Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Approved Azure Machine Image in Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VirtualMachines-031

Ensure that all the Azure virtual machine (VM) instances necessary for your application stack are launched from an approved base Azure machine image, known as golden machine image, in order to enforce application security best practices, consistency, and save time when scaling your application.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

An approved machine image is a custom virtual machine (VM) image that contains a pre-configured OS and a well-defined stack of server software, fully configured to run your application. Using approved (golden) machine images to launch new VM instances within your Azure cloud environment brings major benefits such as fast and stable application deployment and scaling, secure application stack upgrades, and versioning.

Audit

To determine if your virtual machine instances are being launched from an approved machine image, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to Virtual machines blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FVirtualMachines to view the list with all the virtual machine (VM) instances available within your Azure cloud account.

03 Choose the Azure subscription that you want to access from the subscription filter box to list only the VM instances available in the selected subscription.

04 Choose the virtual machine instance that you want to examine and check the type of the VM source available in the Source column. If the source type is different than Image, the selected Microsoft Azure virtual machine instance was deployed without using an approved (golden) Azure machine image.

05 Repeat step no. 4 for each Azure virtual machine available in the selected subscription.

06 Repeat steps no. 3 – 5 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) using custom query filters to list the IDs of the subscriptions available in your Azure account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers: 

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd",
]

03 Run vm list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group of each virtual machine provisioned in the selected Azure subscription: 

az vm list
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

04 The command output should return the requested virtual machine (VM) identifiers: 

Name                      ResourceGroup
-----------------------   ------------------------------
cc-project5-web-server    cloud-shell-storage-westeurope
cc-project5-app-server    cloud-shell-storage-westeurope

05 Run vm show command (Windows/macOS/Linux) using the name of the virtual machine that you want to examine and the associated resource group as identifier parameters, to describe the ID of the approved (custom) Azure machine image used to create the selected virtual machine instance: 

az vm show
	--name cc-project5-web-server
	--resource-group cloud-shell-storage-westeurope
	--query '{"ImageId": storageProfile.imageReference.id}'

06 The command output should return the ID of the source machine image used: 

{
  "ImageId": null
}

If the value returned for the "ImageId" configuration property is not a valid resource ID, i.e. "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Compute/images/<virtual-machine-image-id>", the selected Microsoft Azure virtual machine instance was launched without using an approved Azure machine image, therefore the software stack installed might not be stable and well-secured.

07 Repeat step no. 5 and 6 for each Azure virtual machine deployed to the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To meet security and compliance requirements within your organization and launch virtual machine instances from approved machine images only, re-create the required VM instances using the approved (golden) machine image by perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to Virtual machines blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FVirtualMachines to access the list with all the virtual machine instances available within your Azure cloud account.

03 Choose the Azure subscription that you want to access from the subscription filter box.

04 Click on the name of the non-compliant virtual machine instance that you want to re-create and gather all the relevant configuration information available for the selected instance.

05 Navigate to Images blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2Fimages to access the list with all the custom machine images available in your Azure cloud account.

06 Choose the Azure subscription that you want to access from the Subscription filter box to list only the machine images created for the selected subscription.

07 Click on the name of the approved machine image that you want to use to re-create the required (non-compliant) VM instance.

08 In the navigation panel, select Overview, then click on the Create VM button available in the blade top menu to initiate the VM instance launch process.

09 On the Create a virtual machine page, perform the following actions:

  1. In the Project details section, make sure that the appropriate resource group is selected (must match the resource group of the instance that you want to re-create).
  2. In the Instance details section, provide the following details:
    • In the Virtual machine name box, provide a unique name for the new VM instance.
    • Choose the appropriate Availability Zones (AZ) options from the Availability options dropdown list.
    • Select the size of the virtual machine (VM) instance from the Size dropdown list based on the configuration details collected at step no. 4.
  3. Within the Administrator account section, choose whether the administrator account will use a username and a password or SSH keys for authentication.
  4. In the Inbound port rules section, select which virtual machine network ports can be accessible from the Internet (must match the inbound ports of the instance that you want to re-create).
  5. Click Next : Disks > to configure the VM instance disk options. Continue the virtual machine setup process using the configuration information collected at step no. 4 until you reach the instance review step. Once the review is done and the validation has passed, click Create to create your new and compliant virtual machine instance.

10 Migrate the necessary application data from the source (non-approved) virtual machine instance to the destination (approved) VM instance.

11 To remove the non-compliant virtual machine instance from your Azure cloud account in order to eliminate unnecessary costs, navigate back to the Virtual machines blade and click on the name of the VM instance that you want to remove.

12 In the navigation panel, select Overview, and click Delete to initiate the resource removal.

13 In the Delete virtual machine confirmation box, click Yes to confirm the VM instance removal.

14 Repeat step no. 4 – 13 to re-create other Azure VM instances using approved machine images, available in the selected subscription.

15 Repeat steps no. 3 – 14 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm show command (Windows/macOS/Linux) using the name of the virtual machine (VM) instance that you want to re-create as identifier parameter, to describe all the configuration information available for the selected VM instance: 

az vm show
	--name cc-project5-web-server
	--resource-group cloud-shell-storage-westeurope

02 The command output should return the requested information: 

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-project5-web-server",
  "identity": null,
  "instanceView": null,
  "licenseType": null,
  "location": "westeurope",
  "name": "cc-project5-web-server",
  "osProfile": {
    "adminPassword": null,
    "adminUsername": "AzureUser",
    "allowExtensionOperations": true,
    "computerName": "cc-project5-web-server",

    ...

    "requireGuestProvisionSignal": true,
    "windowsConfiguration": null
  },
  "plan": null,
  "priority": null,
  "provisioningState": "Succeeded",
  "proximityPlacementGroup": null,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "resources": null,
  "tags": null,
  "type": "Microsoft.Compute/virtualMachines",
  "virtualMachineScaleSet": null,
}

03 Run image list command (Windows/macOS/Linux) using custom query filters to list the name of each custom machine image available in the selected Azure subscription: 

az image list
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

04 The command output should return the VM image identifiers (i.e. names): 

Result
-------------------------
cc-project5-golden-image
cc-web-base-machine-image

05 Run vm create command (Windows/macOS/Linux) using the configuration information of the virtual machine instance that you want to re-create, returned at step no. 2, and the name of the approved (golden) machine image as input for the vm create command parameters, to create a new, approved Azure virtual machine instance: 

az vm create
	--resource-group cloud-shell-storage-westeurope
	--name cc-project5-approved-web-server
	--image cc-project5-golden-image
	--size Standard_DS2_v2
	--admin-username azureuser
	--generate-ssh-keys

06 The command output should return the metadata available for the new VM instance: 

{
  "fqdns": "",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-project5-approved-web-server",
  "location": "westeurope",
  "macAddress": "xx-xx-xx-xx-xx-xx",
  "powerState": "VM running",
  "privateIpAddress": "10.0.0.10",
  "publicIpAddress": "xxx.xxx.xxx.xxx",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "zones": ""
}

07 Migrate the necessary application data from the source (non-approved) virtual machine instance to the destination (approved) VM instance.

08 To remove the non-compliant virtual machine instance from your Azure cloud account in order to eliminate unnecessary costs, run vm delete command (Windows/macOS/Linux) using the name of the VM instance that you want to delete as identifier parameter (the command does not produce an output): 

az vm delete
	--name cc-project5-web-server
	--resource-group cloud-shell-storage-westeurope

09 Type y (yes), then press Enter to confirm the resource removal, i.e.: 

Are you sure you want to perform this operation? (y/n): y

10 Repeat step no. 1 – 9 to re-create other Azure VM instances using golden machine images, available in the selected subscription.

11 Repeat steps no. 1 – 10 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Jul 8, 2020

Related VirtualMachines rules