Ensure App Service Authentication is set up for apps in Azure App Service - FunctionApp

Ensure that the App Service Authentication feature is enabled for Function apps in Microsoft Azure App Service to add an extra layer of security to the authentication process implemented by your Function apps.

Risk Level: High
Cloud Entity: Azure functions
CloudGuard Rule ID: D9.AZU.IAM.14
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

FunctionApp should have isAuthenticateOn=true

REMEDIATION

From Portal

  1. Go to 'Function Apps' from the Azure Management console and choose your Function app.
  2. Under 'Settings', select 'Authentication' on the navigation menu.
  3. If you are using the 'classic Authentication experience':
    3.1 Set 'App Service Authentication' to 'Enabled'.
    3.2 Save.
  4. Else:
    4.1 Press 'Add identity provider'.
  5. Configure new identity provider.

Note: By default, the App Service Authentication feature is disabled when a new Function app is created using the Azure Command Line Interface (CLI) or Azure Management Console.

From TF
Set the 'enabled' argument under 'auth_settings' to 'true':

resource "azurerm_function_app" "example" {
	# ...
	auth_settings {
		# ...
		enabled = true
		# ...
	}
	# ...
}

Note: Additional identity provider configuration is needed when using TF / command line remediation; see the documentation.

From Command Line
Run

az webapp auth update --resource-group RESOURCEGROUPNAME --name FUNCTIONAPPNAME --enabled true

Note: There is no auth command specific to Function apps (this is a known issue); however, the App Service auth command works fine with Function apps.
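
To confirm the setting across a subscription before and after remediation, the script below checks every Function app against the rule. It is an added example, not part of the CloudGuard rule or the Microsoft documentation; the function names are hypothetical, and it assumes a logged-in Azure CLI and that 'az webapp auth show' reports the classic 'enabled' field.

```shell
#!/bin/sh
# Added example: audit Function Apps against
# "FunctionApp should have isAuthenticateOn=true".
# Assumes an authenticated Azure CLI session; function names are hypothetical.

# Prints "PASS|FAIL|ERROR <resource-group>/<app>" for one Function App.
# Returns 0 when authentication is enabled, 1 when it is not, 2 on CLI error.
check_function_app_auth() {
  rg="$1"; app="$2"
  if ! enabled="$(az webapp auth show --resource-group "$rg" --name "$app" \
        --query enabled --output tsv 2>/dev/null)"; then
    echo "ERROR $rg/$app"
    return 2
  fi
  case "$enabled" in
    true|True) echo "PASS $rg/$app"; return 0 ;;
    *)         echo "FAIL $rg/$app"; return 1 ;;   # false, empty or null
  esac
}

# Checks every Function App in the current subscription.
# Returns 0 only if all apps pass, so it can gate a CI job.
audit_function_apps() {
  failures=0
  tab="$(printf '\t')"
  apps="$(az functionapp list --query '[].[resourceGroup, name]' --output tsv)" || return 2
  while IFS="$tab" read -r rg_name app_name; do
    [ -n "$app_name" ] || continue
    check_function_app_auth "$rg_name" "$app_name" || failures=$((failures + 1))
  done <<EOF
$apps
EOF
  [ "$failures" -eq 0 ]
}

# Run the audit only when invoked as: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then
  audit_function_apps
fi
```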

References

  1. https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
  2. https://docs.microsoft.com/en-us/cli/azure/webapp/auth?view=azure-cli-latest#az_webapp_auth_update
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#auth_settings

Azure functions

Azure Functions is a serverless solution that allows you to write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • Azure Security Risk Management
  • CloudGuard Azure All Rules Ruleset