Ensure Azure RBAC (role-based access control) is used to control access to resources for Azure Function App

MEDIUM

Description

Not using Azure RBAC (role-based access control) for an Azure Function App leaves you with a lower degree of control over who can access the app and its assets, because access is not tied to identities and roles that can be granted, reviewed and revoked.

Remediation

In the Azure Console:

  1. Open the Azure Portal and go to Function App.
  2. Choose the Function you wish to edit.
  3. Under Settings, select Authentication.
  4. Select Add identity provider and follow the prompts to add an authentication provider.
  5. Use either built-in roles or configure as needed.
    Note: It is recommended to use Microsoft as the identity provider and Azure AD as the authentication method.

In Terraform:
For Azure Provider versions prior to v4.x (the azurerm_function_app resource is deprecated in favor of the azurerm_linux_function_app and azurerm_windows_function_app resources):

  1. In the azurerm_function_app resource, configure the auth_settings block accordingly.
  2. It is recommended to configure the nested active_directory block so that access is controlled by Azure AD identities and roles.
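The Terraform remediation above, shown as an added example (not from the original policy page or the azurerm provider docs): a non-compliant azurerm_function_app with no auth_settings next to a compliant one that enables Azure AD through the nested active_directory block. The resource names, the azurerm_resource_group / azurerm_app_service_plan / azurerm_storage_account references and the var.* inputs are assumptions for illustration.

```hcl
# Added example; resource names, referenced resources and var.* inputs are assumed.

# Non-compliant: no auth_settings block, so App Service Authentication is off and
# callers reaching the endpoint carry no identity that Azure AD roles can govern.
resource "azurerm_function_app" "noncompliant" {
  name                       = "fn-example-open"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
}

# Compliant: auth_settings enabled with Azure AD as the identity provider.
resource "azurerm_function_app" "compliant" {
  name                       = "fn-example-aad"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key

  auth_settings {
    enabled = true

    # Send unauthenticated callers to the login flow instead of allowing them.
    unauthenticated_client_action = "RedirectToLoginPage"
    default_provider              = "AzureActiveDirectory"

    # Token issuer for the tenant; var.tenant_id is an assumed input variable.
    issuer              = "https://sts.windows.net/${var.tenant_id}/"
    token_store_enabled = true

    # Nested active_directory block: the Azure AD app registration callers must
    # authenticate against, so Azure AD identities and roles control access.
    active_directory {
      client_id         = var.aad_client_id      # assumed input variable
      client_secret     = var.aad_client_secret  # assumed input; declare it sensitive
      allowed_audiences = ["api://${var.aad_client_id}"]
    }
  }
}
```

The same auth_settings / active_directory structure applies to the azurerm_linux_function_app and azurerm_windows_function_app resources that replace azurerm_function_app in newer provider versions.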

References:
https://learn.microsoft.com/en-us/azure/azure-functions/security-concepts
https://learn.microsoft.com/en-us/azure/role-based-access-control/overview
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#auth_settings

Policy Details

Rule Reference ID: AC_AZURE_0175
CSP: Azure
Remediation Available: No
Resource Category: Serverless
Resource Type: Function App

Frameworks