Disabling certificate-based authentication can reduce an organization’s ability to react to attacks on its critical functions and data.
Azure offers various authentication options to access resources: Anonymous connections, Basic authentication, password-based authentication, and
certificate-based authentication.
Choosing certificate-based authentication establishes mutual client/host trust: the host can verify the client and vice versa. A client certificate
cannot be forged or forwarded by a man-in-the-middle eavesdropper, and the certificate’s private key is never sent over the network, so it is harder
to steal than a password.
In case of a security incident, certificates give investigators traceability and allow security operations teams to react faster. For
example, each compromised certificate can be revoked individually, or the issuing certificate can be revoked, which causes all the certificates it
issued to become untrusted.
Ask Yourself Whether
- This Azure resource is essential for the information system infrastructure.
- This Azure resource is essential for mission-critical functions.
- Compliance policies require access to this resource to be authenticated with certificates.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Enable certificate-based authentication.
Sensitive Code Example
For Linux and Windows Web Apps:
resource "azurerm_linux_web_app" "example" {
  client_certificate_enabled = false # Sensitive
}
resource "azurerm_linux_web_app" "example2" {
  client_certificate_enabled = true
  client_certificate_mode    = "Optional" # Sensitive
}
For Logic App Standards and Function Apps:
resource "azurerm_function_app" "example" {
  client_cert_mode = "Optional" # Sensitive
}
For Data Factory Linked Services:
resource "azurerm_data_factory_linked_service_web" "example" {
  authentication_type = "Basic" # Sensitive
}
For API Management:
resource "azurerm_api_management" "example" {
  sku_name                = "Consumption_1"
  client_certificate_mode = "Optional" # Sensitive
}
For App Service:
resource "azurerm_app_service" "example" {
  client_cert_enabled = false # Sensitive
}
Compliant Solution
For Linux and Windows Web Apps:
resource "azurerm_linux_web_app" "example" {
  client_certificate_enabled = true
  client_certificate_mode    = "Required"
}
For Logic App Standards and Function Apps:
resource "azurerm_function_app" "example" {
  client_cert_mode = "Required"
}
For Data Factory Linked Services:
resource "azurerm_data_factory_linked_service_web" "example" {
  authentication_type = "ClientCertificate"
}
For API Management:
resource "azurerm_api_management" "example" {
  sku_name                = "Consumption_1"
  client_certificate_mode = "Required"
}
For App Service:
resource "azurerm_app_service" "example" {
  client_cert_enabled = true
}
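As an added example (not part of this rule page or of any scanner's implementation), the following Python script flags the weak settings listed above in Terraform files, using the resource types, attribute names and values shown in the Sensitive examples. It only parses flat top-level resource blocks and only reports values that are set explicitly; the sample HCL is constructed for the demonstration.

```python
import re

# Explicit attribute values that leave client-certificate authentication
# disabled or optional, keyed by resource type (mirrors the Sensitive examples
# above). Unlisted resource types and provider defaults are not examined.
WEAK_SETTINGS = {
    "azurerm_linux_web_app": {"client_certificate_enabled": {"false"},
                              "client_certificate_mode": {"Optional"}},
    "azurerm_function_app": {"client_cert_mode": {"Optional"}},
    "azurerm_data_factory_linked_service_web": {
        "authentication_type": {"Basic", "Anonymous"}},
    "azurerm_api_management": {"client_certificate_mode": {"Optional"}},
    "azurerm_app_service": {"client_cert_enabled": {"false"}},
}

# A top-level resource block closed by a line holding only "}"; nested blocks
# are not parsed, which suffices for the flat resources shown on this page.
RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[\w-]+)"\s+"(?P<name>[\w-]+)"\s*\{(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE)
# One "key = value" line; the value is a quoted string or a bare token.
ATTR_RE = re.compile(
    r'^\s*(?P<key>\w+)\s*=\s*(?:"(?P<str>[^"]*)"|(?P<bare>[\w.]+))', re.MULTILINE)


def find_sensitive(hcl: str) -> list[tuple[str, str, str, str]]:
    """Return (resource_type, name, attribute, value) for every explicit
    setting that weakens certificate-based authentication."""
    findings = []
    for res in RESOURCE_RE.finditer(hcl):
        weak = WEAK_SETTINGS.get(res["type"])
        if not weak:
            continue
        # Strip '#' comments so markers like "# Sensitive" are not parsed.
        body = "\n".join(line.split("#", 1)[0] for line in res["body"].splitlines())
        for attr in ATTR_RE.finditer(body):
            value = attr["str"] if attr["str"] is not None else attr["bare"]
            if value in weak.get(attr["key"], ()):
                findings.append((res["type"], res["name"], attr["key"], value))
    return findings


# Constructed sample: one sensitive web app, one compliant function app.
SAMPLE = '''resource "azurerm_linux_web_app" "example2" {
  client_certificate_enabled = true
  client_certificate_mode    = "Optional" # Sensitive
}
resource "azurerm_function_app" "good" {
  client_cert_mode = "Required"
}'''
```

Running `find_sensitive(SAMPLE)` reports only the web app's `client_certificate_mode = "Optional"`; the compliant function app produces no finding.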