Azure · BernieWhite · Nov 2, 2023 · Oct 28, 2023 · Oct 31, 2023
@@ -5,7 +5,7 @@
     "description": "Azure rule documentation",
     "body": [
       "---",
-      "reviewed: 2022-mm-dd",
+      "reviewed: 2023-mm-dd",
       "severity: ${4:severity}",
       "pillar: ${5:pillar}",
       "category: ${6:category}",

@@ -31,6 +31,9 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 What's changed since v1.30.3:
 
 - New rules:
+  - Deployment:
+    - Check parameters potentially containing secure values by @BernieWhite.
+      [#1476](https://github.com/Azure/PSRule.Rules.Azure/issues/1476)
   - Machine Learning:
     - Check compute instances are configured for an idle shutdown by @batemansogq.
       [#2484](https://github.com/Azure/PSRule.Rules.Azure/issues/2484)

@@ -0,0 +1,94 @@
+---
+reviewed: 2023-10-25
+severity: Critical
+pillar: Security
+category: Infrastructure provisioning
+resource: Deployment
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Deployment.SecureParameter/
+---
+
+# Use secure parameters for sensitive information
+
+## SYNOPSIS
+
+Use secure parameters for any parameter that contains sensitive information.
+
+## DESCRIPTION
+
+Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure.
+When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters.
+Secure parameters use the `secureString` or `secureObject` type.
+
+Parameters that do not use secure types are recorded in logs and deployment history.
+These values can be retrieved by anyone with access to the deployment history.
+
+## RECOMMENDATION
+
+Consider using secure parameters for parameters that contain sensitive information.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To configure deployments that pass this rule:
+
+- Set the type of sensitive parameters to `secureString` or `secureObject`.
+
+For example:
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "secret": {
+      "type": "secureString"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.KeyVault/vaults/secrets",
+      "apiVersion": "2022-07-01",
+      "name": "keyvault/good",
+      "properties": {
+        "value": "[parameters('secret')]"
+      }
+    }
+  ]
+}
+```
+
+### Configure with Bicep
+
+To configure deployments that pass this rule:
+
+- Add the `@secure()` attribute on sensitive parameters.
+
+For example:
+
+```bicep
+@secure()
+param secret string
+
+resource goodSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
+  parent: vault
+  name: 'good'
+  properties: {
+    value: secret
+  }
+}
+```
+
+## NOTES
+
+This rule uses a heuristics to determine if a parameter should use a secure type:
+
+- Any parameter with a name containing `password`, `secret`, or `token` will be considered sensitive.
+- Any parameter with a name ending in `key` or `keys` will be considered sensitive.
+- Any parameter with a name ending in `publickey` or `publickeys` will not be considered sensitive.
+
+## LINKS
+
+- [Infrastructure provisioning considerations in Azure](https://learn.microsoft.com/azure/architecture/framework/security/deploy-infrastructure)
+- [Use Azure Key Vault to pass secure parameter value during Bicep deployment](https://learn.microsoft.com/azure/azure-resource-manager/bicep/key-vault-parameter)
+- [Integrate Azure Key Vault in your ARM template deployment](https://learn.microsoft.com/azure/azure-resource-manager/templates/template-tutorial-use-key-vault#edit-the-parameters-file)
@@ -106,4 +106,5 @@
     SubStorageSensitiveDataThreatDetection = "The Microsoft Defender for Storage plan should have sensitive data threat detection configured."
     ResStorageSensitiveDataThreatDetection = "The storage account '{0}' should have sensitive data threat detection in Microsoft Defender for Storage configured."
     ResAPIDefender = "The API '{0}' should be onboarded to Microsoft Defender for APIs."
+    InsecureParameterType = "The parameter '{0}' with type '{1}' is not secure."
 }
@@ -17,6 +17,11 @@ Rule 'Azure.Deployment.AdminUsername' -Ref 'AZR-000284' -Type 'Microsoft.Resourc
     RecurseDeploymentSensitive -Deployment $TargetObject
 }
 
+# Synopsis: Use secure parameters for any parameter that contains sensitive information.
+Rule 'Azure.Deployment.SecureParameter' -Ref 'AZR-000408' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2023_12'; 'Azure.WAF/pillar' = 'Security'; } {
+    GetSecureParameter -Deployment $TargetObject
+}
+
 # Synopsis: Use secure parameters for setting properties of resources that contain sensitive information.
 Rule 'Azure.Deployment.SecureValue' -Ref 'AZR-000316' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } {
     RecurseSecureValue -Deployment $TargetObject
@@ -51,6 +56,38 @@ Rule 'Azure.Deployment.OuterSecret' -Ref 'AZR-000331' -Type 'Microsoft.Resources
 
 #region Helpers
 
+function global:GetSecureParameter {
+    param (
+        [Parameter(Mandatory = $True)]
+        [PSObject]$Deployment
+    )
+    process {
+        $count = 0;
+        if ($Null -ne $Deployment.properties.template.parameters.PSObject.properties) {
+            foreach ($parameter in $Deployment.properties.template.parameters.PSObject.properties.GetEnumerator()) {
+                if (
+                    $Assert.Like($parameter, 'Name', @(
+                        '*password*'
+                        '*secret*'
+                        '*token*'
+                        '*key'
+                        '*keys'
+                    )).Result -and
+                    $parameter.Name -notlike '*publickey' -and
+                    $parameter.Name -notlike '*publickeys' -and
+                    $Null -ne $parameter.Value.type
+                ) {
+                    $count++
+                    $Assert.In($parameter.Value.type, '.', @('secureString', 'secureObject')).ReasonFrom($parameter.Name, $LocalizedData.InsecureParameterType, $parameter.Name, $parameter.Value.type);
+                }
+            }
+        }
+        if ($count -eq 0) {
+            return $Assert.Pass();
+        }
+    }
+}
+
 function global:RecurseDeploymentSensitive {
     param (
         [Parameter(Mandatory = $True)]
@@ -285,6 +322,7 @@ function global:RecurseSecureValue {
                 'Microsoft.Network/Connections' {
                     CheckPropertyUsesSecureParameter -Resource $resource -SecureParameters $secureParameters -PropertyPath "properties.virtualNetworkGateway1.properties.vpnClientConfiguration.radiusServerSecret"
                     CheckPropertyUsesSecureParameter -Resource $resource -SecureParameters $secureParameters -PropertyPath "properties.virtualNetworkGateway2.properties.vpnClientConfiguration.radiusServerSecret"
+                    CheckPropertyUsesSecureParameter -Resource $resource -SecureParameters $secureParameters -PropertyPath "properties.sharedKey"
                 }
                 'Microsoft.Network/VirtualNetworkGateways' {
                     CheckPropertyUsesSecureParameter -Resource $resource -SecureParameters $secureParameters -PropertyPath "properties.vpnClientConfiguration.radiusServerSecret"

@@ -78,6 +78,36 @@ Describe 'Azure.Deployment' -Tag 'Deployment' {
     }
 }
 
+Describe 'Azure.Deployment' -Tag 'Deployment' {
+    Context 'Conditions' {
+        BeforeAll {
+            $invokeParams = @{
+                Baseline = 'Azure.All'
+                Module = 'PSRule.Rules.Azure'
+                WarningAction = 'SilentlyContinue'
+                ErrorAction = 'Stop'
+            }
+        }
+
+        It 'Azure.Deployment.SecureParameter' {
+            $sourcePath = Join-Path -Path $here -ChildPath 'Resources.Deployments.json';
+            $result = Invoke-PSRule @invokeParams -InputPath $sourcePath -Name 'Azure.Deployment.SecureParameter';
+            $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Deployment.SecureParameter' };
+
+            # Fail
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+            $ruleResult | Should -Not -BeNullOrEmpty;
+            # $ruleResult.Length | Should -Be 2;
+            $ruleResult.TargetName | Should -BeIn 'nestedDeployment-I';
+
+            # Pass
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+            $ruleResult | Should -Not -BeNullOrEmpty;
+            # $ruleResult.Length | Should -Be 1;
+            $ruleResult.TargetName | Should -BeIn 'nestedDeployment-A', 'nestedDeployment-B', 'nestedDeployment-C', 'nestedDeployment-D', 'nestedDeployment-E', 'nestedDeployment-F', 'nestedDeployment-G', 'nestedDeployment-H', 'nestedDeployment-J';
+        }
+    }
+}
 
 Describe 'Azure.Deployment.AdminUsername' -Tag 'Deployment' {
     Context 'Conditions' {
@@ -104,8 +134,8 @@ Describe 'Azure.Deployment.AdminUsername' -Tag 'Deployment' {
              # Pass
              $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
              $ruleResult | Should -Not -BeNullOrEmpty;
-             $ruleResult.Length | Should -Be 5;
-             $ruleResult.TargetName | Should -BeIn 'nestedDeployment-B', 'nestedDeployment-C', 'nestedDeployment-F', 'nestedDeployment-G', 'nestedDeployment-H';
+             $ruleResult.Length | Should -Be 7;
+             $ruleResult.TargetName | Should -BeIn 'nestedDeployment-B', 'nestedDeployment-C', 'nestedDeployment-F', 'nestedDeployment-G', 'nestedDeployment-H', 'nestedDeployment-I', 'nestedDeployment-J';
         }
     }