Enable System-Assigned Managed Identities

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VirtualMachines-015

Ensure that your Microsoft Azure virtual machines (VMs) have system-assigned managed identities enabled in order to allow secure virtual machine access to Azure resources such as key vaults and storage accounts.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

A system-assigned managed identity enables Azure VMs to authenticate to other cloud services without storing credentials in code. Once enabled, all the necessary permissions can be granted via the Azure Role-Based Access Control (RBAC) access management system. With system-assigned managed identities you don't have to secure and manage access credentials anymore as these are handled automatically behind the scenes.

Note: The lifecycle of the managed identity is tied to the lifecycle of the associated VM and each virtual machine can have only one system-assigned managed identity.


Audit

To determine if your Azure virtual machines are configured to use system-assigned managed identities, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list the virtual machines launched in the selected subscription.

05 Click on the name of the virtual machine (VM) that you want to examine.

06 In the navigation panel, under Settings, select Identity to access the system-assigned managed identity configuration available for the selected VM.

07 On the Identity page, check the Status configuration setting. If Status is set to Off, the system-assigned managed identity is not enabled for the selected Microsoft Azure virtual machine.

08 Repeat steps no. 5 – 7 for each Azure virtual machine available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm list command (Windows/macOS/Linux) using custom query filters to list the ID of each virtual machine (VM) deployed within the current Azure subscription:

az vm list \
    --query '[*].id'

02 The command output should return the requested Azure virtual machine ID(s):

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-worker-vm",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-staging-vm"
]

03 Run vm show command (Windows/macOS/Linux) using the ID of the Azure virtual machine that you want to examine as identifier parameter and custom query filters, to describe the system-assigned managed identity configuration available for the selected VM:

az vm show \
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-worker-vm" \
    --query '{"IdentityConfig": identity}'

04 The command output should return the requested configuration information:

{
  "IdentityConfig": null
}

If the vm show command output returns null as the value for the "IdentityConfig" attribute, as shown in the example above, the system-assigned managed identity is not enabled for the selected Microsoft Azure virtual machine.

05 Repeat steps no. 3 and 4 for every Azure virtual machine available in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable system-assigned managed identities for your Microsoft Azure virtual machines, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list the virtual machines available in the selected subscription.

05 Click on the name of the virtual machine (VM) that you want to reconfigure (see Audit section part I to identify the right resource).

06 In the navigation panel, under Settings, select Identity to access the system-assigned managed identity configuration available for the selected VM.

07 On the Identity page, click On next to the Status setting to enable the system-assigned managed identity for the selected Azure virtual machine. Click Save to apply the configuration change, then select Yes to confirm the action. Once the system-assigned managed identity is enabled, the selected virtual machine will be registered with Microsoft Entra ID. After being registered, you can control its access to other Azure cloud services like Resource Manager, Azure Key Vault and Azure Storage Account.

08 Now you can use, for example, the VM's managed identity to read or retrieve data stored within your Azure Storage containers without the need of using access credentials in your application code.

09 Repeat steps no. 5 – 7 to enable the system-assigned managed identity for other Azure virtual machines available in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm identity assign command (Windows/macOS/Linux) using the ID of the virtual machine that you want to reconfigure (see Audit section part II to identify the right resource), to enable the system-assigned managed identity for the selected Azure VM. Once the system-assigned managed identity is enabled, the selected virtual machine will be registered with Microsoft Entra ID. After being registered, you can control its access to other Azure cloud services like Resource Manager, Azure Key Vault and Azure Storage Account:

az vm identity assign \
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-worker-vm" \
    --identities "[system]"

02 The command output should return the unique identifier assigned to the selected VM, provided once it's registered with Microsoft Entra ID:

{
  "systemAssignedIdentity": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "userAssignedIdentities": {}
}

03 After the Microsoft Entra ID registration, you can use, for example, the VM's managed identity to read or retrieve data available in your Azure Storage containers without the need of using access credentials within your application code.

04 Repeat steps no. 1 and 2 to enable the system-assigned managed identity for other Azure virtual machines provisioned in the current subscription.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.
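The audit (part II) and remediation (part II) steps above can be combined into one script that checks every VM in the current subscription and optionally enables the identity on the ones that fail. This is an added example, not Conformity's own tooling; it assumes the az CLI is installed and logged in when run with --live, and the embedded VM list is constructed so the check logic runs offline. It also covers a case the null check alone does not: a VM that carries only a user-assigned identity returns a non-null identity block, so the example inspects identity.type for "SystemAssigned".

```python
"""Audit (and optionally remediate) system-assigned managed identities on Azure VMs."""
import json
import subprocess
import sys


def vm_id(name):
    """Build a constructed Azure VM resource ID for the sample data."""
    return ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
            "/providers/Microsoft.Compute/virtualMachines/" + name)


# Constructed sample in the shape returned by `az vm list --query "[].{id:id, identity:identity}"`.
SAMPLE_VMS = [
    {"id": vm_id("vm-none"), "identity": None},
    {"id": vm_id("vm-system"), "identity": {"type": "SystemAssigned", "principalId": "1111"}},
    {"id": vm_id("vm-user-only"), "identity": {"type": "UserAssigned"}},
    {"id": vm_id("vm-both"), "identity": {"type": "SystemAssigned, UserAssigned"}},
]


def has_system_identity(identity):
    """True only when the identity block includes a system-assigned identity.

    A null block means no identity at all; a non-null block is not enough,
    because a VM with only a user-assigned identity also returns one.
    """
    if not identity:
        return False
    types = [t.strip() for t in (identity.get("type") or "").split(",")]
    return "SystemAssigned" in types


def audit(vms):
    """Return the IDs of VMs that fail the rule (no system-assigned identity)."""
    return [vm["id"] for vm in vms if not has_system_identity(vm.get("identity"))]


def list_vms():
    """Fetch VM IDs and identity blocks from the current subscription via the az CLI."""
    cmd = ["az", "vm", "list", "--query", "[].{id:id, identity:identity}", "-o", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


def remediate(resource_id):
    """Enable the system-assigned identity on one VM (same command as step 01 above)."""
    subprocess.run(["az", "vm", "identity", "assign", "--ids", resource_id,
                    "--identities", "[system]"], check=True)


if __name__ == "__main__":
    live = "--live" in sys.argv
    for failing in audit(list_vms() if live else SAMPLE_VMS):
        print("NON-COMPLIANT", failing)
        if live and "--fix" in sys.argv:
            remediate(failing)
```

Run it once per subscription (after `az account set --subscription <id>`); without --live it only evaluates the constructed sample.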

Publication date Nov 8, 2019