More Info:

Ensure that your Microsoft Azure virtual machines (VMs) have system-assigned managed identities enabled in order to allow secure virtual machine access to Azure resources such as key vaults and storage accounts.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the misconfiguration of enabling System-Assigned Managed Identities in Azure using the Azure console:
  1. Log in to the Azure portal (https://portal.azure.com/).
  2. Navigate to the resource group that contains the misconfigured resource.
  3. Select the resource that needs to have the System-Assigned Managed Identity enabled.
  4. In the left-hand menu, under the Settings section, select Identity.
  5. In the Identity blade, set the System Assigned Managed Identity toggle to On.
  6. Click Save to save the changes.
After completing these steps, the System-Assigned Managed Identity will be enabled for the selected resource. Please note that not all resources support System-Assigned Managed Identities, so it’s important to check the documentation to ensure that the resource you’re working with supports this feature.

To remediate the misconfiguration of not having System-Assigned Managed Identities enabled in Azure using Azure CLI, you can follow these steps:
  1. Open Azure CLI and log in to your Azure account using the command: 
    az login
  2. Once you are logged in, set the subscription to the one that contains the resource group where the misconfiguration needs to be remediated using the command: 
    az account set --subscription <subscription_id>
  3. Identify the resource group where the misconfiguration needs to be remediated using the command: 
    az group list
  4. Once you have identified the resource group, enable System-Assigned Managed Identities for the resource group using the command: 
    az identity create --resource-group <resource_group_name> --name <managed_identity_name>
    Replace <resource_group_name> with the name of the resource group where the misconfiguration needs to be remediated and <managed_identity_name> with the name you want to give to the managed identity.
  5. Once the managed identity is created, assign the managed identity to the Azure resource that needs to access Azure services using the command: 
    az resource update --ids <resource_id> --set identity.type='SystemAssigned'
    Replace <resource_id> with the ID of the Azure resource that needs to access Azure services.
  6. Verify that the System-Assigned Managed Identity has been enabled by running the command: 
    az resource show --ids <resource_id> --query identity
    This command should return the identity details of the Azure resource, including the System-Assigned Managed Identity.
By following these steps, you will have successfully remediated the misconfiguration of not having System-Assigned Managed Identities enabled in Azure using Azure CLI.
To remediate the misconfiguration “Enable System-Assigned Managed Identities” in Azure using Python, you can follow the below steps:
  1. Install the Azure SDK for Python using the following command: 
    pip install azure
  2. Import the required modules in your Python script: 
    from azure.mgmt.compute import ComputeManagementClient
from azure.identity import DefaultAzureCredential
  3. Set the credentials for authentication using the DefaultAzureCredential class: 
    credential = DefaultAzureCredential()
  4. Create an instance of the ComputeManagementClient class using the credentials and the Azure subscription ID: 
    compute_client = ComputeManagementClient(credential, subscription_id)
  5. Get the details of the virtual machine that needs to be remediated using the get method of the VirtualMachinesOperations class: 
    vm = compute_client.virtual_machines.get(resource_group_name, vm_name)
  6. Enable the system-assigned managed identity for the virtual machine using the update method of the VirtualMachinesOperations class: 
    vm.identity = {"type": "SystemAssigned"}
compute_client.virtual_machines.update(resource_group_name, vm_name, vm)
  7. Save the changes and exit the script.
The above steps will enable the system-assigned managed identity for the specified virtual machine in Azure.