Published 2022-06-20. Last modified 2022-06-29.
Time to read: 4 minutes.
After realizing that AWS does not integrate security with real-time billing, and being presented with a huge bill after my account was hijacked, I decided to see if Microsoft Azure offered me better financial security.
In particular, I am looking for two things:
- A more secure authentication mechanism – If AWS credentials are compromised, they can be used from anywhere in the world.
- Restricting scope and scale of authorized services – With AWS, if an IAM user has a role that allows EC2 instances to be launched, any number of any size EC2 instances can be launched. There is no way to cap the number or type of EC2 instances, and AWS real-time billing is not integrated with the authentication mechanism. Furthermore, AWS has a peculiar set of busy work tasks for victims of account hijacking that appears to be targeted more towards increasing support revenue than address root issues. This means that the bad guys have no limit to the financial damage they can incur on their victims.
For PaaS vendors such as AWS, Azure, Digital Ocean, Cloudflare, ScaleWay, etc: “pay-as-you-go” is shorthand for “there is nothing you can do to limit your financial liability”.
I set out to discover if Azure also suffers from these same problems.
Azure Roles and Policies
The Azure Virtual Machines Documentation contains the following passage:
Azure policies can be used to define the desired behavior for your organization's Windows VMs and Linux VMs. By using policies, an organization can enforce various conventions and rules throughout the enterprise. Enforcement of the desired behavior can help mitigate risk while contributing to the success of the organization.
Azure role-based access control
Using Azure role-based access control (Azure RBAC), you can segregate duties within your team and grant only the amount of access to users on your VM that they need to perform their jobs. Instead of giving everybody unrestricted permissions on the VM, you can allow only certain actions. You can configure access control for the VM in the Azure portal, using the Azure CLI, or Azure PowerShell.
I soon discovered the following passage in the Azure documentation, which appeared to exactly match the second item in the wish list at the top of this article:
Azure RBAC focuses on managing user actions at different scopes. If control of an action is required, then Azure RBAC is the correct tool to use. Even if an individual has access to perform an action, if the result is a non-compliant resource, Azure Policy still blocks the create or update.
The combination of Azure RBAC and Azure Policy provides full scope control in Azure.
AWS RBAC does not provide functionality equivalent to that provided by Microsoft Azure RBAC plus Azure Policy, even when combined with other AWS functionality.
No Limits On Other Azure Services
The financial limitations that Azure allows you to impose are only available for virtual machines. Users are subject to unlimited financial liability from other Azure services. It seems I have
- Figure out how to set up RBAC and accept that other services might run up a huge bill.
- Look for a fixed-price hosting service
- Give Azure Spending Limit a try
Before I sign off today, I encountered a blocking issue with Azure that I'd like to mention.
I want to update my website by running a command-line command that runs something analogous to
rsync. I spent quite some time looking for how this might be done with Azure.
Before long, it seemed that Active Directory was the best way forward, however setting it up is daunting. Apparently a service principal is better suited for scripts that run on-premises, like my home office. I got the impression that I need to register an app; unsure what app might be required for hosting a web site on Azure Blob Storage with Azure CDN.
These Active Directory docs look like a lot of abstract, generalized information that is way more complex than I need. I found a streamlined article for my use case. Not sure what this means: “Only storage accounts created with the Azure Resource Manager deployment model support Azure AD authorization.” This streamlined document is not very streamlined. For me, this issue is a significant barrier to adoption.
Update: Azure Spending Limit
I just bumped into an article entitled Azure spending limit. Perhaps this might be useful. I tried to find out more from Microsoft, but at first they said I would have to subscribe to an expensive support plan before anyone would speak to me. That is not how I wish to proceed. Later, I opened a ticket inquiring about Azure customers facing unlimited financial liability.
The ticket was escalated twice, then Microsoft sent me the following official response (emphasis is mine):
Correct, at this moment that feature of setting limits does not exist, Azure is not able to safeguard customers from unlimited financial liability.
We are a support team that we provide help with current account or billing issues, in addition to that, I would like to mention that Azure products are constantly being updated, also Azure is constantly improving to offer better services to our customers. For this reason, I would like to invite you to leave your feedback in the Azure feedback forum (General Feedback · Community (azure.com)), so your feedback is forwarded through the right channel and to the Microsoft internal resources that work on it.
I responded by indicating that I would close my Azure account.
While the practice of imposing unlimited financial liability on customers is common today for PaaS vendors, it is unnecessary and predatory. If in the future I need to use a product or service that incurs unlimited financial liability for a client, I will require the client to accept the liability.