath = "C:\AzureAudit",
    [string]$EmailRecipients = "security@company.com"
)

# Create output directory with timestamp
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$auditPath = Join-Path $OutputPath "Audit_$timestamp"
New-Item -ItemType Directory -Path $auditPath -Force

# Authenticate to Azure
Connect-AzAccount -TenantId $TenantId

# Run comprehensive audit
Write-Host "Starting Azure security audit..."
Invoke-Azucar -All -Format "HTML" -OutputPath $auditPath

# Generate summary report
$reportPath = Join-Path $auditPath "AzureSecurityAudit.html"
if (Test-Path $reportPath) \\\\{
    Write-Host "Audit completed successfully"

    # Send email notification
    $subject = "Azure Security Audit Completed - $timestamp"
    $body = "Azure security audit has been completed. Report available at: $reportPath"

    Send-MailMessage -To $EmailRecipients -Subject $subject -Body $body -Attachments $reportPath
\\\\} else \\\\{
    Write-Error "Audit failed - report not generated"
\\\\}

Scheduled Task Creation

# Create scheduled task for regular audits
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\AzureAudit.ps1"
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 6AM
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName "Azure Security Audit" -Action $action -Trigger $trigger -Settings $settings

Continuous Monitoring

# Continuous monitoring script
param(
    [int]$IntervalHours = 24,
    [string]$LogPath = "C:\AzureAudit\monitoring.log"
)

while ($true) \\\\{
    $timestamp = Get-Date
    Write-Output "[$timestamp] Starting Azure security monitoring"|Tee-Object -FilePath $LogPath -Append

    try \\\\{
        # Run quick security check
        $findings = Invoke-Azucar -Quick -Format "JSON"

        # Check for critical findings
        $criticalFindings = $findings|Where-Object \\\\{$_.Severity -eq "Critical"\\\\}

        if ($criticalFindings) \\\\{
            Write-Output "[$timestamp] Critical findings detected: $($criticalFindings.Count)"|Tee-Object -FilePath $LogPath -Append

            # Send alert
            $alertSubject = "ALERT: Critical Azure Security Findings"
            $alertBody = "Critical security findings detected in Azure environment. Immediate attention required."
            Send-MailMessage -To "security@company.com" -Subject $alertSubject -Body $alertBody
        \\\\}
    \\\\}
    catch \\\\{
        Write-Output "[$timestamp] Error during monitoring: $($_.Exception.Message)"|Tee-Object -FilePath $LogPath -Append
    \\\\}

    Start-Sleep -Seconds ($IntervalHours * 3600)
\\\\}

Troubleshooting

Authentication Issues

# Clear cached credentials
Clear-AzContext -Force

# Test authentication
$context = Get-AzContext
if (-not $context) \\\\{
    Write-Error "Not authenticated to Azure"
    Connect-AzAccount
\\\\}

# Verify permissions
$currentUser = Get-AzADUser -UserPrincipalName (Get-AzContext).Account.Id
Write-Output "Current user: $($currentUser.DisplayName)"

Module Issues

# Check Azucar installation
Get-Module Azucar -ListAvailable

# Update Azucar
Update-Module Azucar -Force

# Reinstall if necessary
Uninstall-Module Azucar
Install-Module Azucar -Force

# Check dependencies
Get-Module Az -ListAvailable
Get-Module AzureAD -ListAvailable

Permission Issues

# Check required permissions
$requiredPermissions = @(
    "Directory.Read.All",
    "User.Read.All",
    "Application.Read.All",
    "Policy.Read.All"
)

foreach ($permission in $requiredPermissions) \\\\{
    try \\\\{
        # Test permission by attempting to read data
        Write-Output "Testing permission: $permission"
    \\\\}
    catch \\\\{
        Write-Warning "Missing permission: $permission"
    \\\\}
\\\\}

Performance Issues

# Run audit with reduced scope
Invoke-Azucar -Services @("AzureAD") -Quick

# Use parallel processing
Invoke-Azucar -Parallel -MaxThreads 5

# Exclude large datasets
Invoke-Azucar -ExcludeServices @("Logs", "Metrics")

Integration with Other Tools

SIEM Integration

# Export findings to SIEM format
$findings = Invoke-Azucar -Format "JSON"
$siemEvents = $findings|ForEach-Object \\\\{
    @\\\\{
        timestamp = Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ"
        source = "Azucar"
        severity = $_.Severity
        finding = $_.Description
        resource = $_.ResourceId
    \\\\}
\\\\}

# Send to SIEM
$siemEvents|ConvertTo-Json|Out-File "siem_events.json"

PowerBI Integration

# Export data for PowerBI
$auditData = Invoke-Azucar -Format "CSV"

# Create PowerBI dataset
$powerBIData = @\\\\{
    findings = $auditData.Findings
    resources = $auditData.Resources
    compliance = $auditData.Compliance
\\\\}

$powerBIData|ConvertTo-Json|Out-File "powerbi_data.json"

Azure DevOps Integration

# Azure DevOps pipeline for security auditing
trigger:
  schedules:
  - cron: "0 6 * * 1"
    displayName: Weekly security audit
    branches:
      include:
      - main

pool:
  vmImage: 'windows-latest'

steps:
- task: AzurePowerShell@5
  inputs:
    azureSubscription: 'Azure-Subscription'
    ScriptType: 'InlineScript'
    Inline:|
      Install-Module -Name Azucar -Force
      Import-Module Azucar
      Invoke-Azucar -All -Format "HTML" -OutputPath "$(Build.ArtifactStagingDirectory)"
    azurePowerShellVersion: 'LatestVersion'

- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)'
    ArtifactName: 'AzureSecurityAudit'

Resources

이 치트 시트는 Azucar 사용에 대한 포괄적인 참조를 제공합니다. Azure 보안 평가를 수행하기 전에 항상 적절한 권한이 있는지 확인하세요.