Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
"supportsHttpsTrafficOnly": "false"
param location string = resourceGroup().location
resource example 'Microsoft.ContainerService/managedClusters@2020-02-01' = {
  name: 'TestCluster'
  location: location
  properties: {
    ...
    servicePrincipalProfile: {
      clientId: '422313d8-123a-41ea-8f8e-90821ff61c05'
      secret: 'xxxxxxxxxxxxxxxxx'
    }
  }
}
{
  "name": "TestCluster",
  "type": "Microsoft.ContainerService/managedClusters",
  "apiVersion": "2020-02-01",
  "location": "[resourceGroup().location]",
  "properties": {
    ...
    "servicePrincipalProfile": {
      "clientId": "422313d8-123a-41ea-8f8e-90821ff61c05",
      "secret": "xxxxxxxxxxxxxxxxx"
    }
  }
}
resource example 'Microsoft.Web/sites/config@2022-09-01' = {
  ...
  properties: {
    ...
    remoteDebuggingEnabled: true
  }
}
{
  ...
  "type": "Microsoft.Web/sites/config",
  "properties": {
    ...
    "remoteDebuggingEnabled": true
  }
}
publicAccess property set to Container. This allows anonymous access to all of the container's blobs and data.
param storageAccountName string
param containerName string
resource example 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-04-01' = {
  name: '${storageAccountName}/default/${containerName}'
  ...
  properties: {
    ...
    publicAccess: 'Container'
  }
}
publicAccess property set to Container. This allows anonymous access to all of the container's blobs and data.
{
  "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
  "apiVersion": "2021-04-01",
  "name": "[format('{0}/default/{1}', parameters('storageAccountName'), parameters('containerName'))]",
  "properties": {
    "publicAccess": "Container"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
  ]
}
publicNetworkAccess and making no IP restrictions.
resource example 'Microsoft.ContainerRegistry/registries@2022-12-01' = {
  ...
  properties: {
    ...
    publicNetworkAccess: 'Enabled'
  }
}
Example 2: The following example template defines an Azure Container Registry with unrestricted network access by specifying a broad allow list for the networkRuleSet property.
resource example 'Microsoft.ContainerRegistry/registries@2022-12-01' = {
  ...
  properties: {
    ...
    publicNetworkAccess: 'Enabled'
    networkRuleSet: {
      defaultAction: 'Allow'
      ipRules: [
        {
          action: 'Allow'
          value: '*'
        }
      ]
    }
  }
}
publicNetworkAccess and making no IP restrictions.
{
  "name": "[variables('acrName')]",
  "type": "Microsoft.ContainerRegistry/registries",
  ...
  "properties": {
    "publicNetworkAccess": "Enabled",
    ...
  }
}
Example 2: The following example template defines an Azure Container Registry with unrestricted network access by specifying a broad allow list for the networkRuleSet property.
{
  "name": "[variables('acrName')]",
  "type": "Microsoft.ContainerRegistry/registries",
  ...
  "properties": {
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {
      "defaultAction": "Allow",
      "ipRules": [
        {
          "action": "Allow",
          "value": "*"
        }
      ]
    }
    ...
  }
}
resource example 'Microsoft.SignalRService/SignalR@2022-02-01' = {
  ...
  properties: {
    ...
    cors: {
      ...
      allowedOrigins: [ '*' ]
    }
  }
}
Example 2: The following example template defines an overly permissive CORS policy for an Azure web application.
resource example 'Microsoft.Web/sites@2020-12-01' = {
  ...
  properties: {
    ...
    siteConfig: {
      ...
      cors: {
        ...
        allowedOrigins: [ '*' ]
      }
    }
  }
}
Example 3: The following example template defines an overly permissive CORS policy for an Azure Maps account.
resource example 'Microsoft.Maps/accounts@2021-12-01-preview' = {
  ...
  properties: {
    ...
    cors: {
      corsRules: [
        {
          allowedOrigins: [ '*' ]
        }
      ]
    }
  }
}
Example 4: The following example template defines an overly permissive CORS policy for an Azure Cosmos DB account.
resource example 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
  ...
  properties: {
    ...
    cors: [
      {
        ...
        allowedOrigins: '*'
      }
    ]
  }
}
Example 5: The following example template defines an overly permissive CORS policy for an Azure storage blob service.
resource example 'Microsoft.Storage/storageAccounts/blobServices@2021-09-01' = {
  ...
  properties: {
    ...
    cors: {
      corsRules: [
        {
          ...
          allowedOrigins: [ '*' ]
        }
      ]
    }
  }
}
{
  ...
  "type": "Microsoft.SignalRService/SignalR",
  ...
  "properties": {
    ...
    "cors": {
      "allowedOrigins": ["*"]
    },
    ...
  }
}
Example 2: The following example template defines an overly permissive CORS policy for an Azure web application.
{
  "apiVersion": "2020-12-01",
  "type": "Microsoft.Web/sites",
  ...
  "properties": {
    ...
    "siteConfig": {
      ...
      "cors": {
        "allowedOrigins": [
          "*"
        ]
      },
      ...
    }
  }
}
Example 3: The following example template defines an overly permissive CORS policy for an Azure Maps account.
{
  "apiVersion": "2021-12-01-preview",
  "type": "Microsoft.Maps/accounts",
  ...
  "properties": {
    "cors": {
      "allowedOrigins": ["*"]
    }
  },
  ...
}
Example 4: The following example template defines an overly permissive CORS policy for an Azure Cosmos DB account.
{
  "type": "Microsoft.DocumentDB/databaseAccounts",
  ...
  "properties": {
    "cors": [
      {
        "allowedOrigins": "*"
      }
    ],
    ...
  }
}
Example 5: The following example template defines an overly permissive CORS policy for an Azure storage blob service.
{
  "type": "Microsoft.Storage/storageAccounts/blobServices",
  ...
  "properties": {
    "cors": {
      "corsRules": [
        {
          "allowedOrigins": ["*"],
          ...
        }
      ]
    }
  }
  ...
}
publicNetworkAccess property is set to Enabled and the IP address range includes all IPs.
resource example 'Microsoft.DocumentDB/databaseAccounts@2021-04-15' = {
  ...
  properties: {
    ...
    publicNetworkAccess: 'Enabled'
    ipRules: [
      {
        ipAddressOrRange: '0.0.0.0'
      }
    ]
  }
}
publicNetworkAccess property is set to Enabled and the IP address range includes all IPs.
{
  "type": "Microsoft.DocumentDB/databaseAccounts",
  "apiVersion": "2021-04-15",
  ...
  "properties": {
    ...
    "publicNetworkAccess": "Enabled",
    "ipRules": [
      {
        "ipAddressOrRange": "0.0.0.0"
      }
    ]
    ...
  }
}