feat(new): Added Azure.Redis.EntraID (Azure#2900)

BenjaminEngeset · web-flow · commit 2410600e2e5d · 2024-05-31T01:32:42.000+10:00
* feat(new): Added Azure.Redis.EntraID

* docs: Added link for data access policy
diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md
@@ -36,6 +36,9 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
   - Virtual Machine Scale Sets:
     - Check that automatic instance repairs are enabled by @BenjaminEngeset.
       [#2895](https://github.com/Azure/PSRule.Rules.Azure/issues/2895)
+  - Azure Cache for Redis:
+    - Verify that cache instances have Entra ID authentication enabled by @BenjaminEngeset.
+      [#2899](https://github.com/Azure/PSRule.Rules.Azure/issues/2899)
 
 ## v1.37.0-B0034 (pre-release)
 
diff --git a/docs/en/rules/Azure.Redis.EntraID.md b/docs/en/rules/Azure.Redis.EntraID.md
@@ -0,0 +1,101 @@
+---
+severity: Critical
+pillar: Security
+category: SE:05 Identity and access management
+resource: Azure Cache for Redis
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Redis.EntraID/
+---
+
+# Use Entra ID authentication with cache instances
+
+## SYNOPSIS
+
+Use Entra ID authentication with cache instances.
+
+## DESCRIPTION
+
+Azure Cache for Redis provides two authentication methods for accessing cache instances: access keys and Microsoft Entra ID. Entra ID authentication offers centralized identity management and enhanced security features.
+
+Some advantages of using Entra ID authentication over access keys include:
+
+- Support for Azure Multi-Factor Authentication (MFA).
+- Conditional access policies with Conditional Access.
+
+Disabling local authentication methods is not supported. However, regenerating the access keys will invalidate any previously used access keys, rendering them unusable for accessing the cache instance.
+
+See documentation references below for additional limitations and important information.
+
+## RECOMMENDATION
+
+Consider using Entra ID authentication with cache instances.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy cache instances that pass this rule:
+
+- Set the `properties.redisConfiguration.aad-enabled` to `'True'`.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.Cache/redis",
+  "apiVersion": "2023-08-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "properties": {
+    "minimumTlsVersion": "1.2",
+    "redisVersion": "latest",
+    "sku": {
+      "name": "Premium",
+      "family": "P",
+      "capacity": 1
+    },
+    "redisConfiguration": {
+      "aad-enabled": "True"
+    }
+  }
+}
+```
+
+### Configure with Bicep
+
+To deploy cache instances that pass this rule:
+
+- Set the `properties.redisConfiguration.aad-enabled` to `'True'`.
+
+For example:
+
+```bicep
+resource cache 'Microsoft.Cache/redis@2023-08-01' = {
+  name: name
+  location: location
+  properties: {
+    minimumTlsVersion: '1.2'
+    redisVersion: 'latest'
+    sku: {
+      name: 'Premium'
+      family: 'P'
+      capacity: 1
+    }
+    redisConfiguration: {
+      'aad-enabled': 'True'
+    }
+  }
+}
+```
+
+## NOTES
+
+Microsoft Entra ID based authentication isn't supported in the Enterprise tiers of Azure Cache for Redis Enterprise.
+
+## LINKS
+
+- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
+- [Use Microsoft Entra ID for cache authentication](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-azure-active-directory-for-authentication)
+- [Configure role-based access control with Data Access Policy](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-configure-role-based-access-control)
+- [Azure security baseline for Azure Cache for Redis](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cache-for-redis-security-baseline)
+- [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cache-for-redis-security-baseline#im-1-use-centralized-identity-and-authentication-system)
+- [Azure resource deployment](https://learn.microsoft.com/azure/templates/microsoft.cache/redis#rediscommonpropertiesredisconfiguration)
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml
@@ -93,6 +93,26 @@ spec:
     field: properties.publicNetworkAccess
     equals: Disabled
 
+---
+# Synopsis: Use Entra ID authentication with cache instances.
+apiVersion: github.com/microsoft/PSRule/v1
+kind: Rule
+metadata:
+  name: Azure.Redis.EntraID
+  ref: AZR-000427
+  tags:
+    release: GA
+    ruleSet: 2024_06
+    Azure.WAF/pillar: Security
+  labels:
+    Azure.MCSB.v1/control: 'IM-1'
+spec:
+  type:
+    - Microsoft.Cache/Redis
+  condition:
+    field: properties.redisConfiguration.aad-enabled
+    equals: 'True'
+
 #endregion Rules
 
 #region Selectors
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1
@@ -313,6 +313,30 @@ Describe 'Azure.Redis' -Tag 'Redis' {
             $ruleResult.Length | Should -Be 5;
             $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-B', 'redis-C', 'redis-Q', 'redis-R';
         }
+        
+
+        It 'Azure.Redis.EntraID' {
+            $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Redis.EntraID' };
+
+            # Fail
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+            $ruleResult.Length | Should -Be 3;
+            $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-B', 'redis-C';
+
+            $ruleResult[0].Reason | Should -BeExactly "Path properties.redisConfiguration.aad-enabled: The field 'properties.redisConfiguration.aad-enabled' does not exist.";
+            $ruleResult[1].Reason | Should -BeExactly "Path properties.redisConfiguration.aad-enabled: Is set to ''.";
+            $ruleResult[2].Reason | Should -BeExactly "Path properties.redisConfiguration.aad-enabled: Is set to 'False'.";
+
+            # Pass
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+            $ruleResult.Length | Should -Be 9;
+            $ruleResult.TargetName | Should -BeIn 'redis-D', 'redis-E', 'redis-F', 'redis-G', 'redis-H', 'redis-I', 'redis-J', 'redis-Q', 'redis-R';
+
+             # None
+             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
+             $ruleResult.Length | Should -Be 7;
+             $ruleResult.TargetName | Should -BeIn 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S';
+        }
     }
 
     Context 'With Configuration Option' -Tag 'Configuration' {
diff --git a/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json b/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json
@@ -60,6 +60,7 @@
       },
       "enableNonSslPort": true,
       "redisConfiguration": {
+        "aad-enabled": null,
         "maxclients": "2000",
         "maxmemory-policy": "volatile-lru"
       },
@@ -225,6 +226,7 @@
         }
       ],
       "redisConfiguration": {
+        "aad-enabled": "False",
         "maxclients": "256",
         "maxmemory-reserved": "2",
         "maxfragmentationmemory-reserved": "12",
@@ -413,6 +415,7 @@
         }
       ],
       "redisConfiguration": {
+        "aad-enabled": "True",
         "maxclients": "1000",
         "maxmemory-reserved": "150",
         "maxfragmentationmemory-reserved": "0",
@@ -577,6 +580,7 @@
       "minimumTlsVersion": "1.2",
       "enableNonSslPort": false,
       "redisConfiguration": {
+        "aad-enabled": "True",
         "maxclients": "2000",
         "maxmemory-policy": "volatile-lru"
       },
@@ -747,6 +751,7 @@
       "publicNetworkAccess": "Disabled",
       "enableNonSslPort": false,
       "redisConfiguration": {
+        "aad-enabled": "True",
         "maxclients": "2000",
         "maxmemory-policy": "volatile-lru"
       },
@@ -780,6 +785,7 @@
       "minimumTlsVersion": "1.2",
       "enableNonSslPort": false,
       "redisConfiguration": {
+        "aad-enabled": "True",
         "maxclients": "2000",
         "maxmemory-policy": "volatile-lru"
       },
@@ -815,6 +821,7 @@
       "minimumTlsVersion": "1.2",
       "enableNonSslPort": false,
       "redisConfiguration": {
+        "aad-enabled": "True",
         "maxclients": "2000",
         "maxmemory-policy": "volatile-lru"
       },
@@ -846,6 +853,7 @@
       "minimumTlsVersion": "1.2",
       "enableNonSslPort": false,
       "redisConfiguration": {
+        "aad-enabled": "True",
         "maxclients": "2000",
         "maxmemory-policy": "volatile-lru"
       },
@@ -877,6 +885,7 @@
       "minimumTlsVersion": "1.2",
       "enableNonSslPort": false,
       "redisConfiguration": {
+        "aad-enabled": "True",
         "maxclients": "2000",
         "maxmemory-policy": "volatile-lru"
       },
@@ -1044,6 +1053,7 @@
       "minimumTlsVersion": "1.2",
       "publicNetworkAccess": "Enabled",
       "redisConfiguration": {
+        "aad-enabled": "True",
         "maxclients": "256",
         "maxmemory-reserved": "30",
         "maxfragmentationmemory-reserved": "30",
@@ -1085,6 +1095,7 @@
       "minimumTlsVersion": "1.2",
       "publicNetworkAccess": "Enabled",
       "redisConfiguration": {
+        "aad-enabled": "True",
         "maxclients": "256",
         "maxmemory-reserved": "30",
         "maxfragmentationmemory-reserved": "30",
