Managed Identities Design

💼 Management Summary

Managed identities eliminate secrets in application code by authenticating Azure resources to Azure AD automatically.

Recommendation
IMPLEMENT MANAGED IDENTITIES
Risk without
Medium
Risk Score
6/10
Implementation
12h (tech: 8h)
Applies to:
✓ Azure
✓ Workload Identity

Service principals with secrets or certificates in code are a security risk (credential leakage, rotation complexity). Managed identities provide automatic credential management without secrets in code.

PowerShell Modules Required
Primary API: Azure Resource Manager
Connection: Connect-AzAccount
Required Modules: Az.Accounts, Az.ManagedServiceIdentity

Implementation

System-assigned (1:1 with the resource, cleaned up automatically) or user-assigned (reusable). For Azure resources (VMs, Functions, Logic Apps) that need access to Azure services (Key Vault, Storage, SQL) without credentials in configuration.

Prerequisites

  1. Azure subscription
  2. Resources that support managed identity
  3. RBAC roles for identity assignment

Implementation

Use the PowerShell script managed-identities.ps1 (function Invoke-Remediation) – managed identity deployment.

  1. Enable system-assigned identity for dedicated resources
  2. Create a user-assigned identity for shared scenarios
  3. Assign RBAC permissions (least privilege)
  4. Update application code: use DefaultAzureCredential
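The four steps above carried out with Az cmdlets, as an added example that is not the baseline's own managed-identities.ps1. The resource group 'rg-app-prod', VM 'vm-app01', identity 'id-shared-app' and vault 'kv-app-prod' are constructed names; it assumes Az.Accounts, Az.Compute, Az.ManagedServiceIdentity, Az.KeyVault and Az.Resources are installed and Connect-AzAccount has been run.

```powershell
# Added example; names below are constructed, not from the baseline.
function Enable-VmSystemAssignedIdentity {
    param([string]$ResourceGroupName, [string]$VMName)
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    # Step 1: dedicated resource -> system-assigned identity (1:1, deleted with the VM)
    if (-not ($vm.Identity -and "$($vm.Identity.Type)" -match 'SystemAssigned')) {
        Update-AzVM -ResourceGroupName $ResourceGroupName -VM $vm -IdentityType SystemAssigned | Out-Null
        # Update-AzVM returns an operation result, so re-read the VM to obtain the PrincipalId
        $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    }
    return $vm.Identity.PrincipalId
}

function New-SharedIdentity {
    param([string]$ResourceGroupName, [string]$Name, [string]$Location)
    # Step 2: shared scenario -> user-assigned identity, attachable to several resources
    $id = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $Name -ErrorAction SilentlyContinue
    if (-not $id) {
        $id = New-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $Name -Location $Location
    }
    return $id.PrincipalId
}

function Grant-VaultSecretsRead {
    param([string]$PrincipalId, [string]$VaultName)
    # Step 3: least privilege - a data-plane read role scoped to one vault,
    # not Contributor at subscription scope
    $scope = (Get-AzKeyVault -VaultName $VaultName).ResourceId
    $existing = Get-AzRoleAssignment -ObjectId $PrincipalId -Scope $scope -RoleDefinitionName 'Key Vault Secrets User' -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    # A freshly created identity can take a moment to replicate to Azure AD; retry briefly.
    for ($i = 0; $i -lt 5; $i++) {
        try {
            return New-AzRoleAssignment -ObjectId $PrincipalId -RoleDefinitionName 'Key Vault Secrets User' -Scope $scope
        } catch { Start-Sleep -Seconds 10 }
    }
    throw "Role assignment for $PrincipalId on $scope failed after retries"
}

$vmPrincipal     = Enable-VmSystemAssignedIdentity -ResourceGroupName 'rg-app-prod' -VMName 'vm-app01'
$sharedPrincipal = New-SharedIdentity -ResourceGroupName 'rg-app-prod' -Name 'id-shared-app' -Location 'westeurope'
Grant-VaultSecretsRead -PrincipalId $vmPrincipal     -VaultName 'kv-app-prod'
Grant-VaultSecretsRead -PrincipalId $sharedPrincipal -VaultName 'kv-app-prod'

# Step 4, on the resource itself: no secret in config, the platform issues the token.
# The PowerShell counterpart of DefaultAzureCredential is Connect-AzAccount -Identity,
# after which e.g. Get-AzKeyVaultSecret -VaultName 'kv-app-prod' -Name 'db-connection' works.
```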

Monitoring

Use the PowerShell script managed-identities.ps1 (function Invoke-Monitoring) – monitoring.

  1. Identity usage in Azure AD logs
  2. RBAC assignment reviews
  3. No service principal secrets deployed
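A monitoring check for points 1 to 3 above, as an added example that is not the baseline's Invoke-Monitoring: it inventories which VMs and web apps in a resource group carry a managed identity and flags broad RBAC roles on those identities. The resource group 'rg-app-prod' is a constructed name; it assumes Az.Accounts, Az.Compute, Az.Websites and Az.Resources.

```powershell
# Added example; resource group name is constructed, not from the baseline.
function Get-ManagedIdentityReport {
    param([string]$ResourceGroupName)
    # Workloads without any identity are the candidates still authenticating with a
    # service principal secret in their configuration.
    $items = @()
    foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName) {
        $items += [PSCustomObject]@{ Name = $vm.Name;  Kind = 'VM';     IdentityType = "$($vm.Identity.Type)";  PrincipalId = $vm.Identity.PrincipalId }
    }
    foreach ($app in Get-AzWebApp -ResourceGroupName $ResourceGroupName) {
        $items += [PSCustomObject]@{ Name = $app.Name; Kind = 'WebApp'; IdentityType = "$($app.Identity.Type)"; PrincipalId = $app.Identity.PrincipalId }
    }
    foreach ($it in $items) {
        $hasIdentity = [bool]($it.IdentityType -and $it.IdentityType -ne 'None')
        # RBAC review: control-plane roles this broad on a workload identity break least privilege.
        # PrincipalId is only set for system-assigned identities; user-assigned ones are
        # reviewed via their own identity resource.
        $broad = @()
        if ($hasIdentity -and $it.PrincipalId) {
            $broad = @(Get-AzRoleAssignment -ObjectId $it.PrincipalId |
                Where-Object { $_.RoleDefinitionName -in 'Owner', 'Contributor', 'User Access Administrator' } |
                ForEach-Object { "$($_.RoleDefinitionName)@$($_.Scope)" })
        }
        [PSCustomObject]@{
            Name                 = $it.Name
            Kind                 = $it.Kind
            IdentityType         = $it.IdentityType
            HasManagedIdentity   = $hasIdentity
            BroadRoleAssignments = ($broad -join '; ')
            Compliant            = ($hasIdentity -and $broad.Count -eq 0)
        }
    }
}

Get-ManagedIdentityReport -ResourceGroupName 'rg-app-prod' | Format-Table -AutoSize
```

Rows with HasManagedIdentity false point at configurations to check for embedded service principal secrets; rows with a non-empty BroadRoleAssignments column are the input for the RBAC assignment review.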

Compliance and Auditing

  1. BIO 09.04 - credential management
  2. ISO 27001 A.9.3 - system and application access control and authentication

Remediation

Use the PowerShell script managed-identities.ps1 (function Invoke-Remediation) – remediation.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Managed Identities Design
.DESCRIPTION
    Implementation for Managed Identities Design
.NOTES
    Filename: managed-identities.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 1.0
    Related JSON: content/design/identity/managed-identities.json
#>
#Requires -Version 5.1
#Requires -Modules Az.Accounts, Az.ManagedServiceIdentity

[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'

$PolicyName = "Managed Identities Design"
$BIOControl = "9.04"

function Connect-RequiredServices {
    # Connection logic based on API: Azure Resource Manager via Az.Accounts
    if (-not (Get-AzContext)) {
        Connect-AzAccount | Out-Null
    }
}

function Test-Compliance {
    Write-Verbose "Testing compliance for: $PolicyName..."
    $result = [PSCustomObject]@{
        ScriptName        = "managed-identities"
        PolicyName        = $PolicyName
        IsCompliant       = $false
        TotalResources    = 0
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
        Recommendations   = @()
    }
    # Compliance check implementation
    # Based on: Design Document
    $result.Details += "Compliance check - implementation required based on control"
    $result.NonCompliantCount = 1
    return $result
}

function Invoke-Remediation {
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan
    # Remediation implementation
    Write-Host "  Configuration applied" -ForegroundColor Green
    Write-Host "`n[OK] Remediation completed" -ForegroundColor Green
}

function Invoke-Monitoring {
    $result = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total: $($result.TotalResources)" -ForegroundColor White
    Write-Host "Compliant: $($result.CompliantCount)" -ForegroundColor Green
    $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" }
    Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color
    return $result
}

function Invoke-Revert {
    Write-Host "Revert: Configuration revert not yet implemented" -ForegroundColor Yellow
}

try {
    Connect-RequiredServices
    if ($Monitoring) {
        Invoke-Monitoring
    }
    elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
        }
        else {
            Invoke-Remediation
        }
    }
    elseif ($Revert) {
        Invoke-Revert
    }
    else {
        $result = Test-Compliance
        if ($result.IsCompliant) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
        }
        else {
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
        }
    }
}
catch {
    Write-Error $_
}

Risk without implementation

Medium: service principal secrets mean credential sprawl, leakage risk (secrets in code and config files), manual rotation overhead and long-lived credentials. Managed Identities eliminate this. Compliance: Zero Trust. The risk is HIGH - credential management.

Management Summary

Managed Identities Design: replace service principal secrets with system-assigned or user-assigned managed identities (Azure resources authenticate WITHOUT credentials). Automatic credential rotation, no secrets in code or config, Azure-only (not external). Activation: Resource → Identity → System-assigned: On + RBAC assignments. Free of charge. Mandatory for Zero Trust. Implementation: 8-12 hours (per application migration). Eliminates credential management - modern Azure authentication.