Ensure managed identity is used in Azure Windows Function App

LOW

Description

Azure Function App identities can be managed by Azure so that administrators do not have access to individual credentials. To learn more about managed identities, see the Azure documentation.
References:
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Function App.
  2. Choose the Function App you wish to edit.
  3. Under Settings, select Identity.
  4. On the System assigned tab, set Status to On and add permissions as needed.

In Terraform -

  1. In the azurerm_windows_function_app resource, create an identity block.
  2. Set identity.type to SystemAssigned.
  3. Set identity_ids to the list of IDs to use.
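
A before/after azurerm_windows_function_app configuration for the Terraform steps above, added here as an example rather than taken from this rule page; the resource group, storage account, service plan and Key Vault it references are assumed to already exist under the name "example". Note that the azurerm provider accepts identity_ids only when type includes UserAssigned, so a SystemAssigned-only block omits it.

```hcl
# Added example for AC_AZURE_0117 (not the rule page's own code). Assumes an
# existing resource group, storage account, service plan and Key Vault "example".

# Non-compliant: no identity block, so any call to other Azure services must
# use a secret stored in app settings or in code.
resource "azurerm_windows_function_app" "noncompliant" {
  name                       = "func-example-noncompliant"
  resource_group_name        = azurerm_resource_group.example.name
  location                   = azurerm_resource_group.example.location
  service_plan_id            = azurerm_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key

  site_config {}
}

# Compliant: Azure creates and rotates the credential. identity_ids is omitted
# because the provider only accepts it when type includes "UserAssigned".
resource "azurerm_windows_function_app" "compliant" {
  name                       = "func-example-compliant"
  resource_group_name        = azurerm_resource_group.example.name
  location                   = azurerm_resource_group.example.location
  service_plan_id            = azurerm_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key

  identity {
    type = "SystemAssigned"
  }

  site_config {}
}

# Grant the identity only what it needs (portal step 4): here, read access to
# secrets in one Key Vault that uses RBAC authorization.
resource "azurerm_role_assignment" "kv_secrets_user" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_windows_function_app.compliant.identity[0].principal_id
}

# Variant when user-assigned identities are also required (Terraform step 3):
#   identity {
#     type         = "SystemAssigned, UserAssigned"
#     identity_ids = [azurerm_user_assigned_identity.example.id]
#   }
```

The role assignment depends on the app's exported identity[0].principal_id, so Terraform creates the function app before granting access.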

References:
https://learn.microsoft.com/en-us/azure/azure-functions/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_function_app#identity

Policy Details

Rule Reference ID: AC_AZURE_0117
CSP: Azure
Remediation Available: Yes
Resource Category: Serverless
Resource Type: Function App

Frameworks