โ˜๏ธ Azure Security & Compliance Audit Report #

Author: Piotr Klepuszewski
Title: Cybersecurity Auditor & Red Team Specialist
Company: Cyber Sentinel Solutions Ltd.
Client: [REDACTED]
Period of Audit: Q2 2025
Status: Final Assessment Report

📑 Executive Summary #

This report presents a comprehensive security and compliance audit of the Microsoft Azure environment for [Client]. The audit covers critical domains including Identity and Access Management (IAM), Network Security (VNet, NSG, Firewalls), Data Protection (Blob Storage, Azure SQL), PaaS configuration (App Services, Functions), Kubernetes (AKS), as well as Logging, Monitoring, and compliance with international standards such as ISO/IEC 27001, NIST SP 800-53, and the CIS Azure Foundations Benchmark.

This document outlines the step-by-step audit plan, real-world findings from our case study, tactical tools utilized, and strategic recommendations for hardening the cloud posture.


๐Ÿ› ๏ธ 1. Audit Planning & Scope #

Scope: The audit encompassed the entire Azure infrastructure, spanning multiple subscriptions (Dev/Test, Production across multiple regions), as well as key PaaS and IaaS services.

Audit Plan Steps: #

  1. Resource Inventory: Utilizing Azure Resource Graph and PowerShell to generate a complete asset list (VMs, Storage, DBs, AKS).
  2. Compliance Requirement Mapping: Mapping ISO 27001 and NIST 800-53 controls to specific Azure mechanisms using Azure Policy and the Regulatory Compliance dashboard.
  3. Tool Selection: Integrating native Azure security features with advanced auditing frameworks.

```yaml
# Tactical Toolkit [Azure Audit & Discovery]
equipment:
  - platform: "Microsoft Entra ID (Azure AD)"
    use: "Identity and access governance review."
  - tool: "Microsoft Defender for Cloud"
    use: "Security posture assessment and compliance reporting."
  - tool: "ScoutSuite (SDR Framework)"
    use: "Automated scanning for cloud misconfigurations and CIS violations."
  - engine: "Azure Resource Graph"
    use: "Complex querying of resource configurations at scale."
```

🔑 2. Identity and Access Management (IAM) #

Scope: Reviewing Microsoft Entra ID (Azure AD) to ensure the Principle of Least Privilege (PoLP) and robust authentication.

Key Findings: #

  • [01] Admin Account Separation: Audits revealed 5 Global Administrators using their privileged accounts for daily tasks (email/web). Recommendation: Enforce dedicated “Admin-only” accounts without email access to mitigate phishing risks.
  • [02] MFA Enforcement: While an MFA policy existed, 8 users (including 1 Admin) had no configured MFA methods. Action: Mandatory enrollment in Microsoft Authenticator or FIDO2 keys.
  • [03] Privileged Identity Management (PIM): Discovered standing “Owner” role assignments on test subscriptions. Action: Implementation of Just-In-Time (JIT) access via PIM to reduce the attack window.
  • [04] App Registrations: Several Service Principals held “Contributor” rights over entire subscriptions. Action: Migrate to Managed Identities with resource-group level scoping.
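Worked example for findings [02] and [04], added to this report as an illustration rather than taken from the client engagement: the two checks below run over an exported registration report and an exported list of role assignments. The sample records are constructed; their field names follow the shape of the Microsoft Graph authentication-methods registration report (`userPrincipalName`, `isAdmin`, `isMfaRegistered`, `methodsRegistered`) and of `az role assignment list` output (`principalType`, `roleDefinitionName`, `scope`), but every value is invented and the scope classifier is this example's own helper.

```python
"""Added example: MFA registration gaps and over-scoped service principals.

Constructed sample data; field names mirror Entra ID / Azure RBAC exports,
values are invented.
"""

# Constructed: one record per user, shaped like the Entra ID registration report.
REGISTRATION_REPORT = [
    {"userPrincipalName": "alice@contoso.example", "isAdmin": True,
     "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "fido2SecurityKey"]},
    {"userPrincipalName": "bob@contoso.example", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": []},
    # An SSPR-only method ("email") does not count as MFA registration.
    {"userPrincipalName": "carol-admin@contoso.example", "isAdmin": True,
     "isMfaRegistered": False, "methodsRegistered": ["email"]},
]

# Constructed: role assignments shaped like 'az role assignment list' output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLE_ASSIGNMENTS = [
    {"principalName": "ci-deployer-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "web-app-identity", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-web-prod"},
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
]

# Roles that grant write or rights-management over everything in scope.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def scope_level(scope):
    """Classify an RBAC scope string: root, managementGroup, subscription,
    resourceGroup or resource (this example's own helper)."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"                       # "/" is the tenant root scope
    if parts[0].lower() == "providers" and len(parts) > 1 \
            and parts[1].lower() == "microsoft.management":
        return "managementGroup"
    if parts[0].lower() == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2].lower() == "resourcegroups":
            return "resourceGroup"
        return "resource"
    return "unknown"


def users_without_mfa(report):
    """(upn, isAdmin) for every user with no MFA registration, admins first."""
    gaps = [(u["userPrincipalName"], u["isAdmin"])
            for u in report if not u["isMfaRegistered"]]
    return sorted(gaps, key=lambda g: (not g[1], g[0]))


def mfa_gap_summary(report):
    """Counts in the form the finding is reported: users, and admins among them."""
    gaps = users_without_mfa(report)
    return {"users_without_mfa": len(gaps),
            "admins_without_mfa": sum(1 for _, is_admin in gaps if is_admin)}


def over_scoped_service_principals(assignments, broad_roles=BROAD_ROLES):
    """Service principals holding a broad role at subscription scope or wider."""
    wide = {"root", "managementGroup", "subscription"}
    return [(a["principalName"], a["roleDefinitionName"], scope_level(a["scope"]))
            for a in assignments
            if a["principalType"] == "ServicePrincipal"
            and a["roleDefinitionName"] in broad_roles
            and scope_level(a["scope"]) in wide]


if __name__ == "__main__":
    for upn, is_admin in users_without_mfa(REGISTRATION_REPORT):
        print(f"no MFA: {upn}{'  [ADMIN]' if is_admin else ''}")
    for name, role, level in over_scoped_service_principals(ROLE_ASSIGNMENTS):
        print(f"over-scoped SP: {name} holds {role} at {level} scope")
```

The scope check deliberately treats a resource-group assignment as acceptable, which matches the remediation target in [04]; tighten `wide` if the engagement's policy also forbids resource-group-wide Contributor.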

๐ŸŒ 3. Network & Perimeter Security #

Scope: Assessment of VNets, NSGs, and perimeter protection (Firewalls, DDoS, WAF).

Key Findings: #

  • [05] Hub-and-Spoke Integrity: The architecture correctly segregates zones, but the management subnet lacked strict isolation.
  • [06] NSG Misconfiguration: Found a test NSG allowing SSH (Port 22) from 0.0.0.0/0. Action: Immediate restriction to admin IPs and implementation of Azure Bastion.
  • [07] Egress Filtering: Azure Firewall is utilized in the Hub, but FQDN filtering was missing for several application subnets.
  • [08] Private Access: Production Storage and SQL databases correctly utilize Private Endpoints, effectively removing them from the public internet.
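Worked example for finding [06], added here and not part of the client's tooling: given an NSG export, decide whether a management port is reachable from the internet. The point the example adds is that NSG rules are evaluated in priority order (lowest number first, first match wins), so an Allow rule with a wide source is only a finding if no higher-priority Deny precedes it, and a narrow-looking rule can still expose a port through a port range or the `Internet` service tag. The two NSG documents are constructed; their field names follow `az network nsg show` output, the probe address 203.0.113.10 is a documentation-range address standing in for "any internet host".

```python
"""Added example: evaluate NSG inbound rules for internet-exposed management ports.

Constructed sample NSGs; field names mirror 'az network nsg show' output.
"""
import ipaddress

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
# Source values that admit the whole internet.
ANY_SOURCE = {"*", "0.0.0.0/0", "internet", "any"}

# Constructed: the finding as observed, open SSH plus a default deny.
TEST_NSG = {
    "name": "nsg-test-vm",
    "securityRules": [
        {"name": "allow-ssh-anywhere", "priority": 100, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0",
         "destinationPortRange": "22"},
        {"name": "allow-rdp-admins", "priority": 110, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp",
         "sourceAddressPrefixes": ["198.51.100.0/24"], "destinationPortRange": "3389"},
    ],
    "defaultSecurityRules": [
        {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
         "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
         "destinationPortRange": "*"},
    ],
}

# Constructed: a wide Allow on ports 20-25 sits behind an explicit Deny for the
# Internet tag, so SSH is not exposed despite the open-looking rule.
PRIORITY_NSG = {
    "name": "nsg-test-vm",
    "securityRules": [
        {"name": "deny-ssh-internet", "priority": 90, "direction": "Inbound",
         "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
         "destinationPortRange": "22"},
        {"name": "allow-ssh-bastion", "priority": 100, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.10.0.0/26",
         "destinationPortRange": "22"},
        {"name": "allow-mgmt-range", "priority": 200, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
         "destinationPortRange": "20-25"},
    ],
    "defaultSecurityRules": TEST_NSG["defaultSecurityRules"],
}


def _ports(rule):
    """Expand destinationPortRange(s) such as '22', '20-25' or '*' into a set."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ports = set()
    for r in ranges:
        if r == "*":
            return set(range(0, 65536))
        if "-" in r:
            lo, hi = (int(x) for x in r.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(r))
    return ports


def _sources(rule):
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]


def _source_is_public(prefix):
    """True for wildcards, the Internet service tag, or a /0 prefix."""
    p = prefix.strip()
    if p.lower() in ANY_SOURCE:
        return True
    try:
        return ipaddress.ip_network(p, strict=False).prefixlen == 0
    except ValueError:
        return False   # other service tags (VirtualNetwork, ...) are not public


def _matches(rule, port, src_ip, protocol="Tcp"):
    """Does this inbound rule match a packet from src_ip to port/protocol?"""
    if rule.get("direction", "Inbound") != "Inbound":
        return False
    if rule.get("protocol", "*") not in ("*", protocol):
        return False
    if port not in _ports(rule):
        return False
    for prefix in _sources(rule):
        if _source_is_public(prefix):
            return True
        try:
            if src_ip in ipaddress.ip_network(prefix, strict=False):
                return True
        except ValueError:
            continue   # non-public service tag; cannot match an internet source
    return False


def exposed_management_ports(nsg, probe_ip="203.0.113.10"):
    """{port: winning rule name} for management ports an internet host can reach.
    Rules are walked in ascending priority; the first match decides."""
    rules = sorted(nsg.get("securityRules", []) + nsg.get("defaultSecurityRules", []),
                   key=lambda r: r["priority"])
    src = ipaddress.ip_address(probe_ip)
    exposed = {}
    for port in MANAGEMENT_PORTS:
        for rule in rules:
            if _matches(rule, port, src):
                if rule["access"] == "Allow":
                    exposed[port] = rule["name"]
                break          # nothing matched => implicit deny
    return exposed


if __name__ == "__main__":
    for nsg in (TEST_NSG, PRIORITY_NSG):
        hits = exposed_management_ports(nsg)
        print(nsg["name"], "->", {MANAGEMENT_PORTS[p]: r for p, r in hits.items()} or "no exposure")
```

Run against a real export, the function is fed the `securityRules` and `defaultSecurityRules` arrays exactly as the CLI returns them; the probe address only needs to be any public IP, since the check is about whether the rule set distinguishes internet sources at all.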

💾 4. Data & Storage Security (Blob, Azure SQL) #

Scope: Evaluating encryption at rest, in transit, and backup resilience.

Key Findings: #

  • [09] Encryption at Rest: All accounts use platform-managed encryption. Recommendation: Implement Customer-Managed Keys (CMK) in Key Vault for highly sensitive financial data.
  • [10] SAS Token Risks: Identified an active Shared Access Signature (SAS) token with no expiry date. Action: Immediate revocation and shift toward Azure AD-based access for storage.
  • [11] Backup Isolation: Recovery Services Vaults have Soft Delete enabled, protecting against ransomware-driven deletion. Action: Increased DB backup frequency from weekly to daily.
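Worked example for finding [10], added to the report as an illustration: a policy check for Shared Access Signature URLs using only the standard library. It parses the SAS query parameters (`se` expiry, `sp` permissions, `sip` IP range, `spr` protocol, `ss`/`srt` for account-level tokens) and returns every way a token falls short of a short-lived, read-only, IP-bound, HTTPS-only service SAS. The URLs, account name and signature are constructed placeholders, and the seven-day maximum lifetime and the fixed reference time are assumptions of the example, not values from the engagement.

```python
"""Added example: review SAS URLs for expiry, permissions and transport settings.

Constructed sample URLs with placeholder signatures; the policy thresholds are
this example's assumptions.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Fixed reference time so the example is deterministic (constructed).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(days=7)

# Constructed: account SAS with no 'se', write permissions, HTTP allowed, no IP scope.
NEVER_EXPIRING_SAS = ("https://stfinance.blob.core.windows.net/exports?"
                      "sv=2022-11-02&ss=b&srt=sco&sp=rwdlac&spr=https,http&sig=PLACEHOLDER")
# Constructed: blob-level, read-only, one-day, IP-bound, HTTPS-only service SAS.
SCOPED_SAS = ("https://stfinance.blob.core.windows.net/exports/report.csv?"
              "sv=2022-11-02&sr=b&sp=r&st=2025-06-01T00:00:00Z&se=2025-06-02T00:00:00Z"
              "&sip=198.51.100.10&spr=https&sig=PLACEHOLDER")


def parse_sas(url):
    """SAS query parameters as a flat dict (the last repeated value wins)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[-1] for k, v in query.items()}


def _parse_time(value):
    """SAS times are UTC ISO 8601 in one of three accepted forms."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value}")


def review_sas(url, now=NOW, max_lifetime=MAX_LIFETIME):
    """Issue codes for one SAS URL; an empty list means it passes this policy."""
    p = parse_sas(url)
    issues = []
    if "sig" not in p:
        return ["not-a-sas-url"]
    if "se" not in p:
        issues.append("no-expiry")                 # finding [10]: never expires
    else:
        expiry = _parse_time(p["se"])
        if expiry <= now:
            issues.append("already-expired")
        elif expiry - now > max_lifetime:
            issues.append("expiry-too-far")
    if set(p.get("sp", "")) & set("wdac"):         # write, delete, add, create
        issues.append("write-capable")
    if "sip" not in p:
        issues.append("no-ip-restriction")
    # When 'spr' is absent the service accepts both HTTPS and HTTP.
    if p.get("spr", "https,http") != "https":
        issues.append("http-allowed")
    if p.get("ss") or p.get("srt"):                # account SAS, not service SAS
        issues.append("account-sas")
    return issues


if __name__ == "__main__":
    for label, url in (("never-expiring", NEVER_EXPIRING_SAS), ("scoped", SCOPED_SAS)):
        print(f"{label}: {review_sas(url) or 'OK'}")
```

A token with `no-expiry` or `account-sas` cannot be fixed by editing it; as the finding states, the remedy is revocation (rotating the signing key or stored access policy) and a move to Entra ID authorization for the callers.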

โš™๏ธ 5. PaaS Service Security (App Services, Functions) #

Scope: Security configuration of serverless and platform-based application hosting.

Key Findings: #

  • [12] Secure Transport: “HTTPS Only” and TLS 1.2 were strictly enforced across all App Services.
  • [13] Secret Management: Identified an API key stored in plaintext within an Azure Function configuration. Action: Migration of all secrets to Azure Key Vault References.
  • [14] Authentication: One internal Function App relied solely on Function Keys. Action: Enforce Easy Auth (App Service Authentication) with Entra ID.
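Worked example for finding [13], added here as an illustration rather than taken from the engagement: a review of a Function App's application settings that separates Key Vault references (the two documented forms, `@Microsoft.KeyVault(SecretUri=...)` and `@Microsoft.KeyVault(VaultName=...;SecretName=...)`) from secrets stored inline, and shows the reference string a migrated setting takes. The settings dictionary, vault name and secret values are constructed; the name and value patterns used to spot inline secrets are this example's own heuristics.

```python
"""Added example: find plaintext secrets in app settings and build Key Vault references.

Constructed sample settings; detection patterns are this example's heuristics.
"""
import re

# Both documented Key Vault reference syntaxes, optionally with a secret version.
KV_REFERENCE = re.compile(
    r"^@Microsoft\.KeyVault\("
    r"(SecretUri=https://[^;)]+"
    r"|VaultName=[^;)]+;SecretName=[^;)]+(;SecretVersion=[^;)]+)?)"
    r"\)$", re.IGNORECASE)
# Setting names that usually hold credentials, and value fragments that are credentials.
SENSITIVE_NAME = re.compile(r"(key|secret|password|pwd|token|connectionstring|connstr|sas)",
                            re.IGNORECASE)
SECRET_VALUE = re.compile(r"(AccountKey=|SharedAccessSignature=|Password=|sig=)", re.IGNORECASE)

# Constructed: a Function App's settings as exported, mixing platform settings,
# inline secrets and Key Vault references.
FUNCTION_APP_SETTINGS = {
    "FUNCTIONS_WORKER_RUNTIME": "python",
    "FUNCTIONS_EXTENSION_VERSION": "~4",
    "PAYMENTS_API_KEY": "sk_live_EXAMPLE_0000000000",                 # inline, finding [13]
    "AzureWebJobsStorage": ("DefaultEndpointsProtocol=https;AccountName=stfunc;"
                            "AccountKey=EXAMPLEKEY==;EndpointSuffix=core.windows.net"),
    "SQL_CONNECTION": "@Microsoft.KeyVault(SecretUri=https://kv-prod.vault.azure.net/secrets/sql-conn/)",
    "SMTP_PASSWORD": "@Microsoft.KeyVault(VaultName=kv-prod;SecretName=smtp-password)",
    "AzureWebJobsStorage__accountName": "stfunc",                     # identity-based, no key
}


def classify_setting(name, value):
    """'keyvault-reference', 'plaintext-secret' or 'ok' for one app setting."""
    if KV_REFERENCE.match(value.strip()):
        return "keyvault-reference"
    if SENSITIVE_NAME.search(name) or SECRET_VALUE.search(value):
        return "plaintext-secret"
    return "ok"


def plaintext_secrets(app_settings):
    """Names of settings whose value is a secret stored inline."""
    return sorted(n for n, v in app_settings.items()
                  if classify_setting(n, v) == "plaintext-secret")


def to_keyvault_reference(vault_name, secret_name, version=None):
    """The reference string that replaces an inline value once the secret is in Key Vault."""
    ref = f"@Microsoft.KeyVault(VaultName={vault_name};SecretName={secret_name}"
    if version:
        ref += f";SecretVersion={version}"
    return ref + ")"


if __name__ == "__main__":
    for name in plaintext_secrets(FUNCTION_APP_SETTINGS):
        print(f"{name}: inline secret -> {to_keyvault_reference('kv-prod', name.lower().replace('_', '-'))}")
```

The `AzureWebJobsStorage` hit is deliberate: its value is flagged by content rather than by name, which is what catches the connection strings that platform settings carry. A reference only resolves if the app's managed identity has read access to the vault's secrets, so the migration step in [13] includes that access grant.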

โ˜ธ๏ธ 6. Azure Kubernetes Service (AKS) #

Scope: Cluster security, RBAC, and container image integrity.

Key Findings: #

  • [15] Private Cluster: The API server is correctly configured without a public IP, accessible only via peered VNets.
  • [16] Network Policies: Implemented Calico Network Policies to restrict pod-to-pod communication (micro-segmentation).
  • [17] Image Scanning: Integration with Azure Container Registry (ACR) scanning identified outdated OpenSSL libraries in 2 images.
  • [18] Admission Control: Deployed Azure Policy for Kubernetes to prevent the deployment of privileged containers.

🚨 7. Logging, Monitoring & Incident Response #

Scope: SIEM integration, log coverage, and threat detection.

Key Findings: #

  • [19] Log Centralization: Activity and Diagnostic logs are correctly streaming to a central Log Analytics Workspace.
  • [20] SIEM/SOAR: Microsoft Sentinel is active. During an audit drill, Sentinel successfully alerted on a “high-priority” login attempt from a non-standard geographic location.
  • [21] Secure Score: The current environment score is 72%. Remediating the MFA and NSG gaps is projected to raise this above 80%.
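Worked example for finding [20], added here and not part of the client's Sentinel configuration: the logic behind a "sign-in from a non-standard location" alert, run over sign-in records. For each user it builds a baseline of countries seen in successful sign-ins during a trailing window, flags a successful sign-in from a country outside that baseline, and raises the priority when the same user and source address produced failures shortly before. The records are constructed; the field names (`TimeGenerated`, `UserPrincipalName`, `Location`, `ResultType`, `IPAddress`) follow the Entra ID `SigninLogs` table, `ResultType` `0` is the success code, and the 30-day window and one-hour failure look-back are assumptions of the example.

```python
"""Added example: new-location sign-in detection over SigninLogs-shaped records.

Constructed sample events; window sizes are this example's assumptions.
"""
from datetime import datetime, timedelta, timezone

BASELINE_WINDOW = timedelta(days=30)   # how far back a country counts as "usual"
FAILURE_LOOKBACK = timedelta(hours=1)  # failures this close before a success raise priority

# Constructed sample, shaped like an exported SigninLogs table (UTC timestamps).
SIGNIN_LOGS = [
    {"TimeGenerated": "2025-05-03T08:01:00Z", "UserPrincipalName": "dave@contoso.example",
     "Location": "GB", "ResultType": "0", "IPAddress": "198.51.100.20"},
    {"TimeGenerated": "2025-05-10T09:15:00Z", "UserPrincipalName": "dave@contoso.example",
     "Location": "GB", "ResultType": "0", "IPAddress": "198.51.100.21"},
    {"TimeGenerated": "2025-05-20T07:45:00Z", "UserPrincipalName": "dave@contoso.example",
     "Location": "IE", "ResultType": "0", "IPAddress": "203.0.113.5"},
    # Failed password (ResultType 50126) two minutes before a success from the same address.
    {"TimeGenerated": "2025-05-28T02:10:00Z", "UserPrincipalName": "dave@contoso.example",
     "Location": "BR", "ResultType": "50126", "IPAddress": "192.0.2.77"},
    {"TimeGenerated": "2025-05-28T02:12:00Z", "UserPrincipalName": "dave@contoso.example",
     "Location": "BR", "ResultType": "0", "IPAddress": "192.0.2.77"},
    {"TimeGenerated": "2025-05-29T10:00:00Z", "UserPrincipalName": "erin@contoso.example",
     "Location": "GB", "ResultType": "0", "IPAddress": "198.51.100.30"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def new_location_signins(logs, window=BASELINE_WINDOW, lookback=FAILURE_LOOKBACK):
    """Successful sign-ins from a country absent from the user's trailing baseline.

    Events are replayed in time order; every success then joins the baseline, so
    a genuine relocation is flagged once. A user's very first sign-in is never
    flagged because there is nothing to compare it against."""
    events = sorted(logs, key=lambda e: _ts(e["TimeGenerated"]))
    history = {}    # upn -> [(time, country)] of successful sign-ins
    failures = {}   # (upn, ip) -> [time] of failed attempts
    alerts = []
    for e in events:
        upn, ip, when = e["UserPrincipalName"], e["IPAddress"], _ts(e["TimeGenerated"])
        if e["ResultType"] != "0":
            failures.setdefault((upn, ip), []).append(when)
            continue
        seen = history.setdefault(upn, [])
        baseline = {c for t, c in seen if when - t <= window}
        if baseline and e["Location"] not in baseline:
            recent_failures = sum(1 for t in failures.get((upn, ip), [])
                                  if timedelta(0) <= when - t <= lookback)
            alerts.append({
                "user": upn, "country": e["Location"], "time": e["TimeGenerated"],
                "ip": ip, "baseline": sorted(baseline),
                "recent_failures": recent_failures,
                "priority": "high" if recent_failures else "medium",
            })
        seen.append((when, e["Location"]))
    return alerts


if __name__ == "__main__":
    for a in new_location_signins(SIGNIN_LOGS):
        print(f"[{a['priority']}] {a['time']} {a['user']} from {a['country']} ({a['ip']}); "
              f"usual: {','.join(a['baseline'])}; failures before: {a['recent_failures']}")
```

The IE sign-in is reported as well as the BR one: a baseline rule cannot tell travel from compromise, which is why the failure look-back (and, in Sentinel, the risk signals attached to the event) is what separates a medium from a high-priority alert for the analyst.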

[Figure: Compliance Dashboard]


๐Ÿ›ก๏ธ 8. Compliance with Global Standards #

The audit validated the environment against three primary frameworks:

  1. ISO/IEC 27001: Achieved high technical compliance; identified gaps in “Continuous DR Testing” and “Cloud-specific IR Playbooks.”
  2. CIS Azure Benchmark: ~90% of controls met. Remaining gaps involve long-standing Storage Access Keys (migration toward Entra ID authorization is in progress).
  3. NIST SP 800-53: Mapped technical controls to NIST families (AC, SC, SI). The environment demonstrates maturity in continuous monitoring.

🚀 Strategic Recommendations #

  1. Shift to Zero Trust: Move toward Passwordless authentication and expand the use of PIM for all subscription-level roles.
  2. Infrastructure as Code (IaC): Use Terraform or Bicep modules with pre-hardened security configurations to prevent “configuration drift.”
  3. Automated Remediation: Implement Azure Policy “Deny” effects for critical non-compliant settings (e.g., blocking Storage Accounts without encryption).
  4. Purple Teaming: Conduct bi-annual attack simulations to tune Sentinel alert rules and improve “Time to Respond.”
  5. Disaster Recovery: Perform a full geographic failover exercise at least once per year to validate ISO 27001 A.17 requirements.

โญ Auditorโ€™s Conclusion #

The Azure environment at [Client] exhibits a strong security foundation. Most critical vulnerabilities discovered during the audit (e.g., open SSH, hardcoded secrets) were remediated immediately. By treating compliance as a continuous process and embracing DevSecOps principles, the organization is well-prepared for formal ISO certification and resilient against modern cloud threats.

```text
# AUDIT SIGN-OFF
Signed by:
[+] Piotr Klepuszewski  | Cybersecurity Auditor & Cloud Security Consultant
Entity: Cyber Sentinel Solutions Ltd.
Location: Bristol, United Kingdom
```