
Azure Cybersecurity Labs - Final

  • Jul 19, 2024

A circle with gears in the middle, with a shield over it, with a circle with a gear in it, with the title "Azure Cybersecurity Labs"




Are you ready to wrap this up? In Azure Cybersecurity Labs - Final, we will assemble everything and generate a report that can be presented to small to medium-sized businesses on their cloud security posture. First, we are going to analyze the Terraform code with Checkov. So let's do that.


Make a Terraform Directory and Move There


mkdir ~/wrappingup
cd ~/wrappingup

Create main.tf file with VS Code


code main.tf

Paste Code into File, and Save


terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "3.90.0"
    }
  }
}

provider "azurerm" {
  # Configuration options
  features {
    
  }
}

variable "prefix" {
  default = "tpot"
}

resource "azurerm_resource_group" "tpot-rg" {
  name     = "${var.prefix}-resources"
  location = "East US"
}

resource "azurerm_virtual_network" "main" {
  name                = "${var.prefix}-network"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.tpot-rg.location
  resource_group_name = azurerm_resource_group.tpot-rg.name
}

resource "azurerm_subnet" "internal" {
  name                 = "internal"
  resource_group_name  = azurerm_resource_group.tpot-rg.name
  virtual_network_name = azurerm_virtual_network.main.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_virtual_machine" "main" {
  depends_on = [ azurerm_resource_group.tpot-rg ]
  name                  = "${var.prefix}-vm"
  location              = azurerm_resource_group.tpot-rg.location
  resource_group_name   = azurerm_resource_group.tpot-rg.name
  network_interface_ids = [azurerm_network_interface.tpot-vm-nic.id]
  vm_size               = "Standard_A2m_v2"

  # Delete the OS disk automatically when deleting the VM
  delete_os_disk_on_termination = true

  # Delete the data disks automatically when deleting the VM
  delete_data_disks_on_termination = true

  storage_image_reference {
    publisher = "canonical"
    offer     = "ubuntu-24_04-lts"
    sku       = "minimal-gen1"
    version   = "latest"
  }
  storage_os_disk {
    name              = "tpot-disk"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }
  os_profile {
    computer_name  = "hostname"
    admin_username = "azureuser"
    admin_password = "CyberNOW!"
  }
  os_profile_linux_config {
    disable_password_authentication = false
  }
}
# Create Security Group to access linux
resource "azurerm_network_security_group" "tpot-nsg" {
  depends_on=[azurerm_resource_group.tpot-rg]
  name                = "linux-vm-nsg"
  location            = azurerm_resource_group.tpot-rg.location
  resource_group_name = azurerm_resource_group.tpot-rg.name
  security_rule {
    name                       = "AllowALL"
    description                = "AllowALL"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }
  security_rule {
    name                       = "AllowSSH"
    description                = "Allow SSH"
    priority                   = 150
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }
}
# Associate the linux NSG with the subnet
resource "azurerm_subnet_network_security_group_association" "tpot-vm-nsg-association" {
  depends_on=[azurerm_resource_group.tpot-rg]
  subnet_id                 = azurerm_subnet.internal.id
  network_security_group_id = azurerm_network_security_group.tpot-nsg.id
}
# Get a Static Public IP
resource "azurerm_public_ip" "tpot-vm-ip" {
  depends_on=[azurerm_resource_group.tpot-rg]
  name                = "tpot-vm-ip"
  location            = azurerm_resource_group.tpot-rg.location
  resource_group_name = azurerm_resource_group.tpot-rg.name
  allocation_method   = "Static"
}
# Create Network Card for linux VM
resource "azurerm_network_interface" "tpot-vm-nic" {
  depends_on=[azurerm_resource_group.tpot-rg]
  name                = "tpot-vm-nic"
  location            = azurerm_resource_group.tpot-rg.location
  resource_group_name = azurerm_resource_group.tpot-rg.name
  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.internal.id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.tpot-vm-ip.id
  }
}
output "public_ip" {
  value = azurerm_public_ip.tpot-vm-ip.ip_address
}

Format the file


terraform fmt

Execute Checkov


Make sure you're in the directory that your Terraform is in.


checkov -f main.tf

Results

checkov output
Output from Checkov showing eight passed checks, seven failed checks, and zero skipped checks.

We have seven failed checks. Looking through the list, the warnings are about settings that we configured explicitly, like ports exposed to the public internet. Since this is the honeypot that we just configured in Azure Cybersecurity Labs - Part Four, we know that it works, and we know that this is how it needs to be configured to work correctly.
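One way to record that decision so it can be checked on every later scan, as an added example that is not part of the original article or of Checkov itself: it reads Checkov's JSON report (`checkov -f main.tf -o json`) and separates failures that were accepted for the honeypot from failures nobody has reviewed. The sample report is constructed, the `mgmt-nsg` and `old-nsg` resources are hypothetical, and the two check IDs used (CKV_AZURE_10 for SSH open to the internet, CKV_AZURE_1 for password authentication) are an illustrative pick, not the seven failures from the screenshot.

```python
import json

# Constructed sample shaped like `checkov -f main.tf -o json`, trimmed to the
# fields used below. It is not the scan output shown in the article.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {"failed_checks": [
        {"check_id": "CKV_AZURE_10", "file_line_range": [76, 105],
         "resource": "azurerm_network_security_group.tpot-nsg"},
        {"check_id": "CKV_AZURE_1", "file_line_range": [40, 74],
         "resource": "azurerm_virtual_machine.main"},
        # Hypothetical second NSG: same check, but nobody signed off on it.
        {"check_id": "CKV_AZURE_10", "file_line_range": [140, 160],
         "resource": "azurerm_network_security_group.mgmt-nsg"},
    ]},
})

# Accepted risks are keyed by (check, resource), never by check alone, so the
# honeypot's exception cannot hide the same exposure on another resource.
ACCEPTED = {
    ("CKV_AZURE_10", "azurerm_network_security_group.tpot-nsg"):
        "Honeypot: SSH must be reachable from the internet",
    ("CKV_AZURE_1", "azurerm_virtual_machine.main"):
        "Honeypot: password login is intentional",
    # Hypothetical resource that has since been removed from main.tf.
    ("CKV_AZURE_10", "azurerm_network_security_group.old-nsg"):
        "Temporary lab exception",
}

def triage(report_json, accepted):
    """Return (known, unexpected, stale) for a Checkov JSON report."""
    data = json.loads(report_json)
    # Checkov emits a list of reports when more than one framework is scanned.
    reports = data if isinstance(data, list) else [data]
    failed = [f for r in reports
              for f in r.get("results", {}).get("failed_checks", [])]
    seen = {(f["check_id"], f["resource"]) for f in failed}
    known = sorted(k for k in seen if k in accepted)
    unexpected = [f for f in failed
                  if (f["check_id"], f["resource"]) not in accepted]
    stale = sorted(k for k in accepted if k not in seen)
    return known, unexpected, stale

if __name__ == "__main__":
    known, unexpected, stale = triage(SAMPLE_REPORT, ACCEPTED)
    for f in unexpected:
        print("REVIEW", f["check_id"], f["resource"], f["file_line_range"])
    for key in stale:
        print("STALE EXCEPTION", *key)
```

Stale entries matter as much as unexpected ones: an exception that no longer matches a failure should be deleted so it cannot silently cover a future regression.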

So let's go ahead and deploy this to Azure.


Type az login in the terminal to establish your credentials if they aren't cached already.


az login

Initialize the directory


terraform init

Now terraform plan


terraform plan

Note: Take a look at the plan output and see the 8 resources that we are creating. While not mandatory, it's good practice to run terraform plan and review your changes BEFORE deploying.

Now terraform apply


terraform apply

Make sure you have previously deleted this project from Azure so that you can deploy it again.


Prowler

Now we're getting into new stuff. Prowler is an open-source security tool for AWS, Azure, Google Cloud, and Kubernetes that performs security best-practice assessments, audits, incident response, continuous monitoring, hardening, forensics readiness, and remediation. The command-line version, Prowler CLI (Command Line Interface), is what the project calls Prowler Open Source.


You can install Prowler using pip3 like we did with Checkov in Azure Cybersecurity Labs - Part Five. So let's do that.


pip3 install prowler

And then we run Prowler


prowler azure --az-cli-auth

The results are displayed on your screen and also exported to your 'output directory'.



prowler's report output
The tool prowler's output shows the failed checks.

I like to view HTML files and use HTML to JPG or HTML to PDF converters online. Our environment is new, so it doesn't have much on here other than turning Microsoft Defender on for our resources, which we do not currently have deployed. Using Prowler is very simple, and the value you add as a freelancer is discerning the results and narrowing them down for the business to what is useful and actionable to them.


Do not just give them this report and be done with it. They will be unhappy. Instead, write specific recommendations in your report with your template, with step-by-step instructions on how to fix each issue that is important to them.
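One way to do that narrowing before writing the recommendations, as an added example that is not part of the original article or of Prowler: it reduces a Prowler CSV export to one entry per failed check, ranked by severity and by how many resources are affected. The `;` delimiter and the column names are assumptions about Prowler's CSV export, so compare them with the header row of your own file; the rows, check IDs and resource names are constructed placeholders.

```python
import csv
import io

RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}

# Constructed rows. The ';' delimiter and column names are assumed to match
# Prowler's CSV export; the check IDs and resource names are placeholders.
SAMPLE_CSV = """\
CHECK_ID;CHECK_TITLE;STATUS;MUTED;SEVERITY;RESOURCE_NAME;REMEDIATION_RECOMMENDATION_TEXT
example_defender_servers;Defender is on for servers;FAIL;False;high;subscription-1;Enable the Defender plan for servers.
example_nsg_flow_logs;NSG flow logs are enabled;FAIL;False;medium;linux-vm-nsg;Enable flow logs on the NSG.
example_nsg_flow_logs;NSG flow logs are enabled;FAIL;False;medium;other-nsg;Enable flow logs on the NSG.
example_nsg_ssh_open;SSH is closed to the internet;FAIL;True;high;linux-vm-nsg;Restrict the source address.
example_vm_backup;VM backup is enabled;FAIL;False;low;tpot-vm;Enable backup for the VM.
example_disk_managed;VM uses managed disks;PASS;False;medium;tpot-vm;
"""

def actionable_findings(csv_text, min_severity="medium"):
    """Group unmuted FAIL rows at or above min_severity by check, worst first."""
    floor = RANK[min_severity]
    grouped = {}
    for row in csv.DictReader(io.StringIO(csv_text), delimiter=";"):
        severity = row["SEVERITY"].strip().lower()
        muted = (row.get("MUTED") or "").strip().lower() == "true"
        if row["STATUS"].strip() != "FAIL" or muted:
            continue  # passed, manual, or an exception already agreed on
        if RANK.get(severity, 0) < floor:
            continue  # below the cut line for this client's report
        item = grouped.setdefault(row["CHECK_ID"], {
            "check_id": row["CHECK_ID"], "title": row["CHECK_TITLE"],
            "severity": severity, "resources": [],
            "fix": row["REMEDIATION_RECOMMENDATION_TEXT"]})
        item["resources"].append(row["RESOURCE_NAME"])
    # One report entry per check: highest severity first, then widest impact.
    return sorted(grouped.values(), key=lambda i: (
        -RANK.get(i["severity"], 0), -len(i["resources"]), i["check_id"]))

if __name__ == "__main__":
    for n, item in enumerate(actionable_findings(SAMPLE_CSV), start=1):
        print(f"{n}. [{item['severity'].upper()}] {item['title']}")
        print(f"   Affected: {', '.join(item['resources'])}")
        print(f"   Fix: {item['fix']}")
```

The remediation text from the tool is only a starting point for each entry; the step-by-step instructions for the client's environment still have to be written by hand.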


That wraps up the Azure Cybersecurity Labs series, but stick around for one BONUS as we discuss serverless computing.







Tyler Wall Founder Cyber NOW Education

