IM-1: Use centralized identity and authentication system
Control domain: Identity Management
CIS Controls v7.1: 16.1 - Maintain an Inventory of Authentication Systems; 16.2 - Configure Centralized Point of Authentication
CIS Controls v8: 6.7 - Centralize Access Control; 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA)
NIST SP 800-53: AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS); IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
PCI-DSS: 7.2; 8.3

Security principle:
Use a centralized identity and authentication system to govern your organization's identities and authentications for cloud and non-cloud resources.

Azure guidance:
Azure Active Directory (Azure AD) is Azure's identity and authentication management service. You should standardize on Azure AD to govern your organization's identity and authentication in:
- Microsoft cloud resources, such as Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.
- Your organization's resources, such as applications on Azure, third-party applications running on your corporate network resources, and third-party SaaS applications.
- Your enterprise identities in Active Directory, by synchronization to Azure AD to ensure a consistent and centrally managed identity strategy.
For the Azure services that apply, avoid use of local authentication methods and instead use Azure Active Directory to centralize your service authentications.
Note: As soon as it is technically feasible, you should migrate on-premises Active Directory-based applications to Azure AD. This could be an Azure AD Enterprise Directory, Business to Business configuration, or Business to Consumer configuration.

Azure implementation and additional context:
Tenancy in Azure AD: https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps
How to create and configure an Azure AD instance: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant
Define Azure AD tenants: https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/
Use external identity providers for an application: https://docs.microsoft.com/azure/active-directory/b2b/identity-providers

AWS guidance:
AWS IAM (Identity and Access Management) is AWS' default identity and authentication management service. Use AWS IAM to govern your AWS identity and access management. Alternatively, through AWS and Azure Single Sign-On (SSO), you can also use Azure AD to manage the identity and access control of AWS, avoiding the need to manage duplicate accounts separately in two cloud platforms.
AWS supports Single Sign-On, which allows you to bridge your corporate third-party identities (such as Windows Active Directory or other identity stores) with AWS identities to avoid creating duplicate accounts to access AWS resources.

AWS implementation and additional context:
AWS IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
AWS Single Sign-On: https://docs.aws.amazon.com/singlesignon/index.html

Customer security stakeholders:
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management

IM-2: Protect identity and authentication systems
Control domain: Identity Management
CIS Controls v7.1: 4.3 - Ensure the Use of Dedicated Administrative Accounts; 4.5 - Use Multi-Factor Authentication for All Administrative Access
CIS Controls v8: 5.4 - Restrict Administrator Privileges to Dedicated Administrator Accounts; 6.5 - Require MFA for Administrative Access
NIST SP 800-53: AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS); IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS); SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS: 8.2; 8.3

Security principle:
Secure your identity and authentication system as a high priority in your organization's cloud security practice. Common security controls include:
- Restrict privileged roles and accounts
- Require strong authentication for all privileged access
- Monitor and audit high-risk activities

Azure guidance:
Use the Azure AD security baseline and the Azure AD Identity Secure Score to evaluate your Azure AD identity security posture, and remediate security and configuration gaps. The Azure AD Identity Secure Score evaluates Azure AD for the following configurations:
- Use limited administrative roles
- Turn on user risk policy
- Designate more than one global admin
- Enable policy to block legacy authentication
- Ensure all users can complete multi-factor authentication for secure access
- Require MFA for administrative roles
- Enable self-service password reset
- Do not expire passwords
- Turn on sign-in risk policy
- Do not allow users to grant consent to unmanaged applications
Use Azure AD Identity Protection to detect, investigate, and remediate identity-based risks. To similarly protect your on-premises Active Directory domain, use Defender for Identity.
Note: Follow published best practices for all other identity components, including your on-premises Active Directory and any third-party capabilities, and the infrastructure (such as operating systems, networks, databases) that hosts them.

Azure implementation and additional context:
What is the identity secure score in Azure AD: https://docs.microsoft.com/azure/active-directory/fundamentals/identity-secure-score
Best Practices for Securing Active Directory: https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
What is Identity Protection? https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
What is Microsoft Defender for Identity? https://learn.microsoft.com/en-us/defender-for-identity/what-is

AWS guidance:
Use the following security best practices to secure your AWS IAM:
- Set up AWS account root user access keys for emergency access as described in PA-5 (Set up emergency access)
- Follow least privilege principles for access assignments
- Leverage IAM groups to apply policies instead of individual user(s)
- Follow strong authentication guidance in IM-6 (Use strong authentication controls) for all users
- Use AWS Organizations SCP (Service Control Policy) and permission boundaries
- Use IAM Access Advisor to audit service access
- Use IAM credential report to track user accounts and credential status
Note: Follow published best practices if you have other identity and authentication systems, e.g., follow the Azure AD security baseline if you use Azure AD to manage AWS identity and access.

AWS implementation and additional context:
Security Best Practice in IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
IAM Access Advisor: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html
IAM Credential Report: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html

Customer security stakeholders:
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management

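The AWS guidance for IM-2 says to use the IAM credential report to track user accounts and credential status and to require strong authentication for all users. The following is an added example (not code from the benchmark or from AWS) that turns those checks into an audit over a credential report: it flags console users and the root user without MFA, active root access keys, access keys older than 90 days, and credentials idle for 90 days. The CSV below is constructed and uses a subset of the report's columns; the 90-day thresholds and the fixed "now" are assumptions for the example.

```python
"""Audit an IAM credential report for the IM-2 findings (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # assumed rotation window for access keys
MAX_IDLE = timedelta(days=90)      # assumed idle window before a credential is stale
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed so the sample audit is reproducible

# Constructed sample report (account id and keys are not real); column names and
# value conventions (true/false, N/A, no_information, not_supported) follow the
# IAM credential report, which in practice comes from `aws iam get-credential-report`.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2021-01-04T09:00:00+00:00,not_supported,2024-02-01T08:12:00+00:00,not_supported,not_supported,false,true,2021-01-04T09:05:00+00:00,2024-02-20T07:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-10T10:00:00+00:00,true,2024-02-28T11:30:00+00:00,2024-01-15T10:00:00+00:00,2024-04-14T10:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-06-01T10:00:00+00:00,true,2024-02-27T09:00:00+00:00,2023-06-01T10:00:00+00:00,2023-08-30T10:00:00+00:00,false,true,2022-06-01T10:05:00+00:00,2024-02-27T09:10:00+00:00,false,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2023-01-20T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-12-15T10:00:00+00:00,2024-02-28T06:00:00+00:00,true,2023-01-20T10:05:00+00:00,no_information
"""


def _parse_ts(value):
    """Parse a report timestamp; N/A, no_information and not_supported become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=NOW):
    """Return (user, finding_code, detail) tuples for every weakness in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        console = row["password_enabled"] == "true"

        # Root and every console user must have MFA (IM-6 applies to all users).
        if (is_root or console) and row["mfa_active"] != "true":
            findings.append((user, "NO_MFA", "console sign-in possible without MFA"))

        # A console password that has not been used within the idle window.
        last_pw = _parse_ts(row["password_last_used"])
        if console and last_pw and now - last_pw > MAX_IDLE:
            findings.append((user, "DORMANT_PASSWORD",
                             f"password unused for {(now - last_pw).days} days"))

        for n in ("1", "2"):
            key = f"access_key_{n}"
            if row[f"{key}_active"] != "true":
                continue
            if is_root:
                # Root keys should exist only as the PA-5 emergency-access credential.
                findings.append((user, "ROOT_ACCESS_KEY",
                                 f"{key} active; confirm it is the emergency key"))
            rotated = _parse_ts(row[f"{key}_last_rotated"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, "KEY_AGE", f"{key} is {(now - rotated).days} days old"))
            # A key that was never used counts as idle since it was created.
            last_used = _parse_ts(row[f"{key}_last_used_date"]) or rotated
            if last_used and now - last_used > MAX_IDLE:
                findings.append((user, "KEY_UNUSED",
                                 f"{key} unused for {(now - last_used).days} days"))
    return findings


def sample_findings():
    """(user, code) pairs for the constructed report, for a quick check."""
    return [(u, c) for u, c, _ in audit_credential_report(SAMPLE_REPORT)]


if __name__ == "__main__":
    for user, code, detail in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:15} {code:16} {detail}")
```

Because `csv.DictReader` reads columns by name, the same audit runs unchanged on a full report that carries the additional region, service and certificate columns.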
IM-3: Manage application identities securely and automatically
Control domain: Identity Management
NIST SP 800-53: AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; IA-4: IDENTIFIER MANAGEMENT; IA-5: AUTHENTICATOR MANAGEMENT; IA-9: SERVICE IDENTIFICATION AND AUTHENTICATION
PCI-DSS: N/A

Security principle:
Use managed application identities instead of creating human accounts for applications to access resources and execute code. Managed application identities provide benefits such as reducing the exposure of credentials. Automate the rotation of credentials to ensure the security of the identities.

Azure guidance:
Use Azure managed identities, which can authenticate to Azure services and resources that support Azure AD authentication. Managed identity credentials are fully managed, rotated, and protected by the platform, avoiding hard-coded credentials in source code or configuration files.
For services that don't support managed identities, use Azure AD to create a service principal with restricted permissions at the resource level. It is recommended to configure service principals with certificate credentials and fall back to client secrets for authentication.

Azure implementation and additional context:
Azure managed identities: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview
Services that support managed identities for Azure resources: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities
Azure service principal: https://docs.microsoft.com/powershell/azure/create-azure-service-principal-azureps
Create a service principal with certificates: https://docs.microsoft.com/azure/active-directory/develop/howto-authenticate-service-principal-powershell

AWS guidance:
Use AWS IAM roles instead of creating user accounts for resources that support this feature. IAM roles are managed by the platform at the backend and the credentials are temporary and rotated automatically. This avoids creating long-term access keys or a username/password for applications, and avoids hard-coded credentials in source code or configuration files.
You may use service-linked roles, which come with pre-defined permission policies for access between AWS services, instead of customizing your own permissions for IAM roles.
Note: For services that don't support IAM roles, use access keys but follow security best practices such as IM-8 (Restrict the exposure of credentials and secrets) to secure your keys.

AWS implementation and additional context:
AWS IAM Roles: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
Providing access to an AWS service: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html

Customer security stakeholders:
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops

IM-4: Authenticate server and services
Control domain: Identity Management
NIST SP 800-53: IA-9: SERVICE IDENTIFICATION AND AUTHENTICATION

Security principle:
Authenticate remote servers and services from your client side to ensure you are connecting to trusted servers and services. The most common server authentication protocol is Transport Layer Security (TLS), where the client side (often a browser or client device) verifies the server by checking that the server's certificate was issued by a trusted certificate authority.

Azure guidance:
Many Azure services support TLS authentication by default. For services that do not enable it by default, or that allow TLS to be disabled, ensure it is always enabled to support server/service authentication. Your client application should also be designed to verify the server/service identity (by verifying that the server's certificate was issued by a trusted certificate authority) in the handshake stage.
Note: Mutual authentication can be used when both the server and the client authenticate one another.
Note: Services such as API Management and API Gateway support TLS mutual authentication.

Azure implementation and additional context:
Enforce Transport Layer Security (TLS) for a storage account: https://docs.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal#use-azure-policy-to-enforce-the-minimum-tls-version

AWS guidance:
Many AWS services support TLS authentication by default. For services that do not enable it by default, or that allow TLS to be disabled, ensure it is always enabled to support server/service authentication. Your client application should also be designed to verify the server/service identity (by verifying that the server's certificate was issued by a trusted certificate authority) in the handshake stage.
Note: Services such as API Gateway support TLS mutual authentication.

AWS implementation and additional context:
AWS Certificate Manager certificate pinning: https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-pinning
SSL certificate for backend authentication: https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html

Customer security stakeholders:
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops

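IM-4 asks that the client verify the server's identity during the handshake and that TLS cannot be silently weakened. The following added example (not code from the benchmark, Azure or AWS; standard library only) builds a client context that does exactly that, shows the weak pattern beside it, and provides a posture check that reports when certificate verification, hostname checking or a TLS 1.2 floor is missing. The `connect_verified` helper and its hostname handling are illustrative assumptions and open no connection in the checks below.

```python
"""Client-side server authentication for TLS, as IM-4 describes (added example)."""
import socket
import ssl


def make_verified_client_context(ca_bundle=None):
    """Context that authenticates the server: the chain must validate to a trusted
    CA (the system store, or the PEM bundle given), the hostname must match the
    certificate, and nothing older than TLS 1.2 is negotiated."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_client_context():
    """The pattern IM-4 warns against: encryption without server authentication,
    so any certificate (including a forged one) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_posture(ctx):
    """Return the IM-4 weaknesses present in a client SSLContext (empty if none)."""
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        issues.append("server hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("TLS 1.0/1.1 would be accepted")
    return issues


def connect_verified(host, port=443, ca_bundle=None, timeout=5.0):
    """Open an authenticated TLS connection and return the negotiated protocol
    version and the certificate subject. Raises ssl.SSLCertVerificationError
    when the server cannot be authenticated. Needs network access, so it is
    shown here but not exercised offline."""
    ctx = make_verified_client_context(ca_bundle)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname supplies SNI and is the name the certificate is checked against.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]


if __name__ == "__main__":
    print("hardened:", tls_posture(make_verified_client_context()) or "no issues")
    print("weak    :", tls_posture(make_weak_client_context()))
```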
IM-5: Use single sign-on (SSO) for application access
Control domain: Identity Management
CIS Controls v7.1: 16.2 - Configure Centralized Point of Authentication
CIS Controls v8: 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA)
NIST SP 800-53: IA-4: IDENTIFIER MANAGEMENT; IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS); IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)

Security principle:
Use single sign-on (SSO) to simplify the user experience for authenticating to resources including applications and data across cloud services and on-premises environments.

Azure guidance:
Use Azure AD for workload application access (customer facing) through Azure AD single sign-on (SSO), reducing the need for duplicate accounts. Azure AD provides identity and access management to Azure resources (in the management plane including CLI, PowerShell, portal), cloud applications, and on-premises applications.
Azure AD also supports SSO for enterprise identities such as corporate user identities, as well as external user identities from trusted third-party and public users.

Azure implementation and additional context:
Understand application SSO with Azure AD: https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on

AWS guidance:
Use AWS Cognito to manage access to your customer-facing workload application through single sign-on (SSO), allowing customers to bridge their third-party identities from different identity providers.
For SSO access to AWS native resources (including AWS console access or service management and data plane level access), use AWS Single Sign-On to reduce the need for duplicate accounts.
AWS SSO also allows you to bridge corporate identities (such as identities from Azure Active Directory) with AWS identities, as well as external user identities from trusted third-party and public users.

AWS implementation and additional context:
AWS Single Sign-On: https://docs.aws.amazon.com/singlesignon/
AWS Cognito Single Sign-On, adding SAML identity providers: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html

Customer security stakeholders:
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops

IM-6: Use strong authentication controls
Control domain: Identity Management
CIS Controls v7.1: 4.2 - Change Default Passwords; 4.5 - Use Multifactor Authentication For All Administrative Access; 12.11 - Require All Remote Logins to Use Multi-Factor Authentication; 16.3 - Require Multi-Factor Authentication
CIS Controls v8: 6.3 - Require MFA for Externally-Exposed Applications; 6.4 - Require MFA for Administrative Access
NIST SP 800-53: AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS); IA-5: AUTHENTICATOR MANAGEMENT; IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
PCI-DSS: 7.2; 8.2; 8.3; 8.4

Security principle:
Enforce strong authentication controls (strong passwordless authentication or multi-factor authentication) with your centralized identity and authentication management system for all access to resources. Authentication based on password credentials alone is considered legacy, as it is insecure and does not stand up to popular attack methods.
When deploying strong authentication, configure administrators and privileged users first, to ensure the highest level of the strong authentication method, quickly followed by rolling out the appropriate strong authentication policy to all users.
Note: If legacy password-based authentication is required for legacy applications and scenarios, ensure that password security best practices, such as complexity requirements, are followed.

Azure guidance:
Azure AD supports strong authentication controls through passwordless methods and multi-factor authentication (MFA).
- Passwordless authentication: Use passwordless authentication as your default authentication method. There are three options available in passwordless authentication: Windows Hello for Business, Microsoft Authenticator app phone sign-in, and FIDO2 security keys. In addition, customers can use on-premises authentication methods such as smart cards.
- Multi-factor authentication: Azure MFA can be enforced on all users, select users, or at the per-user level based on sign-in conditions and risk factors. Enable Azure MFA and follow Microsoft Defender for Cloud identity and access management recommendations for your MFA setup.
If legacy password-based authentication is still used for Azure AD authentication, be aware that cloud-only accounts (user accounts created directly in Azure) have a default baseline password policy, and hybrid accounts (user accounts that come from on-premises Active Directory) follow the on-premises password policies.
For third-party applications and services that may have default IDs and passwords, you should disable or change them during initial service setup.

Azure implementation and additional context:
How to enable MFA in Azure: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted
Introduction to passwordless authentication options for Azure Active Directory: https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless
Azure AD default password policy: https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts
Eliminate bad passwords using Azure AD Password Protection: https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad
Block legacy authentication: https://docs.microsoft.com/azure/active-directory/conditional-access/block-legacy-authentication

AWS guidance:
AWS IAM supports strong authentication controls through multi-factor authentication (MFA). MFA can be enforced on all users, select users, or at the per-user level based on defined conditions.
If you use corporate accounts from a third-party directory (such as Windows Active Directory) with AWS identities, follow the respective security guidance to enforce strong authentication. Refer to the Azure guidance for this control if you use Azure AD to manage AWS access.
Note: For third-party applications and AWS services that may have default IDs and passwords, you should disable or change them during initial service setup.

AWS implementation and additional context:
Using multi-factor authentication (MFA) in AWS: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
IAM supported MFA form factors: https://aws.amazon.com/iam/features/mfa/

Customer security stakeholders:
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops

IM-7: Restrict resource access based on conditions
Control domain: Identity Management
CIS Controls v7.1: 12.11 - Require All Remote Logins to Use Multi-Factor Authentication; 12.12 - Manage All Devices Remotely Logging Into Internal Network; 14.6 - Protect Information Through Access Control Lists; 16.3 - Require Multi-Factor Authentication
CIS Controls v8: 3.3 - Configure Data Access Control Lists; 6.4 - Require MFA for Administrative Access; 13.5 - Manage Access Control for Remote Assets
NIST SP 800-53: AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; AC-6: LEAST PRIVILEGE
PCI-DSS: 7.2

Security principle:
Explicitly validate trusted signals to allow or deny user access to resources, as part of a zero-trust access model. Signals to validate should include strong authentication of the user account, behavioral analytics of the user account, device trustworthiness, user or group membership, locations, and so on.

Azure guidance:
Use Azure AD Conditional Access for more granular access controls based on user-defined conditions, such as requiring user logins from certain IP ranges (or devices) to use MFA. Azure AD Conditional Access allows you to enforce access controls on your organization's apps based on certain conditions.
Define the applicable conditions and criteria for Azure AD Conditional Access in the workload. Consider the following common use cases:
- Requiring multi-factor authentication for users with administrative roles
- Requiring multi-factor authentication for Azure management tasks
- Blocking sign-ins for users attempting to use legacy authentication protocols
- Requiring trusted locations for Azure AD Multi-Factor Authentication registration
- Blocking or granting access from specific locations
- Blocking risky sign-in behaviors
- Requiring organization-managed devices for specific applications
Note: Granular authentication session management controls can also be implemented through Azure AD Conditional Access policies, such as sign-in frequency and persistent browser session.

Azure implementation and additional context:
Azure Conditional Access overview: https://docs.microsoft.com/azure/active-directory/conditional-access/overview
Common Conditional Access policies: https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common
Conditional Access insights and reporting: https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting
Configure authentication session management with Conditional Access: https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

AWS guidance:
Create IAM policies and define conditions for more granular access controls based on user-defined conditions, such as requiring user logins from certain IP ranges (or devices) to use multi-factor authentication. Condition settings may include single or multiple conditions as well as logic.
Policies can be defined from six different dimensions: identity-based policies, resource-based policies, permissions boundaries, AWS Organizations service control policies (SCP), access control lists (ACL), and session policies.

AWS implementation and additional context:
Policies and permissions in IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
Condition keys table: https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html#context_keys_table

Customer security stakeholders:
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence

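The AWS guidance for IM-7 describes IAM policies whose conditions require MFA for logins outside certain IP ranges and that combine several conditions with logic. The following added example (not code from the benchmark or from AWS) writes such a policy and a small evaluator for it, so the AND/OR rules between condition operators, the `IfExists` behaviour and the explicit-deny-wins rule can be checked against sample request contexts. The condition key names are real IAM global keys; the policy, the IP ranges and the requests are constructed, and the evaluator covers only the operators this policy uses.

```python
"""Evaluate an IAM policy with conditions against request contexts (added example)."""
import ipaddress
from fnmatch import fnmatchcase

# Constructed policy: S3 is allowed, but everything is denied unless the caller
# used MFA or comes from the corporate range. Operators inside one Condition block
# are ANDed; the values listed under one key are ORed. BoolIfExists makes the deny
# apply to access-key calls, where aws:MultiFactorAuthPresent is absent.
MFA_OR_CORPORATE_IP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"},
                "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
            },
        },
    ],
}


def _match_one(op, expected, actual):
    """Match one request value against one policy value for a positive operator."""
    if op == "Bool":
        return str(actual).lower() == str(expected).lower()
    if op == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    if op == "StringEquals":
        return actual == expected
    raise ValueError(f"unsupported condition operator: {op}")


def _condition_matches(operator, key_values, context):
    """One operator block: every key must match (AND); a key matches if any of
    its values matches (OR). A missing key matches only for ...IfExists
    operators; for plain operators it is treated as no match here (the exact
    AWS rule for negated operators with a missing key is not modelled)."""
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    negated = False
    if base.startswith("Not"):
        negated, base = True, base[len("Not"):]
    elif base == "StringNotEquals":
        negated, base = True, "StringEquals"
    for key, expected in key_values.items():
        if key not in context:
            if if_exists:
                continue
            return False
        values = expected if isinstance(expected, list) else [expected]
        hit = any(_match_one(base, v, context[key]) for v in values)
        if hit == negated:  # no hit for a positive operator, or a hit for a negated one
            return False
    return True


def _statement_applies(stmt, action, resource):
    """Action matching is case-insensitive with '*' wildcards; resource is exact or '*'."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    return (any(fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request: an explicit Deny
    wins over any Allow, and no matching Allow is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource):
            continue
        conditions = stmt.get("Condition", {})
        if not all(_condition_matches(op, kv, context) for op, kv in conditions.items()):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed requests: (action, resource, request context).
SAMPLE_REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::demo-bucket/report.csv",
     {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "198.51.100.7"}),   # MFA, remote
    ("s3:GetObject", "arn:aws:s3:::demo-bucket/report.csv",
     {"aws:MultiFactorAuthPresent": "false", "aws:SourceIp": "198.51.100.7"}),  # no MFA, remote
    ("s3:GetObject", "arn:aws:s3:::demo-bucket/report.csv",
     {"aws:MultiFactorAuthPresent": "false", "aws:SourceIp": "203.0.113.40"}),  # no MFA, corporate
    ("s3:ListBucket", "arn:aws:s3:::demo-bucket",
     {"aws:SourceIp": "198.51.100.7"}),                                          # access key, remote
    ("ec2:DescribeInstances", "*",
     {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.40"}),   # not allowed at all
]


def sample_decisions():
    return [evaluate(MFA_OR_CORPORATE_IP_POLICY, a, r, c) for a, r, c in SAMPLE_REQUESTS]
```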
IM-8: Restrict the exposure of credentials and secrets
Control domain: Identity Management
CIS Controls v7.1: 18.1 - Establish Secure Coding Practices; 18.6 - Ensure Software Development Personnel Are Trained in Secure Coding; 18.7 - Apply Static and Dynamic Code Analysis Tools
CIS Controls v8: 16.9 - Train Developers in Application Security Concepts and Secure Coding; 16.12 - Implement Code-Level Security Checks
NIST SP 800-53: IA-5: AUTHENTICATOR MANAGEMENT
PCI-DSS: 3.5; 6.3; 8.2

Security principle:
Ensure that application developers securely handle credentials and secrets:
- Avoid embedding the credentials and secrets into the code and configuration files
- Use a key vault or a secure key store service to store the credentials and secrets
- Scan for credentials in source code
Note: This is often governed and enforced through a secure software development lifecycle (SDLC) and DevOps security process.

Azure guidance:
When using a managed identity is not an option, ensure that secrets and credentials are stored in secure locations such as Azure Key Vault, instead of embedding them into the code and configuration files.
If you use Azure DevOps and GitHub for your code management platform:
- Implement Azure DevOps Credential Scanner to identify credentials within the code.
- For GitHub, use the native secret scanning feature to identify credentials or other forms of secrets within the code.
Clients such as Azure Functions, Azure App Service, and VMs can use managed identities to access Azure Key Vault securely. See the Data Protection controls related to the use of Azure Key Vault for secrets management.
Note: Azure Key Vault provides automatic rotation for supported services. For secrets which cannot be automatically rotated, ensure they are manually rotated periodically and purged when no longer in use.

Azure implementation and additional context:
How to set up Credential Scanner: https://secdevtools.azurewebsites.net/helpcredscan.html
GitHub secret scanning: https://docs.github.com/github/administering-a-repository/about-secret-scanning

AWS guidance:
When using an IAM role for application access is not an option, ensure that secrets and credentials are stored in secure locations such as AWS Secrets Manager or Systems Manager Parameter Store, instead of embedding them into the code and configuration files.
Use CodeGuru Reviewer for static code analysis, which can detect secrets hard-coded in your source code.
If you use Azure DevOps and GitHub for your code management platform:
- Implement Azure DevOps Credential Scanner to identify credentials within the code.
- For GitHub, use the native secret scanning feature to identify credentials or other forms of secrets within the code.
Note: Secrets Manager provides automatic secrets rotation for supported services. For secrets which cannot be automatically rotated, ensure they are manually rotated periodically and purged when no longer in use.

AWS implementation and additional context:
AWS IAM roles in EC2: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
AWS Secrets Manager integrated services: https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating.html
CodeGuru Reviewer Secrets Detection: https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/recommendations.html

Customer security stakeholders:
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management

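IM-8 relies on scanning source for credentials (Credential Scanner, GitHub secret scanning, CodeGuru Reviewer). The following added example (not code from the benchmark or from any of those tools) shows what such a scanner does at its core: pattern detectors for an AWS access key ID, an Azure Storage connection-string `AccountKey`, a pasted private key and an assigned password/token literal, with placeholder values skipped and an entropy score attached for triage. The sample source lines are constructed; the access key and secret key values are AWS's published documentation examples, the storage key is made up.

```python
"""Minimal hard-coded credential scanner for source text (added example)."""
import math
import re
from collections import Counter

# Detector name -> regex with the secret value in group 1.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),  # documented AKIA prefix + 16 chars
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{20,}={0,2})"),
    "private_key_block": re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)"),
    "assigned_secret": re.compile(
        r"""(?i)\b\w*(?:password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[:=]\s*["']([^"']{8,})["']"""
    ),
}
# Values that are templates, not secrets: <NAME>, ${NAME}, {{ name }}.
PLACEHOLDER = re.compile(r"^(<[^>]*>|\$\{[^}]*\}|\{\{.*\}\})$")

# Constructed sample file, as a developer might (wrongly) commit it.
SAMPLE_SOURCE = """\
# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2hpamtsbW5vcHFyc3R1dg==;EndpointSuffix=core.windows.net"
DB_PASSWORD = "${DB_PASSWORD}"
password = "hunter22"
api_key = os.environ["API_KEY"]
-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(value):
    """Bits per character; random keys score high, words and patterns score low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret):
    """Never echo the full secret into scanner output or logs."""
    return secret[:4] + "***"


def scan_text(text):
    """Return one finding per (line, detector, match) with the value redacted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if PLACEHOLDER.match(value):
                    continue  # "${DB_PASSWORD}" style references are the desired pattern
                findings.append({
                    "line": line_no,
                    "detector": name,
                    "redacted": redact(value),
                    "entropy": round(shannon_entropy(value), 2),
                })
    return findings


def sample_findings():
    """(line, detector) pairs for the constructed sample."""
    return [(f["line"], f["detector"]) for f in scan_text(SAMPLE_SOURCE)]


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f['line']:>3}  {f['detector']:26} {f['redacted']:12} entropy={f['entropy']}")
```

Line 5 (a `${DB_PASSWORD}` reference resolved from a secret store) and line 7 (a value read from the environment) produce no findings; those are the patterns IM-8 asks for.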
IM-9: Secure user access to existing applications
Control domain: Identity Management
CIS Controls v7.1: 12.10 - Decrypt Network Traffic at Proxy; 16.2 - Configure Centralized Point of Authentication
CIS Controls v8: 6.7 - Centralize Access Control; 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA)
NIST SP 800-53: AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; SC-11: TRUSTED PATH

Security principle:
In a hybrid environment, where you have on-premises applications or non-native cloud applications using legacy authentication, consider solutions such as a cloud access security broker (CASB), an application proxy, or single sign-on (SSO) to govern access to these applications for the following benefits:
- Enforce centralized strong authentication
- Monitor and control risky end-user activities
- Monitor and remediate risky legacy application activities
- Detect and prevent sensitive data transmission
Note: VPNs are commonly used to access legacy applications and often only have basic access control and limited session monitoring.

Azure guidance:
Protect your on-premises and non-native cloud applications using legacy authentication by connecting them to:
- Azure AD Application Proxy, configuring header-based authentication to allow single sign-on (SSO) access to the applications for remote users while explicitly validating the trustworthiness of both remote users and devices with Azure AD Conditional Access. If required, use a third-party Software-Defined Perimeter (SDP) solution which can offer similar functionality.
- Microsoft Defender for Cloud Apps, which serves as a cloud access security broker (CASB) service to monitor and block user access to unapproved third-party SaaS applications.
- Your existing third-party application delivery controllers and networks.

Azure implementation and additional context:
Azure AD Application Proxy: https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy
Microsoft Cloud App Security best practices: https://docs.microsoft.com/cloud-app-security/best-practices
Azure AD secure hybrid access: https://docs.microsoft.com/azure/active-directory/manage-apps/secure-hybrid-access

AWS guidance:
Follow Azure's guidance to protect your on-premises and non-native cloud applications using legacy authentication by connecting them to:
- Azure AD Application Proxy, configuring header-based authentication to allow single sign-on (SSO) access to the applications for remote users while explicitly validating the trustworthiness of both remote users and devices with Azure AD Conditional Access. If required, use a third-party Software-Defined Perimeter (SDP) solution which can offer similar functionality.
- Microsoft Defender for Cloud Apps, which serves as a cloud access security broker (CASB) service to monitor and block user access to unapproved third-party SaaS applications.
- Your existing third-party application delivery controllers and networks.
Note: VPNs are commonly used to access legacy applications and often only have basic access control and limited session monitoring.

AWS implementation and additional context:
AWS Marketplace Application Proxy solutions: https://aws.amazon.com/marketplace/search/results?searchTerms=Application+proxy
AWS Marketplace CASB solutions: https://aws.amazon.com/marketplace/search/results?searchTerms=CASB

Customer security stakeholders:
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops