Azure Function Access Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

To follow Azure cloud security best practices and prevent anonymous access, ensure that all the HTTP-triggered Azure functions managed with Microsoft Azure Function App are configured to use access keys to securely invoke functions via URLs. Access keys with a HOST scope (i.e. function keys) can be used to access all HTTP-triggered functions within the Azure Function App.

HTTP-triggered Azure functions should use access keys to invoke the function for security and access control. These keys act as a safeguard, ensuring that only authorized clients with the correct key can trigger the function. This helps prevent unauthorized access and potential misuse of the function, maintaining the integrity and confidentiality of your application's resources and data.


Audit

To determine if all Azure functions within your Azure Function App are configured to use access keys, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Function App and choose Apply to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the navigation panel, under Functions, select App keys to view the access keys created for the selected Function App.

07 In the Host keys (all functions) section, check for any host (function) keys, other than the _master key, created for the selected Function App. If there are no function keys defined, the HTTP-triggered Azure functions managed with the selected Microsoft Azure Function App are not configured to use access keys.

08 Repeat steps no. 5 – 7 for each Azure Function App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the functionapp list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure Function App available in the current subscription:

az functionapp list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Function App names:

Name                      ResourceGroup
----------------------    ------------------------------
cc-main-function-app      cloud-shell-storage-westeurope
cc-project5-function-app  cloud-shell-storage-westeurope

03 Run the functionapp keys list command (Windows/macOS/Linux) using the name of the Azure Function App that you want to examine and its associated resource group as the identifier parameters to list the function (host) keys created for the selected Function App:

az functionapp keys list \
  --name cc-main-function-app \
  --resource-group cloud-shell-storage-westeurope \
  --query 'functionKeys'

04 The command output should return all the function keys defined for the selected Function App:

{}

If the functionapp keys list command output returns an empty object, i.e. {}, as shown in the output example above, there are no function keys defined, therefore the HTTP-triggered Azure functions managed with the selected Microsoft Azure Function App are not configured to use access keys.

05 Repeat steps no. 3 and 4 for each Azure Function App available within the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
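
The CLI audit steps above, combined into one script that checks every Function App in the current subscription. This is an added example, not code from the original page or from Microsoft; the script name, function names and status labels are assumptions, and it must be re-run per subscription.

```shell
#!/bin/sh
# Added example (not vendor code): flags Function Apps in the current
# subscription that have no host-scoped function keys.
# Usage: sh audit-function-keys.sh --run   (file name is an assumption)

# Print the number of function keys for app $1 in resource group $2.
# JMESPath keys() lists the key names and length() counts them, so the
# empty object {} from the audit step becomes 0 and key values never print.
count_function_keys() {
  az functionapp keys list \
    --name "$1" \
    --resource-group "$2" \
    --query 'length(keys(functionKeys))' \
    --output tsv </dev/null
}

# Print "<STATUS> <resource-group>/<app> ..." for every Function App.
# Exit status: 0 all apps have keys, 1 some app has none or could not be
# read, 2 the app list itself could not be retrieved.
audit_function_apps() {
  rc=0
  apps=$(az functionapp list \
    --query '[*].[name, resourceGroup]' \
    --output tsv) || return 2
  tab=$(printf '\t')
  while IFS="$tab" read -r name rg; do
    [ -n "$name" ] || continue
    if ! n=$(count_function_keys "$name" "$rg" 2>/dev/null); then
      # Listing keys needs its own permission; do not report this as "no keys".
      echo "ERROR $rg/$name could-not-list-keys"; rc=1
    elif [ "$n" -gt 0 ]; then
      echo "OK $rg/$name function_keys=$n"
    else
      echo "NONCOMPLIANT $rg/$name function_keys=0"; rc=1
    fi
  done <<EOF
$apps
EOF
  return "$rc"
}

# Only call Azure when asked to, so the functions can be sourced and reused.
if [ "${1:-}" = "--run" ]; then
  audit_function_apps
fi
```

A defined host key does not by itself force clients to present it: a function whose HTTP trigger declares authLevel anonymous still accepts requests without a key, so review the trigger bindings as well.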

Remediation / Resolution

To ensure that all your HTTP-triggered functions managed with Azure Function App are configured to use access keys, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Function App and choose Apply to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to configure.

06 In the navigation panel, under Functions, select App keys to manage the access keys for the selected Function App.

07 Choose New host key from the top menu to create a new function key for the selected Azure Function App.

08 On the Add host key setup panel, provide a name and a value for your new function key (access key), and choose Add to create the key-value pair. You can also use the Generate a random key value and save option to generate a random value for your new function key. The new function key can be used now with your clients to access all your HTTP-triggered functions managed with the selected Azure Function App.

09 Repeat steps no. 5 – 8 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the functionapp keys set command (OSX/Linux/UNIX) using the name of the Azure Function App that you want to configure as the identifier parameter to create a new function key (access key) for the HTTP-triggered functions managed with the selected Azure Function App. To provide your own value for the key, use the --key-value parameter. If the --key-value parameter is not provided, a value will be automatically generated:

az functionapp keys set \
  --name cc-main-function-app5 \
  --resource-group cloud-shell-storage-westeurope \
  --key-name main-function-access-key \
  --key-type functionKeys

02 The command output should return the configuration information (including the key name and value) for the newly created function key:

{
	"id": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-main-function-app5/host/default/functionKeys/main-function-access-key",
	"location": "West Europe",
	"name": "main-function-access-key",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"type": "Microsoft.Web/sites/host/functionKeys",
	"value": "1234abcd1234abcd1234abcd1234abcd1234abcd"
}

03 Repeat steps no. 1 and 2 for each Azure Function App that you want to configure, available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.

Publication date Oct 23, 2023