
πŸ“ Azure Managed Disk Public Network Access is not disabled 🟒

  • Contextual name: 📁 Managed Disk Public Network Access is not disabled 🟢
  • ID: /ce/ca/azure/virtual-machine/disable-managed-disk-public-network-access
  • Located in: 📁 Azure Virtual Machines

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

  • Internal
    • dec-x-b17c005c

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-b17c005c | 1 |

Logic

Description

Virtual Machine Disks and snapshots can be configured to allow access from different network resources.

Rationale

The setting Enable public access from all networks is, in many cases, an overly permissive setting on Virtual Machine Disks that presents atypical attack, data infiltration, and data exfiltration vectors. If a disk-to-network connection is required, the preferred setting is Disable public access and enable private access.

Impact

The setting Disable public access and enable private access will require configuring a private link (URL in references below).

The setting Disable public and private access is most secure and preferred where disk network access is not needed.

Audit

From Azure Portal
Part A. Select the Virtual Machine to Evaluate
  1. Using the search bar, search for and open the Virtual Machines service.
  2. Click on the name of the Virtual Machine to be audited.
Part B. Evaluate each Virtual Machine Disk individually
  1. From the selected Virtual Machine resource window, expand the Settings menu item and click Disks.

... see more

Remediation

From Azure Portal​

Part A. Select the Virtual Machine to Remediate​
  1. Using the search bar, search for and open the Virtual Machines service.
  2. Click on the name of the Virtual Machine to be remediated.
Part B. Remediate each Virtual Machine Disk individually​
  1. From the selected Virtual Machine resource window, expand the Settings menu item and click Disks.
  2. For each disk, click the name of the disk to open the disk resource window.
  3. From the selected Disk resource window, expand the Settings menu item, and click Networking.

Under Network access, select the radio button for either:

  • Disable public access and enable private access
  • Disable public and private access

Repeat Part B for each Disk attached to a VM.

Repeat Parts A and B to remediate all Disks in all VMs.

From Azure CLI

To configure a disk to allow private access only, run the following command, making sure you have the Disk Access ID of a private disk access endpoint:

az disk update --name <managed disk name> --resource-group <resource group name> --network-access-policy AllowPrivate --disk-access <disk access ID>

... [see more](remediation.md)
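The audit and the CLI remediation above can be scripted together. The block below is an added example, not code from this policy page or from Cloudaware's rule implementation: it reads output in the shape of `az disk list -o json` (the `networkAccessPolicy`, `publicNetworkAccess` and `diskAccessId` properties are real managed-disk properties; the disks, names and IDs are constructed), reports every disk still on Enable public access from all networks, and builds the `az disk update` command that moves it to AllowPrivate when a Disk Access ID is supplied or to DenyAll when it is not.

```python
import json
import shlex

# Constructed sample in the shape of `az disk list -o json`, trimmed to the
# properties this check uses (networkAccessPolicy, publicNetworkAccess and
# diskAccessId are real managed-disk properties; names and IDs are made up).
SAMPLE_DISK_LIST = json.dumps([
    {"name": "vm1-osdisk", "resourceGroup": "rg-prod",
     "networkAccessPolicy": "AllowAll", "publicNetworkAccess": "Enabled"},
    {"name": "vm1-data0", "resourceGroup": "rg-prod",
     "networkAccessPolicy": "AllowPrivate", "publicNetworkAccess": "Disabled",
     "diskAccessId": "/subscriptions/<sub-id>/resourceGroups/rg-prod/providers/Microsoft.Compute/diskAccesses/da-prod"},
    {"name": "vm2-osdisk", "resourceGroup": "rg-dev",
     "networkAccessPolicy": "DenyAll", "publicNetworkAccess": "Disabled"},
    # Assumption: a disk with no networkAccessPolicy at all is treated as
    # 'Enable public access from all networks', the portal default.
    {"name": "legacy-disk", "resourceGroup": "rg-dev"},
])


def is_public(disk):
    """True when the disk allows 'Enable public access from all networks'."""
    return disk.get("networkAccessPolicy", "AllowAll") == "AllowAll"


def audit(disk_list_json):
    """Return (name, resourceGroup) for every disk that fails the check."""
    return [(d["name"], d["resourceGroup"])
            for d in json.loads(disk_list_json) if is_public(d)]


def remediation_command(disk, disk_access_id=None):
    """Build the `az disk update` command that closes the finding.

    With a Disk Access resource ID the disk moves to 'Disable public access and
    enable private access' (AllowPrivate); without one the target is 'Disable
    public and private access' (DenyAll), as AllowPrivate needs a disk access.
    """
    argv = ["az", "disk", "update", "--name", disk["name"],
            "--resource-group", disk["resourceGroup"], "--network-access-policy"]
    if disk_access_id:
        argv += ["AllowPrivate", "--disk-access", disk_access_id]
    else:
        argv.append("DenyAll")
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    for name, rg in audit(SAMPLE_DISK_LIST):  # prints one command per finding
        print(remediation_command({"name": name, "resourceGroup": rg}))
```

Replace `SAMPLE_DISK_LIST` with the real `az disk list -o json` output and review each printed command before running it; choosing DenyAll removes the private path as well, so pass the Disk Access ID for any disk that still needs network access.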

policy.yaml

Linked Framework Sections

Section | Sub Section | Internal Rules / Policies / Flags
💼 APRA CPG 234 → 💼 36d access management controls — only authorised users, software and hardware are able to access information assets (refer to Attachment B for further guidance); | 1313
💼 APRA CPG 234 → 💼 36e hardware and software asset controls — appropriate authorisation to prevent security compromises from unauthorised hardware and software assets; | 1515
💼 APRA CPG 234 → 💼 36f network design — to ensure authorised network traffic flows and to reduce the impact of security compromises; | 2829
💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions. | 3436
💼 APRA CPG 234 → 💼 52d appropriate segmentation of data, based on sensitivity and access needs; | 1010
💼 APRA CPG 234 → 💼 53 Wholesale access to sensitive data (e.g. contents of customer databases or intellectual property that can be exploited for personal gain) would be highly restricted to reduce the risk exposure to significant data leakage events. Industry experience of actual data leakage incidents include the unauthorised extraction of debit/credit card details, theft of personally identifiable information, loss of unencrypted backup media and the sale/trade or exploitation of customer identity data. | 1010
💼 CIS Azure v3.0.0 → 💼 8.5 Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks' (Automated) | 1
💼 Cloudaware Framework → 💼 Public and Anonymous Access | 24
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) | 1139
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) | 39
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows | 3539
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet | 3537