Azure Search Service Managed Identity Not Enabled
ID: azure-search-service-managed-identity-disabled
Severity: medium
Author: princechaddha
Tags: cloud,devops,azure,microsoft,azure-search,azure-cloud-config
Description
Section titled “Description”Ensure that your Microsoft Azure Search Service instances have system-assigned managed identities enabled in order to allow secure application access to other Azure resources such as storage accounts and key vaults.
YAML Source
Section titled “YAML Source”id: azure-search-service-managed-identity-disabledinfo: name: Azure Search Service Managed Identity Not Enabled author: princechaddha severity: medium description: | Ensure that your Microsoft Azure Search Service instances have system-assigned managed identities enabled in order to allow secure application access to other Azure resources such as storage accounts and key vaults. impact: | Not enabling system-assigned managed identities on Azure Search Service instances can lead to insecure access patterns and potential misconfigurations when accessing other Azure resources. remediation: | Enable system-assigned managed identities on your Azure Search Service instances to secure access to Azure resources. reference: - https://docs.microsoft.com/en-us/azure/search/search-managed-identities tags: cloud,devops,azure,microsoft,azure-search,azure-cloud-config
flow: | code(1); for (let ResourceGroupName of iterate(template.resourceGroupNames)) { set("resourceGroup", ResourceGroupName); code(2); for (let SearchServiceName of iterate(template.searchServiceNames)) { set("name", SearchServiceName); code(3); } }
self-contained: truecode: - engine: - sh - bash source: | az group list --query "[].name"
extractors: - type: json name: resourceGroupNames internal: true json: - '.[]'
- engine: - sh - bash source: | az search service list --resource-group "$resourceGroup" --query '[].{Name:name}'
extractors: - type: json name: searchServiceNames internal: true json: - '.[]'
- engine: - sh - bash source: | az search service show --name "$name" --resource-group "$resourceGroup" --query '{"ManagedIdentity": identity}'
matchers-condition: and matchers: - type: word words: - '"ManagedIdentity": null'
extractors: - type: dsl dsl: - 'name + " in " + resourceGroup + " does not have managed identity enabled"'# digest: 490a0046304402201360a84898fed0248b9f87d32f7e55a7370e17a2a768a39ecc8f00681cb0cdfa02201a3ae06fa109ac00c8dd71e3158ddf8d616870f5b315d1d98fc9ea05cd2cdf34:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/search/azure-search-service-managed-identity-disabled.yaml"