Fix Azure ML data exfiltration vulnerability by removing AzureMachineLearning service tag access and enforcing RBAC

CHANGELOG.md

@@ -1,9 +1,11 @@
 <!-- markdownlint-disable MD041 -->
 ## 0.27.0 (Unreleased)
 **BREAKING CHANGES**
+* Azure ML workspace service now requires auto group creation for RBAC; legacy service-principal role assignment fallback has been removed. ([#4687](https://github.com/microsoft/AzureTRE/pull/4687))
 * Fix missing arguments for airlock manager requests - change in API contract  ([#4544](https://github.com/microsoft/AzureTRE/issues/4544))
 * Clarify cost label time period and aggregation scope in UI tooltips ([#4607](https://github.com/microsoft/AzureTRE/pull/4607))
 
+
 ENHANCEMENTS:
 * Upgrade Guacamole to v1.6.0 with Java 17 and other security updates ([#4754](https://github.com/microsoft/AzureTRE/pull/4754))
 * API: Replace HTTP_422_UNPROCESSABLE_ENTITY response with HTTP_422_UNPROCESSABLE_CONTENT as per RFC 9110 ([#4742](https://github.com/microsoft/AzureTRE/issues/4742))
@@ -21,6 +23,8 @@ BUG FIXES:
 * Fix R configuration with incorrect quotes preventing package installation on Linux VMs ([#4657](https://github.com/microsoft/AzureTRE/issues/4657))
 * Add timeouts to Graph requests in API ([#4723](https://github.com/microsoft/AzureTRE/issues/4723))
 * Fix missing metastoreDomains for Databricks, which caused metastore outages for some domains ([#4779](https://github.com/microsoft/AzureTRE/issues/4779))
+* Fix data exfiltration vulnerability in Azure ML workspace service by removing unrestricted AzureMachineLearning service tag access and enforcing RBAC-based storage access ([#4660](https://github.com/microsoft/AzureTRE/issues/4660))
+
 
 COMPONENTS:
 

templates/workspace_services/azureml/porter.yaml

@@ -1,19 +1,12 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-azureml
-version: 0.10.0
+version: 1.1.2
 description: "An Azure TRE service for Azure Machine Learning"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
 
 credentials:
-  # Credentials for interacting with the AAD Auth tenant
-  - name: auth_client_id
-    env: AUTH_CLIENT_ID
-  - name: auth_client_secret
-    env: AUTH_CLIENT_SECRET
-  - name: auth_tenant_id
-    env: AUTH_TENANT_ID
   # Credentials for interacting with Azure
   - name: azure_tenant_id
     env: ARM_TENANT_ID
@@ -61,8 +54,6 @@ parameters:
     default: false
   - name: arm_environment
     env: ARM_ENVIRONMENT
-  - name: azure_environment
-    env: AZURE_ENVIRONMENT
   - name: enable_cmk_encryption
     type: boolean
     default: false
@@ -71,6 +62,12 @@ parameters:
     default: ""
   - name: log_analytics_workspace_name
     type: string
+  - name: workspace_owners_group_id
+    type: string
+    description: "Object ID of the workspace owners AAD group"
+  - name: workspace_researchers_group_id
+    type: string
+    description: "Object ID of the workspace researchers AAD group"
 
 outputs:
   - name: azureml_workspace_name
@@ -142,14 +139,12 @@ install:
         address_space: ${ bundle.parameters.address_space }
         is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
         arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
-        auth_client_id: ${ bundle.credentials.auth_client_id }
-        auth_client_secret: ${ bundle.credentials.auth_client_secret }
-        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
         arm_environment: ${ bundle.parameters.arm_environment }
-        azure_environment: ${ bundle.parameters.azure_environment }
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
         log_analytics_workspace_name: ${ bundle.parameters.log_analytics_workspace_name }
+        workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id }
+        workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -181,14 +176,12 @@ upgrade:
         address_space: ${ bundle.parameters.address_space }
         is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
         arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
-        auth_client_id: ${ bundle.credentials.auth_client_id }
-        auth_client_secret: ${ bundle.credentials.auth_client_secret }
-        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
         arm_environment: ${ bundle.parameters.arm_environment }
-        azure_environment: ${ bundle.parameters.azure_environment }
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
         log_analytics_workspace_name: ${ bundle.parameters.log_analytics_workspace_name }
+        workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id }
+        workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -220,14 +213,12 @@ uninstall:
         address_space: ${ bundle.parameters.address_space }
         is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
         arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
-        auth_client_id: ${ bundle.credentials.auth_client_id }
-        auth_client_secret: ${ bundle.credentials.auth_client_secret }
-        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
         arm_environment: ${ bundle.parameters.arm_environment }
-        azure_environment: ${ bundle.parameters.azure_environment }
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
         log_analytics_workspace_name: ${ bundle.parameters.log_analytics_workspace_name }
+        workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id }
+        workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"

templates/workspace_services/azureml/template_schema.json

@@ -44,6 +44,18 @@
       "$id": "#/properties/log_analytics_workspace_name",
       "type": "string",
       "title": "Log Analytics Workspace Name"
+    },
+    "workspace_owners_group_id": {
+      "$id": "#/properties/workspace_owners_group_id",
+      "type": "string",
+      "title": "Workspace Owners Group ID",
+      "description": "Object ID of the workspace owners AAD group"
+    },
+    "workspace_researchers_group_id": {
+      "$id": "#/properties/workspace_researchers_group_id",
+      "type": "string",
+      "title": "Workspace Researchers Group ID",
+      "description": "Object ID of the workspace researchers AAD group"
     }
   },
   "uiSchema": {
@@ -52,6 +64,12 @@
     },
     "log_analytics_workspace_name": {
       "classNames": "tre-hidden"
+    },
+    "workspace_owners_group_id": {
+      "classNames": "tre-hidden"
+    },
+    "workspace_researchers_group_id": {
+      "classNames": "tre-hidden"
     }
   },
   "pipeline": {
@@ -70,6 +88,16 @@
             "name": "log_analytics_workspace_name",
             "type": "string",
             "value": "{{ resource.parent.properties.log_analytics_workspace_name }}"
+          },
+          {
+            "name": "workspace_owners_group_id",
+            "type": "string",
+            "value": "{{ resource.parent.properties.workspace_owners_group_id }}"
+          },
+          {
+            "name": "workspace_researchers_group_id",
+            "type": "string",
+            "value": "{{ resource.parent.properties.workspace_researchers_group_id }}"
           }
         ]
       },
@@ -150,22 +178,6 @@
                     "TCP"
                   ]
                 },
-                {
-                  "name": "AzureML_Client",
-                  "description": "AzureML Client",
-                  "source_addresses": "{{ resource.properties.workspace_address_spaces }}",
-                  "destination_addresses": [
-                    "AzureActiveDirectory",
-                    "AzureResourceManager",
-                    "AzureMachineLearning"
-                  ],
-                  "destination_ports": [
-                    "443"
-                  ],
-                  "protocols": [
-                    "TCP"
-                  ]
-                },
                 {
                   "name": "AzureML_Storage",
                   "description": "AzureML Storage",
@@ -296,22 +308,6 @@
                     "TCP"
                   ]
                 },
-                {
-                  "name": "AzureML_Client",
-                  "description": "AzureML Client",
-                  "source_addresses": "{{ resource.properties.workspace_address_spaces }}",
-                  "destination_addresses": [
-                    "AzureActiveDirectory",
-                    "AzureResourceManager",
-                    "AzureMachineLearning"
-                  ],
-                  "destination_ports": [
-                    "443"
-                  ],
-                  "protocols": [
-                    "TCP"
-                  ]
-                },
                 {
                   "name": "AzureML_Storage",
                   "description": "AzureML Storage",

templates/workspace_services/azureml/terraform/acr.tf

@@ -20,7 +20,6 @@ resource "azurerm_container_registry" "acr" {
   dynamic "encryption" {
     for_each = var.enable_cmk_encryption ? [1] : []
     content {
-      enabled            = true
       key_vault_key_id   = data.azurerm_key_vault_key.ws_encryption_key[0].id
       identity_client_id = data.azurerm_user_assigned_identity.ws_encryption_identity[0].client_id
     }

templates/workspace_services/azureml/terraform/network.tf

@@ -170,61 +170,7 @@ resource "azurerm_network_security_rule" "allow_outbound_to_internet" {
   source_port_range           = "*"
 }
 
-resource "azurerm_network_security_rule" "allow_outbound_to_aml_udp_5831" {
-  access                      = "Allow"
-  destination_address_prefix  = "AzureMachineLearning"
-  destination_port_range      = "5831"
-  direction                   = "Outbound"
-  name                        = "to-aml-udp"
-  network_security_group_name = azurerm_network_security_group.aml.name
-  priority                    = 106
-  protocol                    = "Udp"
-  resource_group_name         = data.azurerm_resource_group.ws.name
-  source_address_prefix       = "*"
-  source_port_range           = "*"
-}
-
-resource "azurerm_network_security_rule" "allow_outbound_to_aml_tcp_443" {
-  access                      = "Allow"
-  destination_address_prefix  = "AzureMachineLearning"
-  destination_port_range      = "443"
-  direction                   = "Outbound"
-  name                        = "to-aml-tcp-443"
-  network_security_group_name = azurerm_network_security_group.aml.name
-  priority                    = 107
-  protocol                    = "Tcp"
-  resource_group_name         = data.azurerm_resource_group.ws.name
-  source_address_prefix       = "*"
-  source_port_range           = "*"
-}
 
-resource "azurerm_network_security_rule" "allow_outbound_to_aml_tcp_8787" {
-  access                      = "Allow"
-  destination_address_prefix  = "AzureMachineLearning"
-  destination_port_range      = "8787"
-  direction                   = "Outbound"
-  name                        = "to-aml-tcp-8787-rstudio"
-  network_security_group_name = azurerm_network_security_group.aml.name
-  priority                    = 108
-  protocol                    = "Tcp"
-  resource_group_name         = data.azurerm_resource_group.ws.name
-  source_address_prefix       = "*"
-  source_port_range           = "*"
-}
-
-resource "azurerm_network_security_rule" "allow_outbound_to_aml_tcp_18881" {
-  access                      = "Allow"
-  destination_address_prefix  = "AzureMachineLearning"
-  destination_port_range      = "18881"
-  direction                   = "Outbound"
-  name                        = "to-aml-tcp-18881-language-server"
-  network_security_group_name = azurerm_network_security_group.aml.name
-  priority                    = 109
-  protocol                    = "Tcp"
-  resource_group_name         = data.azurerm_resource_group.ws.name
-  source_address_prefix       = "*"
-  source_port_range           = "*"
-}
 
 resource "azurerm_network_security_rule" "allow_outbound_within_workspace_vnet" {
   access                       = "Allow"

templates/workspace_services/azureml/terraform/providers.tf

@@ -2,16 +2,12 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "=3.117.0"
+      version = "=4.54.0"
     }
     azapi = {
       source  = "Azure/azapi"
       version = "= 2.3.0"
     }
-    external = {
-      source  = "hashicorp/external"
-      version = "= 2.3.5"
-    }
     random = {
       source  = "hashicorp/random"
       version = "= 3.7.2"