🛡️ Azure Managed Disk Public Network Access is not disabled🟢

• Contextual name: 🛡️ Managed Disk Public Network Access is not disabled🟢
• ID: /ce/ca/azure/virtual-machine/disable-managed-disk-public-network-access
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Azure Managed Disk
  • 🔌 Azure Managed Disk - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Internal: dec-x-b17c005c

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-b17c005c	1

Description

Open File

Description

Virtual Machine Disks and snapshots can be configured to allow access from different network resources.

Rationale

The setting Enable public access from all networks is, in many cases, an overly permissive setting on Virtual Machine Disks that presents atypical attack, data infiltration, and data exfiltration vectors. If a disk to network connection is required, the preferred setting is to Disable public access and enable private access.

Impact

The setting Disable public access and enable private access will require configuring a private link (URL in references below).

The setting Disable public and private access is most secure and preferred where disk network access is not needed.

Audit

From Azure Portal

Part A. Select the Virtual Machine to Evaluate

1. Using the search bar, search for and open the Virtual Machines service.
2. Click on the name of the Virtual Machine to be audited.

Part B. Evaluate each Virtual Machine Disk individually

1. From the selected Virtual Machine resource window, expand the Settings menu item and click Disks.

... see more

Remediation

Open File

Remediation

From Azure Portal

Part A. Select the Virtual Machine to Remediate

1. Using the search bar, search for and open the Virtual Machines service.
2. Click on the name of the Virtual Machine to be remediated.

Part B. Remediate each Virtual Machine Disk individually

1. From the selected Virtual Machine resource window, expand the Settings menu item and click Disks.
2. For each disk, click the name of the disk to open the disk resource window.
3. From the selected Disk resource window, expand the Settings menu item, and click Networking.

Under Network access, select the radio button for either:

• Disable public access and enable private access
• Disable public and private access

Repeat Part B for each Disk attached to a VM.

Repeat Parts A and B to remediate all Disks in all VMs.

From Azure CLI

To configure a disk to allow private access only, run the following command making sure you have the Disk Access ID from a private disk access end point:

az disk update --name <managed disk name> --resource-group <resource group name> --network-access-policy AllowPrivate --disk-access <disk access ID>

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 APRA CPG 234 → 💼 36d access management controls —only authorised users, software and hardware are able to access information assets (refer to Attachment B for further guidance);		14	14		no data
💼 APRA CPG 234 → 💼 36e hardware and software asset controls —appropriate authorisation to prevent security compromises from unauthorised hardware and software assets;		16	16		no data
💼 APRA CPG 234 → 💼 36f network design — to ensure authorised network traffic flows and to reduce the impact of security compromises;		29	30		no data
💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.		35	37		no data
💼 APRA CPG 234 → 💼 52d appropriate segmentation of data, based on sensitivity and access needs;		10	10		no data
💼 APRA CPG 234 → 💼 53 Wholesale access to sensitive data (e.g. contents of customer databases or intellectual property that can be exploited for personal gain) would be highly restricted to reduce the risk exposure to significant data leakage events. Industry experience of actual data leakage incidents include the unauthorised extraction of debit/credit card details, theft of personally identifiable information, loss of unencrypted backup media and the sale/trade or exploitation of customer identity data.		10	10		no data
💼 CIS Azure v3.0.0 → 💼 8.5 Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks' (Automated)			1		no data
💼 Cloudaware Framework → 💼 Public and Anonymous Access			101		no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	48		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			48		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	48		no data
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet		36	38		no data