Framework/Configurations/SVT/Services/Automation.json
{
"FeatureName": "Automation", "Reference": "", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_Automation_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "Automation110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Recommendation": "Remove any excessive privileges granted on the Automation account. Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Assign 'Automation Operator' RBAC role to members who need to start/stop/suspend/resume jobs. Refer: https://docs.microsoft.com/en-us/azure/automation/automation-role-based-access-control, https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_Automation_DP_Review_Webhook_Usage", "Description": "Webhooks should not be used for runbooks that perform highly sensitive functions", "Id": "Automation120", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckWebhooks", "Recommendation": "Remove webhook(s) if not required. Run command Remove-AzureRmAutomationWebhook -AutomationAccountName '{AutomationAccountName}' -Name '{WebhookName}' -ResourceGroupName '{ResourceGroupName}'", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true },
{ "ControlID": "Azure_Automation_DP_Minimal_Webhook_Validity", "Description": "Webhook URL must have a shorter validity period (<= $($this.ControlSettings.Automation.WebhookValidityInDays) days) to prevent malicious access", "Id": "Automation130", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckWebhookExpiry", "Recommendation": "Change the webhook expiry date by navigating to Azure Portal --> Your Automation account --> Your runbook --> Webhooks --> Your webhook --> Edit 'Expiration' field --> Save", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "Azure_Automation_DP_Use_Encrypted_Variables", "Description": "Encryption of Automation account variable assets must be enabled when storing sensitive data", "Id": "Automation140", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVariables", "Recommendation": "Encrypt variable if it stores sensitive data. Run command Set-AzureRmAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true },
{ "ControlID": "Azure_Automation_DP_Use_Secure_Assets", "Description": "Never hardcode secure information in your runbook, instead use Automation account assets (Credentials, encrypted variables etc.)", "Id": "Automation150", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "For detailed information about assets refer: https://docs.microsoft.com/en-us/azure/automation/automation-certificates, https://docs.microsoft.com/en-us/azure/automation/automation-connections, https://docs.microsoft.com/en-us/azure/automation/automation-credentials, https://docs.microsoft.com/en-us/azure/automation/automation-variables", "Tags": [ "SDL", "TCP", "DP" ], "Enabled": true }, { "ControlID": "Azure_Automation_DP_Rotate_Account_Keys", "Description": "Automation account keys should be rotated periodically as per the company standards", "Id": "Automation160", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Run command New-AzureRmAutomationKey -AutomationAccountName '{AutomationAccountName}' -KeyType '{Primary/Secondary}' -ResourceGroupName '{ResourceGroupName}' to rotate keys", "Tags": [ "SDL", "TCP", "DP" ], "Enabled": true }, { "ControlID": "Azure_Automation_DP_Rotate_RunAsAccount_Credentials", "Description": "Credentials for Run As Account should be deleted and recreated at regular intervals to make sure that Service Principal connection credentials are not compromised", "Id": "Automation170", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Remove existing certificate and connection using commands Remove-AzureRmAutomationCertificate and Remove-AzureRmAutomationConnection. Create new certificate and connection using commands New-AzureRmAutomationCertificate and New-AzureRmAutomationConnection. Refer: https://docs.microsoft.com/en-us/azure/automation/automation-create-runas-account", "Tags": [ "SDL", "Best Practice", "DP" ], "Enabled": true },
{ "ControlID": "Azure_Automation_DP_Automation_Asset_Protection", "Description": "Automation account having Hybrid Runbook Worker feature configured must have only limited/required assets added, since on-premises machines running the MMA (Microsoft Monitoring Agent) have access to all the Automation account assets", "Id": "Automation180", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Create dedicated Automation account for Hybrid Worker Groups", "Tags": [ "SDL", "TCP", "DP" ], "Enabled": true }, { "ControlID": "Azure_Automation_Auth_Dedicated_SP_For_Runbook", "Description": "Runbook authentication must be done using dedicated service principal instead of AD User account ", "Id": "Automation190", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/automation/automation-create-runas-account", "Tags": [ "SDL", "TCP", "Auth" ], "Enabled": true }, { "ControlID": "Azure_Automation_Audit_Configure_Log_Analytics", "Description": "Configure Log Analytics to get greater operational visibility of your Automation jobs", "Id": "Automation200", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "CheckOMSSetup", "Recommendation": "Run command Set-AzureRmDiagnosticSetting -ResourceId '{AutomationAccountId}' -WorkspaceId '{OMSWorkspaceId}' -Enabled $true. Refer: https://docs.microsoft.com/en-us/azure/automation/automation-manage-send-joblogs-log-analytics", "Tags": [ "SDL", "Best Practice", "Audit" ], "Enabled": true } ] }