Azure Introduction
Azure Pricing
Azure Threats
Approved Azure Machine Image In Use
More Info:
Ensure that all the Azure virtual machine (VM) instances necessary for your application stack are launched from an approved base Azure machine image, known as golden machine image, in order to enforce application security best practices, consistency, and save time when scaling your application.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
The issue of “Approved Azure Machine Image In Use” occurs when an Azure virtual machine is using an image that is not approved by the organization’s policies. To remediate this issue, follow the steps below:
-
Log in to the Azure portal (https://portal.azure.com/).
-
Go to the virtual machine that is using the unapproved image.
-
Stop the virtual machine.
-
Go to the “Disks” section of the virtual machine.
-
Select the OS disk of the virtual machine.
-
Click on the “Create snapshot” button to create a snapshot of the OS disk.
-
Go to the “Images” section of the Azure portal.
-
Click on the “Add” button to create a new image.
-
Fill in the necessary details for the new image, including the name, description, and the snapshot that was created in step 6.
-
Click on the “Create” button to create the new image.
-
Once the image is created, go back to the virtual machine that was using the unapproved image.
-
Go to the “Configuration” section of the virtual machine.
-
Change the “Image” setting to the new image that was created in step 10.
-
Start the virtual machine.
The virtual machine should now be using the approved image, and the issue of “Approved Azure Machine Image In Use” should be remediated.
To remediate the “Approved Azure Machine Image In Use” misconfiguration in Azure using Azure CLI, you can follow these steps:
-
Identify the virtual machine(s) that are using the unapproved image. You can use the following Azure CLI command to list all the virtual machines in your subscription:
az vm list --query "[].{name:name, image:storageProfile.imageReference}"This command will list all the virtual machines in your subscription along with their image references.
-
Check if any of the virtual machines are using the unapproved image. If you find any, note down their names.
-
Create a new virtual machine using an approved image. You can use the following Azure CLI command to create a new virtual machine:
az vm create --resource-group <resource-group-name> --name <new-vm-name> --image <approved-image-name> --admin-username <admin-username> --admin-password <admin-password> --authentication-type password --size <vm-size> --location <location>Replace the
<resource-group-name>with the name of the resource group where you want to create the new virtual machine. Replace<new-vm-name>with the name you want to give to the new virtual machine. Replace<approved-image-name>with the name of the approved image that you want to use. Replace<admin-username>and<admin-password>with the username and password that you want to use to access the new virtual machine. Replace<vm-size>with the size of the virtual machine that you want to create. Replace<location>with the location where you want to create the new virtual machine. -
Once the new virtual machine is created, you can migrate the data and applications from the old virtual machine to the new one.
-
Once you have migrated all the data and applications, you can stop and delete the old virtual machine. You can use the following Azure CLI commands to stop and delete the old virtual machine:
az vm stop --resource-group <resource-group-name> --name <old-vm-name>az vm delete --resource-group <resource-group-name> --name <old-vm-name> --yesReplace
<resource-group-name>with the name of the resource group where the old virtual machine is located. Replace<old-vm-name>with the name of the old virtual machine that you want to delete. -
Verify that the new virtual machine is working as expected.
To remediate the misconfiguration “Approved Azure Machine Image In Use” in Azure using Python, you can follow the below steps:
- First, you need to identify the virtual machines that are using the unapproved images. You can use the Azure Python SDK to get a list of all virtual machines in your subscription.
from azure.identity import DefaultAzureCredential
from azure.mgmt.compute import ComputeManagementClient
credential = DefaultAzureCredential()
compute_client = ComputeManagementClient(credential, subscription_id)
# Get a list of all virtual machines in the subscription
vms = compute_client.virtual_machines.list_all()
- Next, you need to check the image used by each virtual machine. You can use the
osProfileproperty of the virtual machine to get the image reference.
for vm in vms:
image_reference = vm.storage_profile.image_reference
if image_reference.publisher == 'MicrosoftWindowsServer' and image_reference.offer == 'WindowsServer' and image_reference.sku == '2016-Datacenter':
print(f"VM {vm.name} is using an unapproved image.")
In this example, we are checking if the virtual machine is using the Windows Server 2016 Datacenter image from Microsoft. You can replace this with the approved image reference for your organization.
- Finally, you need to update the virtual machine to use the approved image. You can use the
begin_updatemethod of the virtual machine to update the image reference.
for vm in vms:
image_reference = vm.storage_profile.image_reference
if image_reference.publisher == 'MicrosoftWindowsServer' and image_reference.offer == 'WindowsServer' and image_reference.sku == '2016-Datacenter':
print(f"Updating VM {vm.name}...")
vm.storage_profile.image_reference = {
'publisher': 'Canonical',
'offer': 'UbuntuServer',
'sku': '18.04-LTS',
'version': 'latest'
}
compute_client.virtual_machines.begin_update(resource_group_name, vm.name, vm)
In this example, we are updating the virtual machine to use the latest version of the Ubuntu Server 18.04 LTS image from Canonical. You can replace this with the approved image reference for your organization.
Note: You need to have appropriate permissions to update the virtual machine.