Managed identity should be used in your Function App

Use a managed identity for enhanced authentication security

Risk Level: Low
Cloud Entity: Azure functions
CloudGuard Rule ID: D9.AZU.IAM.10
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

FunctionApp should have inner.identityStatus=true

REMEDIATION

From Portal

  1. Sign in to the Azure portal at https://portal.azure.com/.
  2. Go to 'Function App' and choose your Function App.
  3. Under 'Settings', select 'Identity' on the navigation menu.
  4. On the 'Identity' panel, select 'On' for the status configuration settings.
  5. Click Save.

From TF
Set the 'type' argument under 'identity' to 'SystemAssigned':

resource "azurerm_function_app" "example" {
	# ...
	identity {
		# ...
		type = "SystemAssigned"
		# ...
	}
	# ...
}

From Command Line
Run

az functionapp identity assign --resource-group RESOURCEGROUP --name FUNCTIONAPP
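To find which Function Apps still need the command above, the following added example (not CloudGuard's or Microsoft's code) classifies each app by its identity setting and prints the fix for apps that have none. It assumes JSON in the shape returned by `az functionapp list -o json` with `name`, `resourceGroup` and `identity` fields; the sample data is constructed, and reporting user-assigned-only apps separately is a choice made here because the remediation on this page enables a system-assigned identity.

```python
import json
import shlex

# Constructed sample in the assumed shape of `az functionapp list -o json`.
# Names, resource groups and IDs are placeholders, not real resources.
SAMPLE = """[
  {"name": "orders-fn", "resourceGroup": "rg-prod",
   "identity": {"type": "SystemAssigned", "principalId": "00000000-0000-0000-0000-000000000001"}},
  {"name": "billing-fn", "resourceGroup": "rg-prod", "identity": null},
  {"name": "report-fn", "resourceGroup": "rg-dev",
   "identity": {"type": "UserAssigned", "principalId": null}},
  {"name": "mail-fn", "resourceGroup": "rg-dev",
   "identity": {"type": "SystemAssigned, UserAssigned", "principalId": "00000000-0000-0000-0000-000000000002"}},
  {"name": "legacy-fn", "resourceGroup": "rg-dev(old)", "identity": {"type": "None"}}
]"""


def identity_state(app):
    """Return 'system', 'user-only' or 'none' for one app record."""
    identity = app.get("identity") or {}  # a missing or null identity means none
    kinds = {k.strip().lower() for k in (identity.get("type") or "").split(",")}
    if "systemassigned" in kinds:
        return "system"
    if "userassigned" in kinds:
        return "user-only"
    return "none"


def audit(apps):
    """Group app names by state and build the page's CLI fix for apps with no identity."""
    report = {"system": [], "user-only": [], "none": []}
    fixes = []
    for app in apps:
        state = identity_state(app)
        report[state].append(app["name"])
        if state == "none":
            # Quote values so names with shell metacharacters stay one argument.
            fixes.append(
                "az functionapp identity assign --resource-group %s --name %s"
                % (shlex.quote(app["resourceGroup"]), shlex.quote(app["name"]))
            )
    return report, fixes


if __name__ == "__main__":
    report, fixes = audit(json.loads(SAMPLE))
    print(json.dumps(report, indent=2))
    print("\n".join(fixes))
```
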

References

  1. https://learn.microsoft.com/en-us/cli/azure/functionapp/identity?view=azure-cli-latest#az-functionapp-identity-assign
  2. https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#identity

Azure functions

Azure Functions is a serverless solution that allows you to write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running.

Compliance Frameworks

  • Azure CloudGuard Best Practices
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset
  • Microsoft Cloud Security Benchmark