Azure Automation account is not configured with managed identity
Description
This policy checks whether an Azure Automation account is configured with a managed identity. Automation accounts run runbooks that manage other Azure resources, so the account needs an identity to authenticate to Azure. Without a managed identity, that identity must be a stored credential, such as a Run As account backed by a service principal certificate or a username and password kept as an Automation credential asset. Stored credentials have to be created, rotated and protected by hand, can be exported from the account or copied into runbook code, and tend to be granted broad roles for convenience, which enlarges the security boundary around the resources they manage. A managed identity is issued and rotated by Microsoft Entra ID (Azure AD), never appears in code or configuration, and is authorised through Azure RBAC, so its permissions can be scoped to exactly what the runbooks need. Running an Automation account without a managed identity therefore increases the chance of credential leakage, human error and non-compliance with security standards; assign one to limit the exposure of the resources the account manages.
Code Example
```hcl
# Compliant: the Automation account gets a system-assigned managed identity,
# so runbooks authenticate with it instead of stored credentials.
resource "azurerm_automation_account" "example" {
  name                = "example-automation-account"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku_name            = "Basic"

  identity {
    type = "SystemAssigned"
  }
}
```
Remediation
Terraform
- Resource: azurerm_automation_account
- Arguments: identity.type
To fix the issue, enable a managed identity on the Automation Account in your Terraform code: add an 'identity' block with type 'SystemAssigned' to the 'azurerm_automation_account' resource, as shown in the Code Example above. Enabling the identity only gives the account a principal; it can do nothing until that principal is granted a role, so follow the change with an 'azurerm_role_assignment' scoped to the resources the runbooks actually need rather than a broad role at subscription level.
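The following configuration is an added example, not part of the original rule page or of the Checkov project: it places the non-compliant form (no 'identity' block, which this rule flags) beside the remediated form, and goes one step beyond the rule by granting the resulting identity a least-privilege role. The resource group, names, location and the 'Reader' role are assumptions chosen for illustration; the 'principal_id' export on the 'identity' block and the 'azurerm_role_assignment' arguments are the azurerm provider's own.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Assumed resource group used by both accounts below.
resource "azurerm_resource_group" "example" {
  name     = "example-automation-rg"
  location = "westeurope"
}

# Non-compliant: no identity block. Runbooks in this account can only reach
# Azure through stored credentials (Run As certificate, credential assets).
# IAC-0793 / CKV2_AZURE_36 reports this resource.
resource "azurerm_automation_account" "noncompliant" {
  name                = "example-automation-noncompliant"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku_name            = "Basic"
}

# Compliant: a system-assigned managed identity is created with the account
# and removed with it, and its token is issued by Entra ID at runtime.
resource "azurerm_automation_account" "compliant" {
  name                = "example-automation-compliant"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku_name            = "Basic"

  identity {
    type = "SystemAssigned"
  }
}

# The identity has no permissions until a role is assigned. Scope the grant to
# the narrowest resource and role the runbooks need (assumed here: read-only
# access to one resource group), not Contributor on the subscription.
resource "azurerm_role_assignment" "runbook_reader" {
  scope                = azurerm_resource_group.example.id
  role_definition_name = "Reader"
  principal_id         = azurerm_automation_account.compliant.identity[0].principal_id
}
```

Running a Checkov scan over this file reports the 'noncompliant' resource for CKV2_AZURE_36 and passes the 'compliant' one; deleting the first resource leaves a configuration that satisfies the rule. Inside a runbook the identity is used by connecting with Connect-AzAccount -Identity, so no secret is ever stored in the account.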
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0793 |
| Severity | INFO |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AZURE_36 |