Azure OpenAI Service Instance Managed Identity Not Used
ID: azure-openai-managed-identity-not-used
Severity: medium
Author: princechaddha
Tags: cloud,devops,azure,microsoft,openai,azure-cloud-config
Description
Section titled “Description”Ensure that your Azure OpenAI service instances are using system-assigned and/or user-assigned managed identities to allow secure access to other cloud protected resources such as Azure key vaults. Managed identities minimizes risks, simplifies management, and maintains compliance with evolving cloud services.
YAML Source
Section titled “YAML Source”id: azure-openai-managed-identity-not-usedinfo: name: Azure OpenAI Service Instance Managed Identity Not Used author: princechaddha severity: medium description: | Ensure that your Azure OpenAI service instances are using system-assigned and/or user-assigned managed identities to allow secure access to other cloud protected resources such as Azure key vaults. Managed identities minimizes risks, simplifies management, and maintains compliance with evolving cloud services. impact: | Not using managed identities can increase risks related to security and management, and hinder compliance with security best practices. remediation: | Configure your Azure OpenAI service instances to use either system-assigned or user-assigned managed identities to enhance security and simplify resource access management. reference: - https://docs.microsoft.com/en-us/azure/cognitive-services/authentication tags: cloud,devops,azure,microsoft,openai,azure-cloud-config
flow: | code(1); for (let ServiceInstance of iterate(template.instanceList)) { ServiceInstance = JSON.parse(ServiceInstance); set("name", ServiceInstance.Name); set("resourceGroup", ServiceInstance.ResourceGroup); code(2); }
self-contained: truecode: - engine: - sh - bash source: | az cognitiveservices account list --output json --query '[?(kind==`OpenAI`)].{"Name":name,"ResourceGroup":resourceGroup}'
extractors: - type: json name: instanceList internal: true json: - '.[]'
- engine: - sh - bash source: | az cognitiveservices account identity show --name "$name" --resource-group "$resourceGroup" --query '{"IdentityType":type}'
matchers-condition: and matchers: - type: word words: - '"IdentityType": null' - '"IdentityType": "None"'
extractors: - type: dsl dsl: - 'name + " in " + resourceGroup + " does not use a managed identity"'# digest: 490a0046304402201d2dd4c0da912a83c8dfb6e3c6fd56414e4da3a8b0118396060fccb00c7800620220759f09afa595c913f3fa7017cf66a84b68a639f7ffb1e9a6a4fb24499c91a983:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/aiservices/azure-openai-managed-identity-not-used.yaml"