Profile Applicability:
- Level 1
Description:
This check ensures that only approved extensions are installed on Azure Virtual Machines (VMs) or other Azure resources. Extensions are used to automate tasks, install software, or configure settings on VMs. Ensuring that only approved extensions are installed helps to reduce the attack surface, prevent unauthorized changes, and maintain compliance with security policies.
Rationale:
Allowing unapproved or unauthorized extensions to be installed on VMs can lead to security vulnerabilities, unauthorized access, and non-compliance with internal policies. By controlling which extensions are installed, you can ensure that only trusted and validated software is running on your VMs, thereby minimizing the risk of exploitation or misconfiguration.
Impact:
Pros:
- Reduces the risk of introducing unapproved or malicious extensions that could compromise security.
- Helps ensure compliance with organizational security policies.
- Enhances operational control by ensuring only validated extensions are installed.
Cons:
- Requires additional management and monitoring to ensure only approved extensions are installed.
- Could lead to operational complexity if there is a need to frequently review and update the list of approved extensions.
Default Value:
By default, Azure does not restrict the installation of extensions. Extensions can be installed via the Azure portal, Azure CLI, or through automation tools.
Pre-requisites:
Ensure that a list of approved extensions is established and that processes are in place to verify and authorize extensions before installation. Access to the Azure portal or CLI is required to manage extensions.
Test Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the Virtual Machines blade.
Select a virtual machine to review.
Under the Settings section, click on Extensions.
Review the list of installed extensions and verify that only approved extensions are present.
If an unauthorized extension is found, it should be removed or flagged for review.
Using Azure CLI:
To check the installed extensions on a virtual machine, run the following command:
az vm extension list --resource-group <RESOURCE_GROUP_NAME> --vm-name <VM_NAME> --query "[].name"
Ensure that the list of extensions returned includes only the approved extensions. Cross-reference the list with your internal approved extensions list.
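The cross-reference step above can be scripted. The following POSIX shell function is an added example and not part of this benchmark: it reads the tab-separated publisher/name pairs produced by `az vm extension list` and prints every extension missing from an organizational allowlist. The allowlist entries, the sample input and the assumption that the CLI fields are named `publisher` and `name` are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare installed VM extensions against an approved list.
# Allowlist format: one "<publisher>/<name>" per line (constructed sample;
# replace with your organization's approved extensions list).
APPROVED_EXTENSIONS='Microsoft.Azure.Monitor/AzureMonitorLinuxAgent
Microsoft.Azure.Security.Monitoring/AzureSecurityLinuxAgent'

# Reads "publisher<TAB>name" lines on stdin and prints each one that is not
# in APPROVED_EXTENSIONS as "publisher/name". In practice the input comes from
# (assumed JMESPath field names `publisher` and `name`):
#   az vm extension list --resource-group <RESOURCE_GROUP_NAME> \
#     --vm-name <VM_NAME> --query "[].[publisher, name]" -o tsv
find_unapproved() {
  tab=$(printf '\t')
  while IFS="$tab" read -r publisher name; do
    # Skip blank lines so a trailing newline does not produce a false finding.
    [ -z "$publisher" ] && continue
    key="$publisher/$name"
    # -F: literal match, -x: whole line, -q: no output, just the exit status.
    if ! printf '%s\n' "$APPROVED_EXTENSIONS" | grep -Fxq -e "$key"; then
      printf '%s\n' "$key"
    fi
  done
}

# Constructed sample standing in for the az CLI tsv output: one approved
# extension and one that is not on the allowlist.
SAMPLE_TSV=$(printf 'Microsoft.Azure.Monitor\tAzureMonitorLinuxAgent\nMicrosoft.Azure.Extensions\tCustomScript\n')

# Any line printed here is an extension to remove or flag for review.
printf '%s\n' "$SAMPLE_TSV" | find_unapproved
```

An empty result means every installed extension is on the allowlist; each printed `publisher/name` pair maps directly to the `--publisher` and `--name` values used by the remediation commands in the Implementation Plan.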
Implementation Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to Virtual Machines and select the VM for which you want to configure extensions.
Under the Settings section, click on Extensions.
Review the installed extensions and remove any that are not approved by your organization.
To install an approved extension, click Add and select the approved extension from the list.
Follow the prompts to complete the installation and ensure it is properly configured.
Using Azure CLI:
To list the installed extensions on a virtual machine, use the following command:
az vm extension list --resource-group <RESOURCE_GROUP_NAME> --vm-name <VM_NAME>
To remove an unapproved extension, run the following command:
az vm extension remove --resource-group <RESOURCE_GROUP_NAME> --vm-name <VM_NAME> --name <EXTENSION_NAME>
To install an approved extension, run:
az vm extension set --resource-group <RESOURCE_GROUP_NAME> --vm-name <VM_NAME> --name <APPROVED_EXTENSION_NAME> --publisher <PUBLISHER> --version <VERSION>
Backout Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to Virtual Machines and select the VM for which you want to manage extensions.
Under the Settings section, click on Extensions.
If you need to revert to a previous configuration, uninstall any unauthorized extensions and reinstall the approved ones.
Remove any unauthorized extensions and ensure that only the necessary approved extensions remain.
Using Azure CLI:
To remove an unauthorized extension, run the following command:
az vm extension remove --resource-group <RESOURCE_GROUP_NAME> --vm-name <VM_NAME> --name <EXTENSION_NAME>
To reinstall an approved extension, use:
az vm extension set --resource-group <RESOURCE_GROUP_NAME> --vm-name <VM_NAME> --name <APPROVED_EXTENSION_NAME> --publisher <PUBLISHER> --version <VERSION>