Enable Just-In-Time VM Access On Virtual Machines With Workflow Automation In Azure Security Center


Updated: Azure Security Center – Workflow Automation is now GA!

Introduction

The most frequent attack we see today is the brute-force attack on the RDP/SSH management ports. Microsoft gives you a way to avoid keeping these ports open at all, even for legitimate administrative purposes: with Azure Security Center you can make the management ports of your virtual machines available only when they are actually required, and only for as long as they are required.

Azure Security Center (ASC) has two main value propositions:

  1. Cloud Security Posture Management (CSPM) – Help you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).
  2. Cloud Workload Protection Platform (CWPP) – Protect servers against threats whether they are running in Azure, on-premises or in other clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Kubernetes and Key Vaults, as well as SQL databases (PaaS/VM) and storage accounts.

Just-in-Time VM Access is one of the many features included in Azure Security Center that fall under Cloud Security Posture Management (CSPM), and it is something you must consider for any virtual machine with public access. You specify rules for how users can connect to the virtual machines. When needed, access can be requested from Azure Security Center in the Azure Portal or via PowerShell. As long as the request complies with the rules, access is automatically granted for the requested time only.

Workflow automation is a new feature in Azure Security Center, in public preview as of this writing, which can be used to automatically trigger Logic Apps based on security alerts and recommendations. Recommendations in Azure Security Center are actions for you to take in order to secure your resources. In practice, whenever new services or resources are created in Azure, Azure Security Center assigns them a security score and generates recommendations.

Consider the following scenario: a new person creates a virtual machine with a public IP address on Azure but assigns a very permissive set of network security group rules, exposing the VM to security risks. Azure Security Center will flag the VM with a recommendation and reflect it in the security score of your overall security posture. Based on that recommendation, you can leverage workflow automation to automatically trigger a Logic App that enables Just-in-Time VM access, remediating the finding and strengthening your security posture.

In this article, I will show you how to create Workflow automation with Logic App to automatically solve the “Just-In-Time network access control should be applied on virtual machine” recommendation in Azure Security Center.

Prerequisites

To follow this article, you need to have the following:

  1. An Azure Logic App with a system-assigned managed identity enabled.
  2. Assign the needed permissions only on the subscription level as documented here following the least privilege approach. You can find more details on how to create a custom RBAC role for JIT in this document.
    • On the scope of a subscription or resource group that is associated with the VM: Microsoft.Security/locations/jitNetworkAccessPolicies/write
    • On the scope of a subscription or resource group of VM: Microsoft.Compute/virtualMachines/write
  3. Azure Security Center – Standard Tier enabled on the desired subscription.
  4. Workflow automation.
  5. Create a new Azure VM.

Azure Logic App

Logic Apps is a service within Azure that you can use to automate, orchestrate, and integrate disparate components of a distributed application. By using the design-first approach in Logic Apps, you can draw out complex workflows that model complex business processes.

The great thing about using Logic Apps is that you can automatically trigger a workflow based on Azure Security Center recommendations or threat alerts without having to write code or complex rules. If you are new to Azure Logic Apps, I highly recommend checking the quick start guide from Microsoft here.

The good news is, Microsoft has already published on GitHub a Logic App sample playbook that will run once per day and find all Security Score recommendations for JIT VM Access across all your Azure subscriptions and then create an access policy for each VM.

However, in this article, I will show you how to create a Logic App that runs only when Azure Security Center fires a new recommendation for “Just-In-Time network access control should be applied on virtual machine”.

Launch the Azure Portal and create the Logic App as follows:

  1. Click All services found in the upper left-hand corner. In the list of resources, type Logic Apps. As you begin typing, the list filters based on your input. Select Logic Apps.
  2. Click Create logic app. Select the desired Subscription, create or select an existing Resource group, give the Logic App a name, select the desired Azure Location. You can also enable the Log Analytics option to send diagnostics logs which can be useful if you want to get an alert when automation fails within Logic App. In this example, I will leave it Off.
  3. Once the Logic App is created, click Go to resource where we will implement the Trigger portion to get started.
  4. The Logic Apps designer will open with some prebuilt templates to choose from, you need to scroll down just a bit and choose a Blank Logic App.
  5. Once selected, you will see a blank canvas where you can create the desired automation workflow. To get started, you need to define a trigger, since this will be from Azure Security Center Recommendation, we need to start typing Azure Security Center in Search connectors and triggers, then choose “When an Azure Security Center Recommendation is created or triggered” as shown below. Then click the Save button on the left-hand side.

Please note that we are not done yet, we will come back to this Logic App after we create a few more things.

Azure Security Center – Workflow Automation

As mentioned earlier, Workflow automation is a new feature introduced in Azure Security Center that you can leverage to automate responses to recommendations and threat detections. You may be familiar with the previous feature, known as Playbooks, where you could only trigger a Logic App manually when a threat was detected, as shown below. Workflow automation expands on this with added functionality; it is a major undertaking by the Azure Security Center team to automate and remediate security alerts and recommendations.

To create workflow automation in Azure Security Center, you need to take the following steps:

  1. Within Azure Security Center, click on the new blade named Workflow automation as shown below.
  2. In the new blade, click + Add workflow automation.
  3. In the Add workflow automation blade, you need to fill the following details:
    • Name: Give the Workflow automation a distinct name without spaces.
    • Subscription: Choose the desired Subscription in which the Workflow automation will be deployed.
    • Resource group: Choose the resource group in which the Workflow automation will be stored.
    • Select Security Center data types: Choose Security Center recommendations.
    • Recommendation name: Choose Just-In-Time network access control should be applied on virtual machines.
    • Recommendation state: Choose Unhealthy.
    • Logic App name: Choose the Logic App name that we created in the previous section. Note that next to the Logic App name, you can see (Security Center recommendations connector). This is important since we are using the Azure Security Center connector to connect Logic App and Azure Security Center recommendations.
  4. Finally, click the Create button to create the link between Logic App and Azure Security Center.

Create an Azure VM

Next, we need to create an Azure VM so we can test against it, and then extend the Logic App with the remaining steps so it auto-remediates whenever someone creates a new VM with its public management ports wide open.

Creating a VM in the Azure Portal is a straightforward process.

Once the VM is deployed, you will notice that the network rules were deployed without Just-In-Time VM access turned on, and all the management ports (RDP/SSH) are wide open to welcome the attacker :-)

Typically within an hour, Azure Security Center will update the security resource health, recommendations, and secure score. Azure Security Center will find a new recommendation for that VM under the Secure management ports section. In my example, I waited nearly 21 minutes for the recommendation to show up.

Once Azure Security Center adds the recommendation for the new VM, the workflow automation and Logic App will successfully run. You can see this under the Logic App history.

Update the Logic App

As mentioned earlier, we need to update the Logic App with additional details to apply the Just-In-Time VM access policy.

Back in the Logic App designer, we need to add actions after the Azure Security Center recommendations trigger. Take the following steps:

  1. In the overview page, click Edit and then select + New Step.
  2. In the Choose an action window, type HTTP and then select HTTP as an action. In this step, we will query the VM using the REST API to get its location.
  3. In Method, select GET.
  4. In the URI field, type the following (the quotes inside the expressions must be plain single quotes): https://management.azure.com/subscriptions/@{first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'], '/'), 2))}/resourceGroups/@{first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'], '/'), 4))}/providers/Microsoft.Compute/virtualMachines/@{first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'], '/'), 8))}?api-version=2019-07-01
  5. Click Add new parameter and then select Authentication.
  6. In the Authentication type choose Managed Identity.
  7. Under Managed Identity choose System Assigned Managed Identity.
  8. Here is how the first HTTP request looks.
  9. Next, you need to add a new step. In the Choose an action window, type Data Operations and then select Parse JSON as an action. In this step, we will get the body output received from the previous step.
  10. In the Content, click and select Body. In the Schema section, you need to add the schema for the JSON that we received from the previous step, I won’t paste the Schema here since it’s long. You can download the entire template at the end of this article on GitHub.
  11. Here is how the Parse JSON step looks.
  12. Lastly, we need to apply the JIT Network Access Policy. Add a new step, type HTTP, and select HTTP as the action.
  13. In Method, select PUT instead of GET.
  14. In the URI field, type the following (again with plain single quotes inside the expressions): https://management.azure.com/subscriptions/@{first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'], '/'), 2))}/resourceGroups/@{first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'], '/'), 4))}/providers/Microsoft.Security/locations/@{body('Parse_JSON')['location']}/jitNetworkAccessPolicies/@{first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'], '/'), 8))}JITPolicy?api-version=2015-06-01-preview
  15. In the Body section, we need to add the JIT network access policy. In this example, I will enable and create access policy for ports 22 and 3389 for maximum 3 hours. You can modify it as needed. I won’t paste the Body here since it’s long. You can download the entire template at the end of this article on GitHub.
  16. Click Add new parameter and then select Authentication.
  17. In the Authentication type choose Managed Identity.
  18. Under Managed Identity choose System Assigned Managed Identity.
  19. Here is how the final HTTP PUT step looks.
  20. Finally, click the Save button on the left-hand side.

Here is how the final workflow looks in the Logic App designer.
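To check the three steps above without opening the designer, here is an added Python example. It is mine, not the author's template and not a Logic App definition. It reproduces the first(skip(split(...))) expressions used in the two URIs, builds the GET and PUT URIs, and constructs a JIT policy body for ports 22 and 3389 with a 3-hour maximum, following the documented jitNetworkAccessPolicies schema (kind "Basic", ISO 8601 durations such as PT3H). The trigger body, the VM response and all subscription, resource group and VM names are constructed samples. It also adds one guard the article's expressions do not have: it refuses resource ids that do not belong to a virtual machine, so a recommendation on some other resource type cannot produce a PUT against a nonsense policy name.

```python
# Added worked example (not the author's template): mirror the Logic App's
# expressions in Python so each step of the workflow can be checked offline.
# Assumptions: the trigger body below is constructed from the one field the
# article's expressions reference; the policy body follows the documented
# Microsoft.Security jitNetworkAccessPolicies schema; all names are made up.
import json

ARM = "https://management.azure.com"

# Constructed sample of what the "When an Azure Security Center Recommendation
# is created or triggered" trigger hands to the workflow (only the field used).
SAMPLE_TRIGGER_BODY = {
    "properties": {
        "resourceDetails": {
            "id": ("/subscriptions/00000000-0000-0000-0000-000000000000"
                   "/resourceGroups/rg-jit-demo"
                   "/providers/Microsoft.Compute/virtualMachines/vm-demo01")
        }
    }
}

# Constructed sample of the VM GET response; the Parse JSON step only needs "location".
SAMPLE_VM_RESPONSE = {"name": "vm-demo01", "location": "westeurope"}


def first_skip_split(value, n, sep="/"):
    """Python equivalent of the Logic App expression first(skip(split(value, sep), n))."""
    parts = value.split(sep)
    if n >= len(parts):
        raise ValueError(f"resource id has no segment {n}: {value!r}")
    return parts[n]


def parse_vm_resource_id(trigger_body):
    """Return (subscription_id, resource_group, vm_name) from the recommendation's resource id.

    Segments 2, 4 and 8 are exactly the ones the article's URIs pick out. The
    provider check is an extra guard not present in the Logic App expressions.
    """
    rid = trigger_body["properties"]["resourceDetails"]["id"]
    if (first_skip_split(rid, 6).lower() != "microsoft.compute"
            or first_skip_split(rid, 7).lower() != "virtualmachines"):
        raise ValueError(f"not a virtual machine resource id: {rid!r}")
    return (first_skip_split(rid, 2), first_skip_split(rid, 4), first_skip_split(rid, 8))


def vm_get_uri(subscription_id, resource_group, vm_name):
    """URI of the first HTTP step (GET the VM to learn its location)."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Compute/virtualMachines/{vm_name}?api-version=2019-07-01")


def jit_policy_uri(subscription_id, resource_group, location, vm_name):
    """URI of the final HTTP PUT step; the policy is named <vm>JITPolicy as in the article."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Security/locations/{location}"
            f"/jitNetworkAccessPolicies/{vm_name}JITPolicy?api-version=2015-06-01-preview")


def jit_policy_body(vm_resource_id, ports=(22, 3389), max_duration="PT3H", allowed_source="*"):
    """Body of the PUT: SSH and RDP requestable for at most 3 hours, as the article configures."""
    return {
        "kind": "Basic",
        "properties": {
            "virtualMachines": [{
                "id": vm_resource_id,
                "ports": [{
                    "number": port,
                    "protocol": "*",
                    "allowedSourceAddressPrefix": allowed_source,
                    "maxRequestAccessDuration": max_duration,
                } for port in ports],
            }],
        },
    }


def build_workflow_requests(trigger_body, vm_response):
    """Assemble what the steps after the trigger send, without calling Azure."""
    sub, rg, vm = parse_vm_resource_id(trigger_body)
    location = vm_response["location"]  # the Parse JSON step's body('Parse_JSON')['location']
    rid = trigger_body["properties"]["resourceDetails"]["id"]
    return {
        "get": {"method": "GET", "uri": vm_get_uri(sub, rg, vm)},
        "put": {"method": "PUT", "uri": jit_policy_uri(sub, rg, location, vm),
                "body": jit_policy_body(rid)},
    }


if __name__ == "__main__":
    print(json.dumps(build_workflow_requests(SAMPLE_TRIGGER_BODY, SAMPLE_VM_RESPONSE), indent=2))
```

Running the script prints the GET and PUT requests the workflow would issue for the sample VM. One caveat when you map this back to the prerequisites: the first step reads the VM resource, so the Logic App's managed identity also needs Microsoft.Compute/virtualMachines/read (for example via the Reader role) in addition to the two write permissions listed earlier, otherwise the GET fails with 403 before the policy is ever applied.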

Test the Logic App

Now we can go back to the Logic App Runs history and then click the Resubmit button to kick off the test. Also, be sure to refresh the run’s history so you can see the results.

If everything works as expected, you should see a successful run in the Logic App history. You can switch back to the VM's Networking blade and see the SecurityCenter-JITRule with the lowest priority and a Deny action.

You can go back to Azure Security Center and see the VM is listed as configured and protected with Just in time VM access.

Where can I download this template

This template is available on my GitHub repository. You can download it from here. You can import it directly to Azure and it will create the Logic App with all details as described in this article.

I am planning to improve this Logic App in the future. If you have any feedback or changes that everyone should receive, please feel free to update the source code and create a pull request.

Summary

Just-in-time VM access is a great feature in Azure Security Center, since network administrators no longer need to change the Network Security Group (NSG) settings each and every time. When you deploy a new virtual machine with public access and open management ports, the automation workflow kicks in to make sure Just-In-Time network access is applied on the virtual machine, which helps protect your workloads from unauthorized access and improves your security posture. Additionally, if someone removes the JIT network access policy for this VM, Azure Security Center will fire the recommendation again, the workflow automation will kick in, and the VM will be secured once more.

Workflow automation in Azure Security Center creates a lot of potential here, you can’t imagine how much you can automate and build multiple workflows to respond to an incident.

Please note that Just-in-time VM access will incur additional charges to your Azure subscription, as it is part of the Azure Security Center Standard pricing tier. For more information on the Azure Security Center pricing tiers, please check the following document from Microsoft.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
