Azure ISO 27001-2013 Non-Compliant Resources Report

Exported on 01-Nov-2021 17:16:02

Using Attune to get ISO 27001:2013 Non-Compliance Report for Azure Resources

This Blueprint is used to get Azure Resources that are not compliant with ISO 27001:2013.

ISO 27001 is an international standard on how to manage information security.

The standard was published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

It details the requirements for implementing, maintaining and continually improving an information security management system (ISMS).

Pre-Blueprint Attune setup
  1. On the Inputs tab, create a Windows Node for the host on which you wish to run this Blueprint.
  2. On the Inputs tab, create Windows Credentials to connect to the host on which you wish to run this Blueprint.
  3. On the Inputs tab, create a Text value for each of the values below:
    • AzureUserName: This is the Username of the Azure Administrator (DataType: String).
    • AzurePassword: This is the Password of the Azure Administrator (DataType: String).
    • SubscriptionName: This holds an array of Azure Subscriptions (DataType: Array).
    • ResourceIDLocation: This holds the location of the policy assignment's resource identity (DataType: String).

SubscriptionName Syntax:

@('Visual Studio Enterprise Subscription','Pay As You Go')

Blueprint Steps
  1. Check and Install the Azure AzPowerShell Module
  2. Register Microsoft Policy Insights as a Resource Provider
  3. Create ISO 27001:2013 Policy Assignments on Azure
  4. Start Policy Compliance scan on Azure
  5. Get and create Azure ISO 27001:2013 Non-Compliant Resources Report

Parameters

Name                   | Type                  | Script Reference     | Default Value                                              | Comment
Attune Node            | Windows Server        | attuneNode           |                                                            | This is an Attune Node
Attune Node Credential | Windows OS Credential | attuneNodeCredential |                                                            | This is an Attune Node Credential
AzurePassword          | Text                  | azurepassword        | P@ssW0rd@101                                               | This is the Azure Administrator's Password
AzureSubscription      | Text                  | azuresubscription    | @('Visual Studio Enterprise Subscription','Pay As You Go') | This is an array that holds the list of Azure Subscriptions
AzureUserName          | Text                  | azureusername        | admin@contoso.com                                          | This is the Azure Administrator's Username
ResourceIDLocation     | Text                  | resourceidlocation   | eastus                                                     | This is the policy assignment's resource identity location

1 - Install Azure Az PowerShell Module

This step installs the Azure Az PowerShell Module.

The Blueprint first gets the Execution Policy of the current PowerShell session.

Then it checks whether the Execution Policy is set to Unrestricted.

If it is not, it sets the Execution Policy to Unrestricted for the current session.

Next, it checks whether the Az PowerShell module is installed.

If it is not installed, it installs the module.

The connection details have changed from the last step.

Login as user on node

  1. Connect via RDP
    mstsc /admin /v:Attune Node
  2. Login as user {Attune Node Credential}
  3. Then open a command prompt
This is a PowerShell script; make sure you run it with powershell.exe. Click the Start menu, enter "powershell" in the search bar, then select the PowerShell program.
#Region for ExecutionPolicy
# Get Execution Policy of the current process
$Script:ProcessEP = Get-ExecutionPolicy -Scope Process

#Get the value of the Execution Policy and save it in the Variable
$Script:ValueProcessEP = ($Script:ProcessEP).value__

# Check if the Execution Policy of the process is set to Unrestricted
if ($Script:ValueProcessEP -eq 0) {

    # Write the message
    Write-Output "Execution Policy is already set to Unrestricted for the Process"
# Check if the Execution Policy of the process is already set
}else{

    # Set the ExecutionPolicy of the Process to Unrestricted
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force -Confirm:$false

    # Checks if the Execution Policy has been set
    if ((Get-ExecutionPolicy -Scope Process).value__ -eq 0) {

        # Write the message
        Write-Output "Execution Policy is now set to Unrestricted for the Process"
    }
}
#EndRegion for ExecutionPolicy 


#Region Check if Az Module is installed
#Region if the module is installed, update it when the installed version is not "6.3.0"
if($null -ne (Get-InstalledModule -Name Az -ErrorVariable +ErrorAzV -ErrorAction SilentlyContinue)) {

    # Get the  Az module installed and save it in a variable
    $Script:GetAzModule = Get-InstalledModule -Name Az -ErrorVariable +ErrorAzV -ErrorAction SilentlyContinue

    # Writes a message to the screen
    Write-Output "Az PowerShell Module exists ... checking ..."

    # Gets the build number for the  Az Module 
    $Script:AzModuleBuild = ($Script:GetAzModule).Version

    # Checks the build number to meet requirements 
    if($Script:AzModuleBuild -like "*6.3.0*") {

        # Saves and converts Module version name to a variable
        $Script:OutVersion = ((($Script:GetAzModule).Version)).tostring()

        # Writes a message to the screen
        Write-Output "Az Module Version $Script:OutVersion meets the minimum requirement."

    # Otherwise the installed version is not 6.3.0, so update the module
    }else{

        # Writes a message to the screen
        Write-Output "Updating the Az PowerShell Module..."

        # Updates the Az PowerShell Module to the latest version
        Update-Module -Name Az -Confirm:$false -Force

        # Writes a message to the screen
        Write-Output "Az PowerShell Module is updated :)"
    }
#EndRegion if the module is installed, update it when the installed version is not "6.3.0"
#Region If the module is not installed, install it 
}else{

    # Writes a message to the screen
    Write-Output "Az PowerShell Module is not installed"
    
    # Writes a message to the screen
    Write-Output "Az PowerShell Module is installing..."

    # Install Az Powershell Module 
    Install-Module -Name Az -MaximumVersion "6.3.0" -Scope "CurrentUser" -AllowClobber:$true -Confirm:$false -Force

    # Writes a message to the screen
    Write-Output "Az PowerShell Module is installed :)"
}
#EndRegion If the module is not installed, install it
#EndRegion Check if Az Module is installed
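
The step above decides whether to install or update by wildcard-matching the version string, which also matches versions such as 16.3.0 and lets Update-Module move past the 6.3.0 that Install-Module pins. The following is an added example, not part of the Attune Blueprint, that compares [version] objects instead and pins both paths to the same version. The required version 6.3.0 is taken from the Blueprint's Install-Module call; the function name Test-AzModuleVersion is an assumption of this example.

```powershell
# Added example (not from the Blueprint): version-aware Az module check.
# Assumes the required version 6.3.0 from the Blueprint; Test-AzModuleVersion is our own name.

function Test-AzModuleVersion {
    param(
        [Parameter(Mandatory)][version]$Required,
        # Installed version, or $null when the module is absent. Passing it in keeps the
        # decision logic separate from the module lookup so it can be checked offline.
        [AllowNull()][version]$Installed
    )
    if ($null -eq $Installed)      { return 'Install' }
    if ($Installed -lt $Required)  { return 'Update' }
    return 'Ok'
}

$required  = [version]'6.3.0'
$module    = Get-InstalledModule -Name Az -ErrorAction SilentlyContinue
$installed = if ($module) { [version]$module.Version } else { $null }

switch (Test-AzModuleVersion -Required $required -Installed $installed) {
    'Install' {
        Write-Output "Az module not found; installing $required for the current user"
        Install-Module -Name Az -RequiredVersion $required -Scope CurrentUser -AllowClobber -Force
    }
    'Update' {
        Write-Output "Az module $installed is older than $required; updating"
        Update-Module -Name Az -RequiredVersion $required -Force
    }
    'Ok' {
        Write-Output "Az module $installed meets the requirement ($required)"
    }
}
```

Because -RequiredVersion is used on both cmdlets, every Attune Node that runs the Blueprint ends up on the same Az release, which keeps the parameter names used in later steps (for example -AssignIdentity on New-AzPolicyAssignment) consistent across nodes.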

2 - Register Azure Resource Provider

This step registers the Azure Resource Provider.

Before using a resource provider, an Azure subscription must be registered for the resource provider.

Registration configures the subscription to work with the resource provider.

The Blueprint first gets the Execution Policy of the current PowerShell session.

Then it checks whether the Execution Policy is set to Unrestricted.

If it's not, it then sets the Execution Policy to Unrestricted for the current session.

Next, the AzPowerShell module is imported to the current session.

Then the values below are set:

  1. UserName: This is the Username of the Azure Administrator corresponding to the AzureUserName set in the Inputs Tab.
  2. PasswordString: This is the Password of the Azure Administrator corresponding to the AzurePassword set in the Inputs Tab.

Next, a connection to Azure is made.

Then it registers the Microsoft.PolicyInsights resource provider.

Finally, the Azure PowerShell session is disconnected.

This step has the following parameters

Name          | Script Reference      | Default Value
AzureUserName | {azureusername.value} | admin@contoso.com
AzurePassword | {azurepassword.value} | P@ssW0rd@101

Login as user on node

  1. Connect via RDP
    mstsc /admin /v:Attune Node
  2. Login as user {Attune Node Credential}
  3. Then open a command prompt
This is a PowerShell script; make sure you run it with powershell.exe. Click the Start menu, enter "powershell" in the search bar, then select the PowerShell program.
#Region for ExecutionPolicy
# Get Execution Policy of the current process
$Script:ProcessEP = Get-ExecutionPolicy -Scope Process

#Get the value of the Execution Policy and save it in the Variable
$Script:ValueProcessEP = ($Script:ProcessEP).value__

# Check if the Execution Policy of the process is set to Unrestricted
if ($Script:ValueProcessEP -eq 0) {

    # Write the message
    Write-Output "Execution Policy is already set to Unrestricted for the Process"
# Check if the Execution Policy of the process is already set
}else{

    # Set the ExecutionPolicy of the Process to Unrestricted
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force -Confirm:$false

    # Checks if the Execution Policy has been set
    if ((Get-ExecutionPolicy -Scope Process).value__ -eq 0) {

        # Write the message
        Write-Output "Execution Policy is now set to Unrestricted for the Process"
    }
}
#EndRegion for ExecutionPolicy 


# Import the Az PowerShell module into this session
Import-Module -Name Az


#Region assign variables
# Save the Azure Administrator's username to this variable
$Script:UserName = "{azureusername.value}"

# Save the Azure Administrator's password to this variable
$Script:PasswordString = "{azurepassword.value}"
#EndRegion assign variables


#Region for Connection to Azure 
# Set the password and convert it to secure string to the variable
$Script:Password = ConvertTo-SecureString $Script:PasswordString -AsPlainText -Force

# set the credentials to the variable
$Script:UserCredential = New-Object System.Management.Automation.PSCredential ($Script:UserName,$Script:Password)

# Connect using set credentials to Azure
Connect-AzAccount -Credential $Script:UserCredential
#EndRegion for Connection to Azure

# Set the Resource Provider's Name
$ResourceProviderName = "Microsoft.PolicyInsights"

# Register the resource provider
Register-AzResourceProvider -ProviderNamespace $ResourceProviderName

#Region Disconnect the Azure session
Disconnect-AzAccount
#EndRegion Disconnect the Azure session
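
Register-AzResourceProvider returns as soon as the request is accepted, while the provider's RegistrationState is still "Registering"; the compliance scan in step 4 needs Microsoft.PolicyInsights to be fully registered. The following is an added example, not part of the Attune Blueprint, that polls Get-AzResourceProvider until the state is "Registered" or a timeout elapses. The function name Wait-AzResourceProviderRegistered and the timeout values are assumptions of this example; the provider namespace is the one the step registers.

```powershell
# Added example (not from the Blueprint): wait until a resource provider is registered.
# Wait-AzResourceProviderRegistered and the timeouts are our own; the namespace is the Blueprint's.

function Wait-AzResourceProviderRegistered {
    param(
        [Parameter(Mandatory)][string]$ProviderNamespace,
        [int]$TimeoutSeconds = 300,
        [int]$PollSeconds = 10
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # Get-AzResourceProvider returns one entry per resource type of the namespace;
        # they share the namespace-level RegistrationState, so the first one is enough.
        $state = (Get-AzResourceProvider -ProviderNamespace $ProviderNamespace).RegistrationState |
            Select-Object -First 1
        if ($state -eq 'Registered') { return $true }
        Write-Output "$ProviderNamespace is '$state'; checking again in $PollSeconds s"
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

$ResourceProviderName = "Microsoft.PolicyInsights"
Register-AzResourceProvider -ProviderNamespace $ResourceProviderName | Out-Null

if (-not (Wait-AzResourceProviderRegistered -ProviderNamespace $ResourceProviderName)) {
    throw "$ResourceProviderName did not reach 'Registered' within the timeout"
}
Write-Output "$ResourceProviderName is registered"
```

Throwing on timeout makes the Attune step fail visibly instead of letting step 4 run against a provider that is not ready yet.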

3 - Create Azure ISO 27001-2013 Policy Assignment

This step creates Policy Assignments for ISO 27001:2013 Regulatory Compliance.

The Blueprint first gets the Execution Policy of the current PowerShell session.

Then it checks if the Execution Policy is set to Unrestricted.

If it's not, it then sets the Execution Policy to Unrestricted for the current session.

Next, the AzPowerShell module is imported to the current session.

Then the values below are set:

  1. UserName: This is the Username of the Azure Administrator corresponding to the AzureUserName set in the Inputs Tab.
  2. PasswordString: This is the Password of the Azure Administrator corresponding to the AzurePassword set in the Inputs Tab.
  3. SubscriptionName: This holds an array of Azure Subscriptions corresponding to the AzureSubscription set in the Inputs Tab.
  4. ResourceIDLocation: This holds the location of the policy assignment's resource identity corresponding to the ResourceIDLocation set in the Inputs Tab.

Next, a connection to Azure is made.

Then it loops through the listed subscriptions and checks that each one exists.

All Azure Policy Definitions are retrieved for each subscription in Azure.

Then the Policy Definitions are filtered specifically for ISO 27001:2013.

New Azure Policy Assignments are created using the filtered Policy Definitions.

Finally, the Azure PowerShell session is disconnected.

This step has the following parameters

Name               | Script Reference           | Default Value
AzureSubscription  | {azuresubscription.value}  | @('Visual Studio Enterprise Subscription','Pay As You Go')
AzureUserName      | {azureusername.value}      | admin@contoso.com
AzurePassword      | {azurepassword.value}      | P@ssW0rd@101
ResourceIDLocation | {resourceidlocation.value} | eastus

Login as user on node

  1. Connect via RDP
    mstsc /admin /v:Attune Node
  2. Login as user {Attune Node Credential}
  3. Then open a command prompt
This is a PowerShell script; make sure you run it with powershell.exe. Click the Start menu, enter "powershell" in the search bar, then select the PowerShell program.
#Region for ExecutionPolicy
# Get Execution Policy of the current process
$Script:ProcessEP = Get-ExecutionPolicy -Scope Process

#Get the value of the Execution Policy and save it in the Variable
$Script:ValueProcessEP = ($Script:ProcessEP).value__

# Check if the Execution Policy of the process is set to Unrestricted
if ($Script:ValueProcessEP -eq 0) {

    # Write the message
    Write-Output "Execution Policy is already set to Unrestricted for the Process"
# Check if the Execution Policy of the process is already set
}else{

    # Set the ExecutionPolicy of the Process to Unrestricted
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force -Confirm:$false

    # Checks if the Execution Policy has been set
    if ((Get-ExecutionPolicy -Scope Process).value__ -eq 0) {

        # Write the message
        Write-Output "Execution Policy is now set to Unrestricted for the Process"
    }
}
#EndRegion for ExecutionPolicy 


# Import the Az PowerShell module into this session
Import-Module -Name Az


#Region assign variables
# Save the Azure Administrator's username to this variable
$Script:UserName = "{azureusername.value}"

# Save the Azure Administrator's password to this variable
$Script:PasswordString = "{azurepassword.value}"

# Save the array of Azure Subscription names
$Script:SubscriptionName = {azuresubscription.value}

# Save the policy assignment's resource identity location
$Script:ResourceIDLocation = "{resourceidlocation.value}"
#EndRegion assign variables


#Region for Connection to Azure 
# Set the password and convert it to secure string to the variable
$Script:Password = ConvertTo-SecureString $Script:PasswordString -AsPlainText -Force

# set the credentials to the variable
$Script:UserCredential = New-Object System.Management.Automation.PSCredential ($Script:UserName,$Script:Password)

# Connect using set credentials to Azure
Connect-AzAccount -Credential $Script:UserCredential
#EndRegion for Connection to Azure 

foreach ($item in $Script:SubscriptionName) {

    # Look up the Azure Subscription where the Policy Assignment is going to take place.
    # -ErrorVariable takes a variable name, not a variable reference.
    $Script:Subscription = Get-AzSubscription -SubscriptionName $item -ErrorVariable ErrorT -ErrorAction "SilentlyContinue"

    if (!($Script:Subscription)) {
        Write-Output "Subscription $item does not exist"
    }else {

        # Switch the session context to this subscription so that the Get-AzResource
        # call further down reads the same subscription the policies are assigned to
        Set-AzContext -Subscription $Script:Subscription.Id | Out-Null

        # Gets Azure Policy Definitions
        $Script:AllAZPolicies = Get-AzPolicyDefinition -SubscriptionId $Script:Subscription.Id

        #Region Loop through all Azure Policy Definitions
        foreach ($Script:Policy in $Script:AllAZPolicies) {

            # Set the Policy Name
            $Script:PolicyDisplayName = (($Script:Policy).Properties).DisplayName
            if (
                #Region ISO 27001:2013 policy names from - https://docs.microsoft.com/en-us/azure/governance/policy/samples/iso-27001
                $Script:PolicyDisplayName -match 'A maximum of 3 owners should be designated for your subscription'`
                    -or $Script:PolicyDisplayName -match 'There should be more than one owner assigned to your subscription'`
                    -or $Script:PolicyDisplayName -match 'Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity'`
                    -or $Script:PolicyDisplayName -match 'Auditing on SQL server should be enabled'`
                    -or $Script:PolicyDisplayName -match 'Audit Linux machines that allow remote connections from accounts without passwords'`
                    -or $Script:PolicyDisplayName -match 'Audit Linux machines that have accounts without passwords'`
                    -or $Script:PolicyDisplayName -match 'Audit VMs that do not use managed disks'`
                    -or $Script:PolicyDisplayName -match 'Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs'`
                    -or $Script:PolicyDisplayName -match 'Storage accounts should be migrated to new Azure Resource Manager resources'`
                    -or $Script:PolicyDisplayName -match 'Virtual machines should be migrated to new Azure Resource Manager resources'`
                    -or $Script:PolicyDisplayName -match 'An Azure Active Directory administrator should be provisioned for SQL servers'`
                    -or $Script:PolicyDisplayName -match 'Audit usage of custom RBAC rules'`
                    -or $Script:PolicyDisplayName -match 'External accounts with owner permissions should be removed from your subscription'`
                    -or $Script:PolicyDisplayName -match 'External accounts with write permissions should be removed from your subscription'`
                    -or $Script:PolicyDisplayName -match 'MFA should be enabled accounts with write permissions on your subscription'`
                    -or $Script:PolicyDisplayName -match 'MFA should be enabled on accounts with owner permissions on your subscription'`
                    -or $Script:PolicyDisplayName -match 'Service Fabric clusters should only use Azure Active Directory for client authentication'`
                    -or $Script:PolicyDisplayName -match 'API App should only be accessible over HTTPS'`
                    -or $Script:PolicyDisplayName -match 'Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities'`
                    -or $Script:PolicyDisplayName -match 'Audit Linux machines that do not have the passwd file permissions set to 0644'`
                    -or $Script:PolicyDisplayName -match 'Function App should only be accessible over HTTPS'`
                    -or $Script:PolicyDisplayName -match 'MFA should be enabled on accounts with read permissions on your subscription'`
                    -or $Script:PolicyDisplayName -match 'Deprecated accounts should be removed from your subscription'`
                    -or $Script:PolicyDisplayName -match 'Deprecated accounts with owner permissions should be removed from your subscription'`
                    -or $Script:PolicyDisplayName -match 'Web Application should only be accessible over HTTPS'`
                    -or $Script:PolicyDisplayName -match 'Audit Windows machines that allow re-use of the previous 24 passwords'`
                    -or $Script:PolicyDisplayName -match 'Audit Windows machines that do not have a maximum password age of 70 days'`
                    -or $Script:PolicyDisplayName -match 'Audit Windows machines that do not have a minimum password age of 1 day'`
                    -or $Script:PolicyDisplayName -match 'Audit Windows machines that do not have the password complexity setting enabled'`
                    -or $Script:PolicyDisplayName -match 'Audit Windows machines that do not restrict the minimum password length to 14 characters'`
                    -or $Script:PolicyDisplayName -match 'Dependency agent should be enabled for listed virtual machine images'`
                    -or $Script:PolicyDisplayName -match 'Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs'`
                    -or $Script:PolicyDisplayName -match 'Audit Windows machines that do not store passwords using reversible encryption'`
                    -or $Script:PolicyDisplayName -match 'Automation account variables should be encrypted'`
                    -or $Script:PolicyDisplayName -match 'Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign'`
                    -or $Script:PolicyDisplayName -match 'Transparent Data Encryption on SQL databases should be enabled'`
                    -or $Script:PolicyDisplayName -match 'Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources'`
                    -or $Script:PolicyDisplayName -match 'Log Analytics Agent should be enabled for listed virtual machine images'`
                    -or $Script:PolicyDisplayName -match 'Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images'`
                    -or $Script:PolicyDisplayName -match 'Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images'`
                    -or $Script:PolicyDisplayName -match 'Adaptive application controls for defining safe applications should be enabled on your machines'`
                    -or $Script:PolicyDisplayName -match 'A vulnerability assessment solution should be enabled on your virtual machines'`
                    -or $Script:PolicyDisplayName -match 'Monitor missing Endpoint Protection in Azure Security Center'`
                    -or $Script:PolicyDisplayName -match 'SQL databases should have vulnerability findings resolved'`
                    -or $Script:PolicyDisplayName -match 'System updates should be installed on your machines'`
                    -or $Script:PolicyDisplayName -match 'Vulnerabilities in security configuration on your machines should be remediated'`
                    -or $Script:PolicyDisplayName -match 'All network ports should be restricted on network security groups associated to your virtual machine'`
                    -or $Script:PolicyDisplayName -match 'Storage accounts should restrict network access'`
                    -or $Script:PolicyDisplayName -match 'Only secure connections to your Azure Cache for Redis should be enabled'`
                    -or $Script:PolicyDisplayName -match 'Secure transfer to storage accounts should be enabled') {
                #EndRegion ISO 27001:2013 policy names from - https://docs.microsoft.com/en-us/azure/governance/policy/samples/iso-27001

                # Create Policy Assignment for ISO 27001:2013
                New-AzPolicyAssignment -Name $Script:Policy.Name -DisplayName $Script:Policy.Properties.DisplayName -Description $Script:Policy.Properties.Description -PolicyDefinition $Script:Policy -Scope "/subscriptions/$($Script:Subscription.Id)"`
                    -Location $Script:ResourceIDLocation -AssignIdentity
            }
        }
        #EndRegion Loop through all Azure Policy Definitions


        # Collect the distinct resource types present in this subscription. The
        # "Audit diagnostic setting" policy's listOfResourceTypes parameter expects
        # resource types (for example Microsoft.Storage/storageAccounts), not resource names
        $Script:AzureResourceTypes = @((Get-AzResource).ResourceType | Sort-Object -Unique)

        # Build the parameter object for the policy assignment
        $Script:AuditDiagnosticParameters = @{ 'listOfResourceTypes' = $Script:AzureResourceTypes }

        # Get the Policy Definition for "Audit diagnostic setting"
        $Script:AZPolicies = Get-AzPolicyDefinition -Name "7f89b1eb-583c-429a-8828-af049802c1d9"

        # Creating New Assignment Policy
        New-AzPolicyAssignment -Name $Script:AZPolicies.Name -DisplayName $Script:AZPolicies.Properties.DisplayName -Description $Script:AZPolicies.Properties.Description -PolicyDefinition $Script:AZPolicies -Scope "/subscriptions/$($Script:Subscription.Id)"`
            -PolicyParameterObject $Script:AuditDiagnosticParameters
    }

}

#Region Disconnect the Azure session
Disconnect-AzAccount
#EndRegion Disconnect the Azure session
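
The step above selects policies with a long chain of -match comparisons; -match treats each display name as a regular expression and matches substrings, and the list has to be maintained by hand whenever Microsoft changes the mapping on the docs page it cites. The following is an added example, not part of the Attune Blueprint, that instead assigns Microsoft's built-in ISO 27001:2013 initiative (policy set) once per subscription, which contains the same definitions and is maintained by Microsoft. It assumes the built-in policy set can be found by the display name 'ISO 27001:2013'; the assignment name 'iso-27001-2013', the subscription list and the location value are sample values taken from the Blueprint's parameter table or chosen for this example.

```powershell
# Added example (not from the Blueprint): assign the built-in ISO 27001:2013 initiative.
# Assumptions: the built-in policy set's display name is 'ISO 27001:2013';
# the assignment name 'iso-27001-2013' is our own; subscriptions and location are sample values.

$subscriptionNames = @('Visual Studio Enterprise Subscription', 'Pay As You Go')  # sample values
$identityLocation  = 'eastus'                                                     # sample value

# Built-in policy sets are identical in every subscription, so look the initiative up once.
$isoInitiative = Get-AzPolicySetDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq 'ISO 27001:2013' } |
    Select-Object -First 1
if (-not $isoInitiative) { throw "Built-in initiative 'ISO 27001:2013' was not found" }

# Initiative parameters without a defaultValue have to be supplied via -PolicyParameterObject;
# fail early with their names rather than letting New-AzPolicyAssignment reject the request.
$parameterSet = $isoInitiative.Properties.Parameters
$missing = @()
if ($parameterSet) {
    $missing = @($parameterSet.PSObject.Properties |
        Where-Object { $null -eq $_.Value.defaultValue } |
        ForEach-Object { $_.Name })
}
if ($missing.Count -gt 0) {
    throw "Supply values for initiative parameters without defaults: $($missing -join ', ')"
}

foreach ($name in $subscriptionNames) {
    $sub = Get-AzSubscription -SubscriptionName $name -ErrorAction SilentlyContinue
    if (-not $sub) { Write-Output "Subscription $name does not exist"; continue }

    $scope = "/subscriptions/$($sub.Id)"

    # A fixed assignment name makes the step idempotent: re-running updates the
    # existing assignment instead of creating a second one.
    $assignment = New-AzPolicyAssignment -Name 'iso-27001-2013' `
        -DisplayName $isoInitiative.Properties.DisplayName `
        -PolicySetDefinition $isoInitiative `
        -Scope $scope `
        -Location $identityLocation -AssignIdentity

    Write-Output "Assigned '$($assignment.Properties.DisplayName)' at $scope"
}
```

A single initiative assignment also simplifies step 5: the non-compliant policy states of ISO 27001:2013 are then all the states whose PolicyAssignmentId equals this one assignment's ID, so no display-name filtering is needed when building the report.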

4 - Start Azure Policy Compliance Scan

This step starts a policy compliance evaluation.

The Blueprint first gets the Execution Policy of the current PowerShell session.

Then it checks whether the Execution Policy is set to Unrestricted.

If it's not, it then sets the Execution Policy to Unrestricted for the current session.

Next, the AzPowerShell module is imported to the current session.

Then the values below are set:

  1. UserName: This is the Username of the Azure Administrator corresponding to the AzureUserName set in the Inputs Tab.
  2. PasswordString: This is the Password of the Azure Administrator corresponding to the AzurePassword set in the Inputs Tab.

Next, a connection to Azure is made.

Then it starts a policy compliance evaluation for the active subscriptions.

All resources within all active subscriptions will have their compliance state evaluated against all assigned policies.

Finally, the Azure PowerShell session is disconnected.

This step has the following parameters

Name          | Script Reference      | Default Value
AzureUserName | {azureusername.value} | admin@contoso.com
AzurePassword | {azurepassword.value} | P@ssW0rd@101

Login as user on node

  1. Connect via RDP
    mstsc /admin /v:Attune Node
  2. Login as user {Attune Node Credential}
  3. Then open a command prompt
This is a PowerShell script; make sure you run it with powershell.exe. Click the Start menu, enter "powershell" in the search bar, then select the PowerShell program.
#Region for ExecutionPolicy
# Get Execution Policy of the current process
$Script:ProcessEP = Get-ExecutionPolicy -Scope Process

#Get the value of the Execution Policy and save it in the Variable
$Script:ValueProcessEP = ($Script:ProcessEP).value__

# Check if the Execution Policy of the process is set to Unrestricted
if ($Script:ValueProcessEP -eq 0) {

    # Write the message
    Write-Output "Execution Policy is already set to Unrestricted for the Process"
# Check if the Execution Policy of the process is already set
}else{

    # Set the ExecutionPolicy of the Process to Unrestricted
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force -Confirm:$false

    # Checks if the Execution Policy has been set
    if ((Get-ExecutionPolicy -Scope Process).value__ -eq 0) {

        # Write the message
        Write-Output "Execution Policy is now set to Unrestricted for the Process"
    }
}
#EndRegion for ExecutionPolicy 


# Import the Az PowerShell module into this session
Import-Module -Name Az


#Region assign variables
# Save the Azure Administrator's username to this variable
$Script:UserName = "{azureusername.value}"

# Save the Azure Administrator's password to this variable
$Script:PasswordString = "{azurepassword.value}"
#EndRegion assign variables


#Region for Connection to Azure 
# Set the password and convert it to secure string to the variable
$Script:Password = ConvertTo-SecureString $Script:PasswordString -AsPlainText -Force

# set the credentials to the variable
$Script:UserCredential = New-Object System.Management.Automation.PSCredential ($Script:UserName,$Script:Password)

# Connect using set credentials to Azure
Connect-AzAccount -Credential $Script:UserCredential
#EndRegion for Connection to Azure 


# Starts the Azure Policy Compliance Scan as a background job and waits for it to finish.
# Without -AsJob the cmdlet returns a Boolean, which Wait-Job cannot bind to.
Start-AzPolicyComplianceScan -AsJob | Wait-Job


#Region Disconnect the Azure session
Disconnect-AzAccount
#EndRegion Disconnect the Azure session

5 - Get Azure ISO 27001-2013 Non-Compliant Resources Report

This step gets the report of Non-Compliant Azure Resources for ISO 27001:2013.

The Blueprint first gets the Execution Policy of the current PowerShell session.

Then it checks if the Execution Policy is set to Unrestricted.

If it's not, it then sets the Execution Policy to Unrestricted for the current session.

Next, the AzPowerShell module is imported to the current session.

Then the values below are set:

  1. UserName: This is the Username of the Azure Administrator corresponding to the AzureUserName set in the Inputs Tab.
  2. PasswordString: This is the Password of the Azure Administrator corresponding to the AzurePassword set in the Inputs Tab.
  3. SubscriptionName: This holds an array of Azure Subscriptions corresponding to the AzureSubscription set in the Inputs Tab.

Next, a connection to Azure is made.

Then it loops through the listed subscriptions and checks that each one exists.

Then it retrieves the Policy Assignment for each subscription in Azure.

It also retrieves the Policy States that are Non-Compliant with ISO 27001:2013 for each subscription.

Then it sets the file location for the report to the local Temp folder on the Attune Node.

Run $env:TEMP in PowerShell to see the Temp folder location.

It loops through all Policy Assignments that are filtered specifically for ISO 27001:2013.

Then gets their corresponding Policy States that are Non-Compliant.

It then exports the report to the file location and writes it to the screen.

Finally, the Azure PowerShell session is disconnected.
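
The core of this step is a join: keep only the non-compliant policy states whose PolicyAssignmentId belongs to one of the ISO 27001:2013 assignments, then flatten them into rows for Export-Csv. The following is an added example, not part of the Attune Blueprint, that wraps that join in a function which accepts the output of Get-AzPolicyState and Get-AzPolicyAssignment, and exercises it on constructed sample objects so it can be checked without an Azure session. The function name Select-IsoNonCompliantResources, the sample subscription ID, resource IDs and policy names are all constructed for this example; the property names used on the state objects are the ones Get-AzPolicyState returns.

```powershell
# Added example (not from the Blueprint): filter non-compliant policy states down to the
# ISO 27001:2013 assignments and shape them for Export-Csv.
# Select-IsoNonCompliantResources and all sample values below are our own constructions.

function Select-IsoNonCompliantResources {
    param(
        # e.g. Get-AzPolicyState -Filter "ComplianceState eq 'NonCompliant'" -SubscriptionId $id
        [Parameter(Mandatory)][object[]]$PolicyStates,
        # e.g. (Get-AzPolicyAssignment -Scope "/subscriptions/$id" | Where-Object {...}).PolicyAssignmentId
        [Parameter(Mandatory)][string[]]$AssignmentIds
    )
    # ARM resource IDs are case-insensitive and Get-AzPolicyState reports them in lower
    # case, so compare with an ordinal case-insensitive set rather than string equality.
    $wanted = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($id in $AssignmentIds) { [void]$wanted.Add($id) }

    $PolicyStates |
        Where-Object { $_.ComplianceState -eq 'NonCompliant' -and $wanted.Contains($_.PolicyAssignmentId) } |
        Select-Object SubscriptionId, ResourceType, ResourceId, ResourceLocation,
                      PolicyDefinitionName, PolicyAssignmentName, ComplianceState, Timestamp |
        Sort-Object ResourceType, ResourceId
}

# Constructed sample data standing in for Get-AzPolicyState / Get-AzPolicyAssignment output.
$subId  = '00000000-0000-0000-0000-000000000000'
$isoIds = @("/subscriptions/$subId/providers/Microsoft.Authorization/policyAssignments/SAMPLE-ISO-ASSIGNMENT")
$states = @(
    [pscustomobject]@{
        SubscriptionId = $subId; ResourceType = 'microsoft.storage/storageaccounts'
        ResourceId = "/subscriptions/$subId/resourcegroups/rg1/providers/microsoft.storage/storageaccounts/sa1"
        ResourceLocation = 'eastus'; PolicyDefinitionName = 'sample-iso-policy-definition'
        PolicyAssignmentName = 'sample-iso-assignment'
        PolicyAssignmentId = $isoIds[0].ToLower()   # lower case, as the service reports it
        ComplianceState = 'NonCompliant'; Timestamp = (Get-Date)
    },
    [pscustomobject]@{
        SubscriptionId = $subId; ResourceType = 'microsoft.compute/virtualmachines'
        ResourceId = "/subscriptions/$subId/resourcegroups/rg1/providers/microsoft.compute/virtualmachines/vm1"
        ResourceLocation = 'eastus'; PolicyDefinitionName = 'sample-unrelated-policy-definition'
        PolicyAssignmentName = 'sample-unrelated-assignment'
        PolicyAssignmentId = "/subscriptions/$subId/providers/microsoft.authorization/policyassignments/sample-unrelated-assignment"
        ComplianceState = 'NonCompliant'; Timestamp = (Get-Date)
    }
)

$report = Select-IsoNonCompliantResources -PolicyStates $states -AssignmentIds $isoIds
$report | Format-Table ResourceType, ResourceId, PolicyDefinitionName -AutoSize

$csvPath = Join-Path $env:TEMP ("AZURE-ISO-27001-2013-Non-Compliant-Resources-Sample-" + (Get-Date -Format "MM-dd-yyyy-HH-mm") + ".csv")
$report | Export-Csv -LiteralPath $csvPath -NoTypeInformation
Write-Output "Report written to $csvPath"
```

With the sample data, only the storage account is reported: the virtual machine is non-compliant too, but with an assignment outside the ISO set, so it is excluded. Matching on PolicyAssignmentId rather than on display names also means the report stays correct if a policy's display name changes between the assignment and the scan.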

This step has the following parameters

Name              | Script Reference          | Default Value
AzureSubscription | {azuresubscription.value} | @('Visual Studio Enterprise Subscription','Pay As You Go')
AzureUserName     | {azureusername.value}     | admin@contoso.com
AzurePassword     | {azurepassword.value}     | P@ssW0rd@101

Login as user on node

  1. Connect via RDP
    mstsc /admin /v:Attune Node
  2. Login as user {Attune Node Credential}
  3. Then open a command prompt
This is a PowerShell script; make sure you run it with powershell.exe. Click the Start menu, enter "powershell" in the search bar, then select the PowerShell program.
#Region for ExecutionPolicy
# Get Execution Policy of the current process
$Script:ProcessEP = Get-ExecutionPolicy -Scope Process

#Get the value of the Execution Policy and save it in the Variable
$Script:ValueProcessEP = ($Script:ProcessEP).value__

# Check if the Execution Policy of the process is set to Unrestricted
if ($Script:ValueProcessEP -eq 0) {

    # Write the message
    Write-Output "Execution Policy is already set to Unrestricted for the Process"
    # Check if the Execution Policy of the process is already set
}
else {

    # Set the ExecutionPolicy of the Process to Unrestricted
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force -Confirm:$false

    # Checks if the Execution Policy has been set
    if ((Get-ExecutionPolicy -Scope Process).value__ -eq 0) {

        # Write the message
        Write-Output "Execution Policy is now set to Unrestricted for the Process"
    }
}
#EndRegion for ExecutionPolicy


# Import the Az PowerShell module into this session
Import-Module -Name Az


#Region assign variables
# Save the Azure Administrator's username to this variable
$Script:UserName = "{azureusername.value}"

# Save the Azure Administrator's password to this variable
$Script:PasswordString = "{azurepassword.value}"

# Save the array of Azure Subscription names
$Script:SubscriptionName = {azuresubscription.value}
#EndRegion assign variables


#Region for Connection to Azure 
# Set the password and convert it to secure string to the variable
$Script:Password = ConvertTo-SecureString $Script:PasswordString -AsPlainText -Force

# set the credentials to the variable
$Script:UserCredential = New-Object System.Management.Automation.PSCredential ($Script:UserName, $Script:Password)

# Connect using set credentials to Azure
Connect-AzAccount -Credential $Script:UserCredential
#EndRegion for Connection to Azure

foreach ($item in $Script:SubscriptionName) {

    # Look up the Azure Subscription whose Policy Assignments are going to be reported.
    # -ErrorVariable takes a variable name, not a variable reference.
    $Script:Subscription = Get-AzSubscription -SubscriptionName $item -ErrorVariable ErrorT -ErrorAction "SilentlyContinue"

    if (!($Script:Subscription)) {
        Write-Output "Subscription $item does not exist"
    }else {
        
        # Set Variable for Azure Policy Assignment
        $Script:AzPolicyAssignments = Get-AzPolicyAssignment -Scope "/subscriptions/$($Script:Subscription.Id)"

        # Set variable for Azure Policy State and filter non compliant resources
        $Script:AllComplianceStates = Get-AzPolicyState -Filter "ComplianceState eq 'NonCompliant'" -SubscriptionId $Script:Subscription.Id

        # Creating array to store values
        $Script:FinalArray = @()

        # Set File Location to TEMP folder
        $Script:CSVFilePath = $env:TEMP

        # File name for CSV saved in variable
        $Script:CSVFileName = "AZURE-ISO-27001-2013-Non-Compliant-Resources-Report-" + (Get-Date -Format "MM-dd-yyyy-HH-mm") + ".csv"

        # Literal Path saved in variable
        $Script:LiteralPath = $Script:CSVFilePath + "\" + $Script:CSVFileName

        #Region Loop through Azure Policy Assignment
        foreach ($Script:AzPolicyAssignment in $Script:AzPolicyAssignments) {
            # Check if Policies match
            if (
                #Region ISO 27001:2013 policy names from - https://docs.microsoft.com/en-us/azure/governance/policy/samples/iso-27001
                $Script:AzPolicyAssignment.Properties.DisplayName -match 'A maximum of 3 owners should be designated for your subscription'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'There should be more than one owner assigned to your subscription'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Audit Linux machines that allow remote connections from accounts without passwords'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Audit Linux machines that have accounts without passwords'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Audit VMs that do not use managed disks'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Storage accounts should be migrated to new Azure Resource Manager resources'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Virtual machines should be migrated to new Azure Resource Manager resources'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'An Azure Active Directory administrator should be provisioned for SQL servers'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Audit usage of custom RBAC rules'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'External accounts with owner permissions should be removed from your subscription'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'External accounts with write permissions should be removed from your subscription'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'MFA should be enabled accounts with write permissions on your subscription'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'MFA should be enabled on accounts with owner permissions on your subscription'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Service Fabric clusters should only use Azure Active Directory for client authentication'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Audit Linux machines that do not have the passwd file permissions set to 0644'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'MFA should be enabled on accounts with read permissions on your subscription'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Deprecated accounts should be removed from your subscription'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Deprecated accounts with owner permissions should be removed from your subscription'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Audit Windows machines that allow re-use of the previous 24 passwords'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Audit Windows machines that do not have a maximum password age of 70 days'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Audit Windows machines that do not have a minimum password age of 1 day'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Audit Windows machines that do not have the password complexity setting enabled'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Audit Windows machines that do not restrict the minimum password length to 14 characters'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'API App should only be accessible over HTTPS'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Audit Windows machines that do not store passwords using reversible encryption'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Automation account variables should be encrypted'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Function App should only be accessible over HTTPS'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Transparent Data Encryption on SQL databases should be enabled'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Web Application should only be accessible over HTTPS'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Audit diagnostic setting'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Auditing on SQL server should be enabled'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Dependency agent should be enabled for listed virtual machine images'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Log Analytics Agent should be enabled for listed virtual machine images'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Adaptive application controls for defining safe applications should be enabled on your machines'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'A vulnerability assessment solution should be enabled on your virtual machines'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Monitor missing Endpoint Protection in Azure Security Center'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'SQL databases should have vulnerability findings resolved'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'System updates should be installed on your machines'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Vulnerabilities in security configuration on your machines should be remediated'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'All network ports should be restricted on network security groups associated to your virtual machine'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Storage accounts should restrict network access'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Only secure connections to your Azure Cache for Redis should be enabled'`
                    -or $Script:AzPolicyAssignment.Properties.DisplayName -match 'Secure transfer to storage accounts should be enabled'
                #EndRegion ISO 27001:2013 policy names from - https://docs.microsoft.com/en-us/azure/governance/policy/samples/iso-27001
            ) {
                # Select the non-compliant policy states that belong to this assignment
                $Script:PolicyStates = $Script:AllComplianceStates | Where-Object { $_.PolicyDefinitionName -match $Script:AzPolicyAssignment.Name }

                #Region Loop through Azure Policy State
                foreach ($Script:PolicyState in $Script:PolicyStates) {
                    # Save the Policy Information in Custom Object 
                    $Script:FinalArray += [PSCustomObject][Ordered]@{
                        "AzPolicyAssignment.Properties.DisplayName" = (($Script:AzPolicyAssignment).Properties).DisplayName
                        "PolicyDefinitionId"                        = ($Script:PolicyState).PolicyDefinitionId
                        "ComplianceState"                           = ($Script:PolicyState).ComplianceState
                        "ResourceId"                                = ($Script:PolicyState).ResourceId
                        "SubscriptionId"                            = ($Script:PolicyState).SubscriptionId
                        "ResourceType"                              = ($Script:PolicyState).ResourceType
                        "ResourceLocation"                          = ($Script:PolicyState).ResourceLocation
                        "ResourceGroup"                             = ($Script:PolicyState).ResourceGroup
                        "ResourceTags"                              = ($Script:PolicyState).ResourceTags
                        "PolicyAssignmentName"                      = ($Script:PolicyState).PolicyAssignmentName
                        "PolicyAssignmentOwner"                     = ($Script:PolicyState).PolicyAssignmentOwner
                        "PolicyAssignmentScope"                     = ($Script:PolicyState).PolicyAssignmentScope
                        "PolicyDefinitionName"                      = ($Script:PolicyState).PolicyDefinitionName
                        "PolicyDefinitionAction"                    = ($Script:PolicyState).PolicyDefinitionAction
                    }
                }
                #EndRegion Loop through Azure Policy State
            }
            # Assignments that are not ISO 27001:2013 policies are skipped
        }
        #EndRegion Loop through Azure Policy Assignment
    }

}

# Export to CSV
$Script:FinalArray | Export-Csv -LiteralPath $Script:LiteralPath -NoTypeInformation -Force

# Write Out the value to the screen
Write-Output $Script:FinalArray

#Region Disconnect the Azure session
Disconnect-AzAccount
#EndRegion Disconnect the Azure session