Ecosyste.ms: Awesome
https://github.com/epomatti/az-vm-jit
Azure Virtual Machine (VM) with Just-in-Time access
azure azure-pim azure-security defender jit just-in-time microsoft-defender pim privileged-access-management terraform vmaccess
Azure Virtual Machine (VM) with Just-in-Time access
- Host: GitHub
- URL: https://github.com/epomatti/az-vm-jit
- Owner: epomatti
- License: mit
- Created: 2023-11-12T16:44:17.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2024-11-24T00:50:58.000Z (2 months ago)
- Last Synced: 2024-11-24T01:21:35.095Z (2 months ago)
- Topics: azure, azure-pim, azure-security, defender, jit, just-in-time, microsoft-defender, pim, privileged-access-management, terraform, vmaccess
- Language: HCL
- Homepage:
- Size: 126 KB
- Stars: 0
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Azure VM JIT access
Azure Virtual Machine (VM) with Just-in-Time access.
You'll need to enable [Microsoft Defender for Servers][1] for the Subscription.
> [!TIP]
> An Entra ID P2 license is also required for PIM.

Make sure you enable **Cloud Workload Protection (CWP)** for **Servers**. After that, install the agents using the Portal just for completeness.
Create the `.auto.tfvars` file and set the required parameters:
```sh
cp config/template.tfvars .auto.tfvars
```
Create the temporary keys:
```sh
mkdir .keys && ssh-keygen -f .keys/temp_rsa
```
Start by creating the sandbox infrastructure:
```sh
terraform init
terraform apply -auto-approve
```
> [!TIP]
> If you get the error `'LinuxJITPolicy' is not onboarded to Defender For Servers offering.`, add the server to Defender and apply again to finish the setup.

## JIT
If everything goes right, the JIT policy will automatically be created for the VM by the Terraform `AzApi` provider.
The permissions required are:
- `Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action`
- `Microsoft.Compute/virtualMachines/read`

To be able to log in with Entra ID credentials, users must have one of:
- `Virtual Machine Administrator Login`
- `Virtual Machine User Login`

Defender should have created the following `Deny` rule:
Now request your JIT access.
Defender should create the following `Allow` rule:
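The JIT section above lists the two actions a requester needs, the two built-in login roles, and says the policy is created through the `AzApi` provider. The Terraform below puts those pieces together as an added example; it is not the repository's own code. It assumes the `azurerm` and `azapi` providers are configured (azapi 2.x, where `body` is an HCL object), and that `azurerm_resource_group.rg`, `azurerm_linux_virtual_machine.vm` and `var.jit_user_object_id` are defined elsewhere; the custom role name and the 3-hour window are choices made here, not values from the README.

```hcl
# Added example, not code from epomatti/az-vm-jit.
# Assumes: azurerm + azapi (>= 2.0) providers, azurerm_resource_group.rg,
# azurerm_linux_virtual_machine.vm and var.jit_user_object_id exist.

data "azurerm_subscription" "current" {}

# Least-privilege custom role carrying only the two actions the README lists.
# "initiate/action" is what a JIT request calls; "virtualMachines/read" lets the
# requester see the VM in the Portal. Nothing else (no NSG or VM write) is granted.
resource "azurerm_role_definition" "jit_requester" {
  name  = "JIT VM Access Requester (example)" # hypothetical name
  scope = azurerm_resource_group.rg.id

  permissions {
    actions = [
      "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
      "Microsoft.Compute/virtualMachines/read",
    ]
    not_actions = []
  }

  assignable_scopes = [azurerm_resource_group.rg.id]
}

resource "azurerm_role_assignment" "jit_requester" {
  scope              = azurerm_resource_group.rg.id
  role_definition_id = azurerm_role_definition.jit_requester.role_definition_resource_id
  principal_id       = var.jit_user_object_id
}

# Entra ID login needs one of the two built-in roles from the README.
# "Virtual Machine User Login" is the less privileged one (no sudo).
resource "azurerm_role_assignment" "vm_login" {
  scope                = azurerm_linux_virtual_machine.vm.id
  role_definition_name = "Virtual Machine User Login"
  principal_id         = var.jit_user_object_id
}

# JIT network access policy. Defender keeps one policy per location under the
# name "default"; its parent is the Microsoft.Security/locations/<region> node.
# Only SSH is exposed and a request may last at most 3 hours.
resource "azapi_resource" "jit_policy" {
  type      = "Microsoft.Security/locations/jitNetworkAccessPolicies@2020-01-01"
  name      = "default"
  parent_id = "${data.azurerm_subscription.current.id}/resourceGroups/${azurerm_resource_group.rg.name}/providers/Microsoft.Security/locations/${azurerm_resource_group.rg.location}"

  body = {
    kind = "Basic"
    properties = {
      virtualMachines = [
        {
          id = azurerm_linux_virtual_machine.vm.id
          ports = [
            {
              number   = 22
              protocol = "TCP"
              # "*" lets the requester pick the source at request time; pin a
              # CIDR (e.g. your jump host range) here to fix it in the policy.
              allowedSourceAddressPrefix = "*"
              maxRequestAccessDuration   = "PT3H"
            }
          ]
        }
      ]
    }
  }
}
```

With this in place, the `Deny` rule on port 22 is Defender's doing, not Terraform's: it is added to the VM's NSG when the policy is created, and an `Allow` rule scoped to the requested source and time window is inserted in front of it only while a request is active. Keep `maxRequestAccessDuration` short and the source prefix narrow; both are the parameters an audit of the policy should look at.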
## `VMAccess` extension
It is possible to extend VM management capabilities using the [VMAccess extension][2].
To install the extension using Terraform:
```sh
# VMAccess
install_vmaccess_extension = true
```
To check for deployed extensions and the installation status:
```sh
az vm extension list \
  --resource-group <resource-group> \
  --vm-name <vm-name> -o table
```
---
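The README only shows the variable that switches the extension on. As an added example (not the repository's own code), this is the Terraform resource that the switch would typically control, using the temporary key created with `ssh-keygen` earlier. It assumes `azurerm_linux_virtual_machine.vm`, `var.install_vmaccess_extension` and `var.temp_public_key_path` exist; the user name `azureuser` is a placeholder.

```hcl
# Added example, not code from epomatti/az-vm-jit.
# Assumes: azurerm_linux_virtual_machine.vm, var.install_vmaccess_extension and
# var.temp_public_key_path are defined elsewhere.
#
# VMAccess can reset SSH keys, passwords and sshd configuration, so it is an
# administrative capability in its own right: keep it optional (count) and pass
# credentials through protected_settings, which Azure encrypts and never returns
# on read. Anything in `settings` is visible to every principal with VM read access.
resource "azurerm_virtual_machine_extension" "vmaccess" {
  count = var.install_vmaccess_extension ? 1 : 0

  name                       = "VMAccessForLinux"
  virtual_machine_id         = azurerm_linux_virtual_machine.vm.id
  publisher                  = "Microsoft.OSTCExtensions"
  type                       = "VMAccessForLinux"
  type_handler_version       = "1.5"
  auto_upgrade_minor_version = true

  # Sets (or replaces) the authorized key for the given user. `azureuser` is a
  # placeholder; the public half of the temp key comes from the ssh-keygen step.
  protected_settings = jsonencode({
    username = "azureuser"
    ssh_key  = file(var.temp_public_key_path)
  })
}
```

After `terraform apply`, the `az vm extension list ... -o table` command above should show `VMAccessForLinux` with `ProvisioningState` `Succeeded`. Because the extension rewrites login credentials, treat its presence as something to alert on outside planned maintenance windows: an activity-log entry for `Microsoft.Compute/virtualMachines/extensions/write` with this publisher and type is the event to watch.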
### Clean-up
Don't forget to disable Microsoft Defender if you're only testing.
Destroy the infrastructure:
```sh
terraform destroy -auto-approve
```

[1]: https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-enable-servers-plan
[2]: https://github.com/Azure/azure-linux-extensions/tree/master/VMAccess