
I would like my company to use ARM templates deployed by a VSTS Release Pipeline to allow developers to define resources that will be deployed to a subscription owned by our Ops team at our company to ensure that developers don't have production access to these resources per PCI DSS 6.4.2.

However, it has come to our attention that the "Microsoft.SQL/server" template allows the administrator's username and password to be set as well as the firewall settings. This would allow a developer to hard-code a password and open a port allowing them to directly access any SQL Server.

    {
        "name": "creditcardinfo",
        "type": "Microsoft.Sql/servers",
        "apiVersion": "2014-04-01",
        "location": "[resourceGroup().location]",
        "properties": {
            "administratorLogin": "maliciousDev",
            "administratorLoginPassword": "HardCodedPassword",
            "version": "12.0"
        }
    }

We could add a script to our VSTS Pipeline blacklisting the setting of this property, but there's now a concern that there may be other ways a developer could access production resources through other ARM Templates.

Is there a way developers can use ARM templates with confidence that access can't be granted using these templates for any Azure Resources or will we have to come up with an alternate solution?

jt000
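
The pipeline check the question mentions ("a script to our VSTS Pipeline blacklisting the setting of this property"), written out as an added example rather than code from the asker or from Microsoft. It parses an ARM template, walks nested child resources, and reports `Microsoft.Sql/servers` resources whose `administratorLogin` / `administratorLoginPassword` are hard-coded literals instead of ARM expressions, plus every `Microsoft.Sql/servers/firewallRules` child and how many addresses its literal range opens. The sample template, the `AllowEverything` rule and the `ops-managed` server are constructed for the demo; the function names are my own.

```python
"""Pipeline gate for ARM templates: flag Microsoft.Sql/servers resources that
carry inline administrator credentials, and any firewallRules child that opens
the server to a literal IP range. Added example; not the asker's or Microsoft's code."""
import ipaddress
import json
import re

# ARM template expressions are bracketed, e.g. "[parameters('sqlPassword')]".
ARM_EXPRESSION = re.compile(r"^\s*\[.*\]\s*$", re.DOTALL)


def is_literal(value):
    """True for a hard-coded string; False for ARM expressions and non-strings."""
    if not isinstance(value, str):
        return False
    if value.startswith("[["):  # ARM escape: "[[...]" is a literal, not an expression
        return True
    return not ARM_EXPRESSION.match(value)


def iter_resources(resources, parent_type=None):
    """Yield (full_type, resource) for top-level and nested child resources."""
    for res in resources or []:
        rtype = res.get("type", "")
        # Children nested under a parent use a short type such as "firewallRules".
        full_type = rtype if "/" in rtype else f"{parent_type}/{rtype}"
        yield full_type, res
        yield from iter_resources(res.get("resources"), full_type)


def check_sql_server(props):
    issues = []
    if is_literal(props.get("administratorLogin")):
        issues.append("inline administratorLogin literal")
    if is_literal(props.get("administratorLoginPassword")):
        issues.append("inline administratorLoginPassword literal")
    return issues


def check_firewall_rule(props):
    start, end = props.get("startIpAddress"), props.get("endIpAddress")
    if not (is_literal(start) and is_literal(end)):
        return ["firewall rule with non-literal IP range; review the expression"]
    try:
        width = int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1
    except ValueError:
        return [f"firewall rule with unparseable range {start}-{end}"]
    return [f"firewall rule opens {width} address(es): {start}-{end}"]


CHECKS = {
    "Microsoft.Sql/servers": check_sql_server,
    "Microsoft.Sql/servers/firewallRules": check_firewall_rule,
}


def scan_template(template):
    """Return one (resource name, full type, issue) tuple per finding."""
    findings = []
    for full_type, res in iter_resources(template.get("resources")):
        check = CHECKS.get(full_type)
        if check is None:
            continue
        for issue in check(res.get("properties", {})):
            findings.append((res.get("name", "<unnamed>"), full_type, issue))
    return findings


def gate_passes(template):
    """False when any finding exists; the pipeline step would fail the release."""
    return not scan_template(template)


# Constructed sample: the server from the question, a nested all-IPs firewall
# rule, and a second server whose credentials come in through parameters.
SAMPLE_TEMPLATE = json.loads("""{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "creditcardinfo",
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2014-04-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "administratorLogin": "maliciousDev",
        "administratorLoginPassword": "HardCodedPassword",
        "version": "12.0"
      },
      "resources": [
        {
          "name": "AllowEverything",
          "type": "firewallRules",
          "apiVersion": "2014-04-01",
          "dependsOn": ["creditcardinfo"],
          "properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}
        }
      ]
    },
    {
      "name": "ops-managed",
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2014-04-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "administratorLogin": "[parameters('sqlAdminLogin')]",
        "administratorLoginPassword": "[parameters('sqlAdminPassword')]",
        "version": "12.0"
      }
    }
  ]
}""")

if __name__ == "__main__":
    for name, rtype, issue in scan_template(SAMPLE_TEMPLATE):
        print(f"{rtype} '{name}': {issue}")
    print("gate:", "PASS" if gate_passes(SAMPLE_TEMPLATE) else "FAIL")
```

Run against the sample, the gate fails on three findings: the literal login, the literal password and the firewall rule covering all 4294967296 IPv4 addresses; the parameterised `ops-managed` server passes only if the parameter values themselves are supplied by Ops-controlled pipeline variables rather than a developer-edited parameters file. A denylist like this catches the specific properties the question names, but it is exactly the kind of check that cannot enumerate every resource type and property through which a template could grant access, which is the open concern in the question.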

1 Answer


Just create a separate repo for those and you're good.

And there's no "defence" from someone editing the ARM Template. There are endless possibilities to edit the template to get access to resources.

4c74356b41