Should I be concerned about unused Azure modules and security?

Asked By CuriousCoder97 On

I've recently begun using Azure Automation mainly to execute scheduled REST API calls to Microsoft Graph for generating reports. I noticed that every Automation Account comes with a long list of pre-installed Az.* modules, like Az.Accounts and Az.Resources, and many of these seem outdated while set to auto-update. My concern is whether these unused modules could pose a security risk if they remain outdated. Specifically, could someone exploit a vulnerable version of a module, like Az.KeyVault, even if I'm not using it in my runbooks? Or is the attack surface limited to the code executed in my runbooks? I only discovered these modules existed today, and it makes me a bit paranoid. I'd love any insights or guidance, especially from Microsoft, on whether I need to keep these updated when they're not in use.

3 Answers

Answered By SecuritySmith42 On

Generally speaking, having those modules in your Automation Account isn't a direct security concern. They only allow you to run commands from them if you explicitly use them in your scripts. If an attack were to occur, the real risk would stem from the code in your runbooks, not the mere presence of unused modules. Remember, it's a serverless PaaS environment—if something were to be compromised, it would likely be at Microsoft's end, not yours. So there’s no immediate need to worry about them being outdated as long as you didn't configure permissions for them.

Answered By CodeWhisperer99 On

I think your bigger concern should be around how you're managing tokens for your API calls. If your code is dealing with tokens in plain text, that's a security risk. Using the Az modules with built-in managed identity would enhance safety significantly.

CuriousCoder97 -

Actually, I'm already using the built-in managed identity to obtain the access token, utilizing `Connect-AzAccount`. So, I think I'm on the right track!

Answered By DevGuru22 On

I totally recommend using the managed identity of your Automation Account. This way, you don’t have to handle secrets directly, which makes things much more secure. It's the best option to ensure that you avoid any potential vulnerabilities tied to secret management.
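The managed-identity pattern the answers recommend, written out as an added example runbook (not code posted by anyone in the thread). It assumes the Automation Account's system-assigned managed identity has been granted the Microsoft Graph application permission User.Read.All; the report query itself is illustrative.

```powershell
# Added example runbook; not code from the thread.
# Assumption: the system-assigned managed identity holds the Microsoft Graph
# application permission User.Read.All (needed for the sample query below).

$ErrorActionPreference = 'Stop'

# Load only the module this runbook needs. The other pre-installed Az.* modules
# stay on disk and are loaded only if one of their cmdlets is called.
Import-Module Az.Accounts

# Do not inherit or persist an Az context inside the job.
Disable-AzContextAutosave -Scope Process | Out-Null

# Sign in as the managed identity: no secret, certificate or stored token.
Connect-AzAccount -Identity | Out-Null

# Request a token whose audience is Microsoft Graph.
$tokenResponse = Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com'

# Newer Az.Accounts releases return the token as a SecureString,
# older ones as a plain string; handle both.
$token = $tokenResponse.Token
if ($token -is [System.Security.SecureString]) {
    $token = [System.Net.NetworkCredential]::new('', $token).Password
}

# Single quotes keep PowerShell from expanding $select and $top.
$headers = @{ Authorization = "Bearer $token" }
$uri = 'https://graph.microsoft.com/v1.0/users?$select=displayName,userPrincipalName&$top=5'
$report = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers

# Emit only report data; never write the token to job output.
$report.value | Select-Object displayName, userPrincipalName

# Record which modules this job actually loaded, for comparison with the
# full list of modules installed in the Automation Account.
Get-Module | Select-Object Name, Version
```

The final `Get-Module` output lists only what the job loaded, which is the part of the installed module set the runbook actually exercises.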
