VM Approved Images Only

💼 Management Summary

This security control is essential for maintaining a secure cloud environment and protects against unauthorized access and data leaks.

Recommendation
CONSIDER AN APPROVED IMAGES POLICY
Risk without
Medium
Risk Score
6/10
Implementation
5 h (technical: 3 h)
Applies to:
✓ Azure VMs

Without this security measure, significant security risks can arise that lead to data compromise, compliance violations and reputational damage for the organisation.

PowerShell Modules Required
Primary API: Azure API
Connection: Connect-AzAccount
Required Modules: Az.Accounts, Az.Compute

Implementation

This control implements security best practices via Azure Policy, ARM templates or Microsoft Intune to protect cloud resources and endpoints in line with current compliance frameworks.

Requirements

  1. Approved image list
  2. Azure Policy

Monitoring

Use the PowerShell script vm-approved-images-only.ps1 (function Invoke-Monitoring) to check.

Policy compliance for approved images.

Compliance and Auditing

  1. BIO 14.02
  2. ISO 27001:2022 A.8.25

Remediation

Use the PowerShell script vm-approved-images-only.ps1 (function Invoke-Remediation) to remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
================================================================================
AZURE POWERSHELL SCRIPT - Nederlandse Baseline voor Veilige Cloud
================================================================================
.SYNOPSIS
VM Approved Images Only
.DESCRIPTION
CIS Azure Foundations Benchmark - Control 7.1
Checks that only approved VM images are used.
.NOTES
Filename: vm-approved-images-only.ps1
Author: Nederlandse Baseline voor Veilige Cloud
Version: 1.0
CIS Control: 7.1
#>
#Requires -Version 5.1
#Requires -Modules Az.Accounts, Az.Compute

[CmdletBinding()]
param([Parameter()][switch]$Monitoring)

$ErrorActionPreference = 'Stop'
$PolicyName = "VM Approved Images Only"

function Connect-RequiredServices {
    # Reuse an existing Az session; only prompt for login when there is none.
    if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }
}

function Test-Compliance {
    # Classify every VM by its image reference: a Publisher means a marketplace image,
    # anything else (gallery, managed image, disk-attached) is counted as custom.
    $vms = Get-AzVM -ErrorAction SilentlyContinue
    $result = @{ TotalVMs = $vms.Count; MarketplaceImages = 0; CustomImages = 0 }
    foreach ($vm in $vms) {
        if ($vm.StorageProfile.ImageReference.Publisher) { $result.MarketplaceImages++ }
        else { $result.CustomImages++ }
    }
    return $result
}

try {
    Connect-RequiredServices
    if ($Monitoring) {
        $r = Test-Compliance
        Write-Host "`n========================================" -ForegroundColor Cyan
        Write-Host "$PolicyName" -ForegroundColor Cyan
        Write-Host "========================================" -ForegroundColor Cyan
        Write-Host "Total VMs: $($r.TotalVMs)" -ForegroundColor White
        Write-Host "Marketplace Images: $($r.MarketplaceImages)" -ForegroundColor Green
        Write-Host "Custom Images: $($r.CustomImages)" -ForegroundColor Yellow
        if ($r.CustomImages -gt 0) {
            Write-Host "`n⚠️ Valideer custom images tegen goedgekeurde lijst" -ForegroundColor Yellow
        }
    } else {
        $r = Test-Compliance
        Write-Host "`nVM Images: $($r.MarketplaceImages) marketplace, $($r.CustomImages) custom"
    }
} catch { Write-Error $_; exit 1 }

# ================================================================================
# Standard Invoke-* functions (auto-generated)
# ================================================================================
function Invoke-Implementation {
    <#
    .SYNOPSIS
    Implements the configuration
    #>
    [CmdletBinding()]
    param()
    Invoke-Remediation
}

function Invoke-Monitoring {
    <#
    .SYNOPSIS
    Checks the current configuration status
    #>
    [CmdletBinding()]
    param()
    $Monitoring = $true
    try {
        Connect-RequiredServices
        if ($Monitoring) {
            $r = Test-Compliance
            Write-Host "`n========================================" -ForegroundColor Cyan
            Write-Host "$PolicyName" -ForegroundColor Cyan
            Write-Host "========================================" -ForegroundColor Cyan
            Write-Host "Total VMs: $($r.TotalVMs)" -ForegroundColor White
            Write-Host "Marketplace Images: $($r.MarketplaceImages)" -ForegroundColor Green
            Write-Host "Custom Images: $($r.CustomImages)" -ForegroundColor Yellow
            if ($r.CustomImages -gt 0) {
                Write-Host "`n⚠️ Valideer custom images tegen goedgekeurde lijst" -ForegroundColor Yellow
            }
        } else {
            $r = Test-Compliance
            Write-Host "`nVM Images: $($r.MarketplaceImages) marketplace, $($r.CustomImages) custom"
        }
    } catch { Write-Error $_; exit 1 }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
    Restores the configuration to the desired state
    .DESCRIPTION
    This is a monitoring-only control; remediation delegates to monitoring
    #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] Dit is een monitoring-only control" -ForegroundColor Yellow
    Write-Host "[INFO] Running monitoring check..." -ForegroundColor Cyan
    Invoke-Monitoring
}
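The baseline script above only counts custom images and leaves the comparison against the approved list (requirement 1) to manual validation. As an added example, not part of the baseline's own script, the following PowerShell performs that comparison per VM: marketplace images are matched on publisher/offer/SKU and custom images on the Compute Gallery image definition they were built from. The approved entries, the resource group names and the subscription ID are constructed placeholders.

```powershell
#Requires -Modules Az.Accounts, Az.Compute
# Added example: approved-list check per VM. All entries below are constructed placeholders.

# Approved marketplace images (publisher/offer/sku; version pinning is left to Azure Policy).
$ApprovedMarketplace = @(
    @{ Publisher = 'Canonical';              Offer = '0001-com-ubuntu-server-jammy'; Sku = '22_04-lts-gen2' }
    @{ Publisher = 'MicrosoftWindowsServer'; Offer = 'WindowsServer';                Sku = '2022-datacenter-azure-edition' }
)
# Approved golden images: resource IDs of Compute Gallery image definitions (placeholder IDs).
$ApprovedGalleryImages = @(
    '/subscriptions/<subscription-id>/resourceGroups/rg-images/providers/Microsoft.Compute/galleries/gal-golden/images/win2022-hardened'
)

function Test-ApprovedImage {
    param($ImageReference)   # $vm.StorageProfile.ImageReference; $null for disk-attached VMs

    if (-not $ImageReference) { return $false }          # no image lineage at all: not approved
    if ($ImageReference.Publisher) {
        # Marketplace image: PowerShell string -eq is case-insensitive, like Azure's handling.
        foreach ($a in $ApprovedMarketplace) {
            if ($ImageReference.Publisher -eq $a.Publisher -and
                $ImageReference.Offer     -eq $a.Offer -and
                $ImageReference.Sku       -eq $a.Sku) { return $true }
        }
        return $false
    }
    # Custom image: a gallery image version ID has the form <definition id>/versions/<n>.
    foreach ($definition in $ApprovedGalleryImages) {
        if ($ImageReference.Id -like "$definition/versions/*") { return $true }
    }
    return $false   # managed image or unknown gallery: not on the approved list
}

function Get-NonCompliantVM {
    if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }
    Get-AzVM | Where-Object { -not (Test-ApprovedImage $_.StorageProfile.ImageReference) } |
        Select-Object Name, ResourceGroupName, @{ n = 'Image'; e = {
            $r = $_.StorageProfile.ImageReference
            if ($r.Publisher) { "$($r.Publisher)/$($r.Offer)/$($r.Sku)" } else { $r.Id } } }
}

# Lists every VM whose image is outside the approved catalogue; an empty result means compliant.
Get-NonCompliantVM | Format-Table -AutoSize
```

The same approved list should be mirrored in the Azure Policy assignment so that non-compliant deployments are denied at creation time rather than only reported afterwards.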

Risk without implementation

Medium: Unrestricted image deployment means unpatched or malicious VMs are possible. Shadow IT images without security hardening. Compliance: governance. The risk is medium: image governance.

Management Summary

VM Approved Images Only: Azure Policy allows ONLY approved VM images (Azure Marketplace verified + custom golden images). Blocks unvetted images. Activation: Azure Policy → Allowed VM images list. Free. Recommended governance. Implementation: 3-5 hours (image catalog + policy). Centralized VM image control.