Administrator Username Types
Security · Deployment · Rule · 2022_09 · Awareness
Use secure parameters for sensitive resource properties.
Description
Resource properties can be configured using a hardcoded value or an Azure Bicep/ARM template expression.
When specifying sensitive values, use secure parameters such as secureString or secureObject.
Sensitive values that use deterministic expressions, such as hardcoded string literals or variables, are not secure: they end up in the template and in the deployment history in plain text.
Recommendation
Sensitive properties should be passed as parameters. Avoid using deterministic values for sensitive properties.
Examples
Configure with Azure template
To deploy resources that pass this rule:
- Use secure parameters to specify sensitive properties.
For example:
```json
{
  "type": "Microsoft.Compute/virtualMachines",
  "apiVersion": "2022-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "zones": [
    "1"
  ],
  "properties": {
    "hardwareProfile": {
      "vmSize": "Standard_D2s_v3"
    },
    "osProfile": {
      "computerName": "[parameters('name')]",
      "adminUsername": "[parameters('adminUsername')]",
      "adminPassword": "[parameters('adminPassword')]"
    },
    "storageProfile": {
      "imageReference": {
        "publisher": "MicrosoftWindowsServer",
        "offer": "WindowsServer",
        "sku": "[parameters('sku')]",
        "version": "latest"
      },
      "osDisk": {
        "name": "[format('{0}-disk0', parameters('name'))]",
        "caching": "ReadWrite",
        "createOption": "FromImage",
        "managedDisk": {
          "storageAccountType": "Premium_LRS"
        }
      }
    },
    "licenseType": "Windows_Server",
    "networkProfile": {
      "networkInterfaces": [
        {
          "id": "[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]"
        }
      ]
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]"
  ]
}
```
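The check this rule performs, as an added example in Python (not PSRule's own implementation): walk the resources of a parsed ARM template and, for each sensitive property name, report values that are not a reference to a parameter declared as secureString or secureObject. The sensitive-name list mirrors the defaults listed in the Notes and can be overridden, standing in for AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES; the sample template is constructed for the demonstration.

```python
import json
import re

# Default sensitive property names from this page; the rule itself reads the
# list from AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES.
DEFAULT_SENSITIVE = ("adminUsername", "administratorLogin", "administratorLoginPassword")
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def _walk(node, path):
    """Yield (path, key, value) for every key in a nested JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield f"{path}.{key}", key, value
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")


def find_insecure_properties(template, sensitive=DEFAULT_SENSITIVE):
    """Return JSON paths of sensitive properties not fed by a secure parameter.

    A value passes only if it is exactly "[parameters('x')]" and parameter x is
    declared as secureString or secureObject. String literals, variables(),
    concat() expressions and plain string parameters all fail.
    """
    params = template.get("parameters", {})
    findings = []
    for path, key, value in _walk(template.get("resources", []), "resources"):
        if key not in sensitive:
            continue
        match = PARAM_REF.match(value) if isinstance(value, str) else None
        ptype = params.get(match.group(1), {}).get("type", "") if match else ""
        if ptype.lower() not in ("securestring", "secureobject"):
            findings.append(path)
    return findings


# Constructed sample template: the VM passes, the SQL server fails twice
# (one plain string parameter, one string literal).
SAMPLE = json.loads("""{
  "parameters": {"adminUsername": {"type": "secureString"}, "sqlLogin": {"type": "string"}},
  "resources": [
    {"type": "Microsoft.Compute/virtualMachines",
     "properties": {"osProfile": {"adminUsername": "[parameters('adminUsername')]"}}},
    {"type": "Microsoft.Sql/servers",
     "properties": {"administratorLogin": "[parameters('sqlLogin')]",
                    "administratorLoginPassword": "not-a-real-secret"}}
  ]
}""")
```

Running `find_insecure_properties(SAMPLE)` returns the two SQL server paths; passing a narrower `sensitive` tuple reproduces the effect of configuring the property-name list.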
Configure with Bicep
To deploy resources that pass this rule:
- Use secure parameters to specify sensitive properties.
For example:
```bicep
// Declarations for the non-sensitive values the resource below references
// (name, location, sku and nic). They were not shown in the original snippet
// and are added here so the example deploys on its own.
param name string
param location string = resourceGroup().location
param sku string

@secure()
@description('The name of the local administrator account.')
param adminUsername string

@secure()
@description('A password for the local administrator account.')
param adminPassword string

// Existing network interface, deployed separately, that the VM attaches to.
resource nic 'Microsoft.Network/networkInterfaces@2022-07-01' existing = {
  name: '${name}-nic0'
}

resource vm1 'Microsoft.Compute/virtualMachines@2022-03-01' = {
  name: name
  location: location
  zones: [
    '1'
  ]
  properties: {
    hardwareProfile: {
      vmSize: 'Standard_D2s_v3'
    }
    osProfile: {
      computerName: name
      // Both values come from @secure() parameters, so they are never
      // written to the deployment history or logs in clear text.
      adminUsername: adminUsername
      adminPassword: adminPassword
    }
    storageProfile: {
      imageReference: {
        publisher: 'MicrosoftWindowsServer'
        offer: 'WindowsServer'
        sku: sku
        version: 'latest'
      }
      osDisk: {
        name: '${name}-disk0'
        caching: 'ReadWrite'
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'Premium_LRS'
        }
      }
    }
    licenseType: 'Windows_Server'
    networkProfile: {
      networkInterfaces: [
        {
          id: nic.id
        }
      ]
    }
  }
}
```
Notes
Configure AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES to specify sensitive property names.
By default, the following values are used:
- adminUsername
- administratorLogin
- administratorLoginPassword
Links
- Infrastructure provisioning considerations in Azure
- Use Azure Key Vault to pass secure parameter value during Bicep deployment
- Integrate Azure Key Vault in your ARM template deployment