Description
For added security, only install organization-approved extensions on VMs.
Rationale
Azure virtual machine extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. These extensions run with administrative privileges and could potentially access anything on a virtual machine. The Azure Portal and community provide several such extensions. Each organization should carefully evaluate these extensions and ensure that only those that are approved for use are actually implemented.
Impact
Functionality provided by extensions that are not on the organization's approved list will be unavailable, since those extensions must be removed or blocked.
Audit
From Azure Portal
- Go to `Virtual machines`.
- For each virtual machine, click on the server name to select it.
- In the new column menu, under `Settings`, click on `Extensions + applications`.
- Ensure that all the listed extensions are approved by your organization for use.
From Azure CLI
Use the command below to list the extensions attached to a VM, and ensure the listed extensions are approved for use:
`az vm extension list --vm-name <vmName> --resource-group <resourceGroupName> --query "[*].name"`
Note that `name` is the extension instance name chosen at install time and need not match the extension type; when reviewing, also check the `publisher` and `typePropertiesType` fields returned by the same command.
From PowerShell
Get a list of VMs:
`Get-AzVM`
For each VM run the following command:
`Get-AzVMExtension -ResourceGroupName <VM Resource Group> -VMName <VM Name>`
Review each `Name`, `ExtensionType`, and `ProvisioningState` to make sure no unauthorized extensions are installed on any virtual machines.
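The manual checks above scale poorly across a subscription, and auditing by instance name alone is weak because the name is chosen by whoever installs the extension. The script below is an added example, not part of the benchmark or of Microsoft's tooling: it drives the same `az vm list` and `az vm extension list` commands from Python and flags every extension whose (publisher, extension type) pair is not on an allowlist. The allowlist entries are illustrative placeholders for an organization's real approved list, and the sample extension records are constructed to mirror the CLI's JSON shape; the fallback key `virtualMachineExtensionType` is assumed for older CLI versions that did not emit `typePropertiesType`.

```python
import json
import subprocess

# Constructed allowlist of (publisher, extension type) pairs, for illustration
# only. Replace with the extensions your organization has actually approved.
APPROVED_EXTENSIONS = {
    ("Microsoft.Azure.Monitor", "AzureMonitorWindowsAgent"),
    ("Microsoft.Azure.Monitor", "AzureMonitorLinuxAgent"),
    ("Microsoft.Azure.Security", "IaaSAntimalware"),
}


def extension_type(ext):
    """Return the extension type of one `az vm extension list` record.

    Current CLI versions emit `typePropertiesType`; the second key is an
    assumed fallback for older versions. `type` is NOT used, because that is
    the ARM resource type (Microsoft.Compute/virtualMachines/extensions).
    """
    return ext.get("typePropertiesType") or ext.get("virtualMachineExtensionType") or ""


def find_unapproved(extensions, approved=APPROVED_EXTENSIONS):
    """Return the extension records whose (publisher, type) is not approved.

    The comparison deliberately ignores `name`: that is the instance name set
    at install time, so a CustomScript extension can be named anything.
    Matching is case-insensitive to avoid false positives on ARM identifiers.
    """
    allowed = {(p.lower(), t.lower()) for p, t in approved}
    return [
        e for e in extensions
        if (e.get("publisher", "").lower(), extension_type(e).lower()) not in allowed
    ]


def az(*args):
    """Run an Azure CLI command and parse its JSON output (requires `az login`)."""
    proc = subprocess.run(["az", *args, "-o", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def audit_subscription():
    """Map 'resourceGroup/vmName' -> list of unapproved extensions for the
    current subscription. VMs with only approved extensions are omitted."""
    findings = {}
    for vm in az("vm", "list", "--query", "[].{name:name, rg:resourceGroup}"):
        exts = az("vm", "extension", "list",
                  "--vm-name", vm["name"], "--resource-group", vm["rg"])
        bad = find_unapproved(exts)
        if bad:
            findings[f'{vm["rg"]}/{vm["name"]}'] = [
                (e.get("name"), e.get("publisher"), extension_type(e),
                 e.get("provisioningState"))
                for e in bad
            ]
    return findings


# Constructed sample records in the shape `az vm extension list` returns.
# The second one is a CustomScript extension whose instance name was chosen
# to look like the monitoring agent; a name-only audit would accept it.
SAMPLE_EXTENSIONS = [
    {"name": "AzureMonitorWindowsAgent", "publisher": "Microsoft.Azure.Monitor",
     "typePropertiesType": "AzureMonitorWindowsAgent", "provisioningState": "Succeeded"},
    {"name": "AzureMonitorWindowsAgent", "publisher": "Microsoft.Compute",
     "typePropertiesType": "CustomScriptExtension", "provisioningState": "Succeeded"},
]

if __name__ == "__main__":
    for e in find_unapproved(SAMPLE_EXTENSIONS):
        print("unapproved:", e["name"], e["publisher"], extension_type(e))
    # Uncomment to audit the subscription selected by `az account set`:
    # print(json.dumps(audit_subscription(), indent=2))
```

Run it with the sample data first; the only finding is the `Microsoft.Compute/CustomScriptExtension` record, even though its instance name matches an approved agent. For a real audit, uncomment the last line after `az login`; the returned mapping is what you would feed into a ticket or a `az vm extension delete` remediation.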
From Azure Policy
If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.
- Policy ID: c0e996f8-39cf-4af9-9f45-83fbde810432 - Name: Only approved VM extensions should be installed
Default Value
By default, no extensions are added to the virtual machines.
References
- https://docs.microsoft.com/en-us/azure/virtual-machines/windows/extensions-features
- https://docs.microsoft.com/en-us/powershell/module/az.compute/?view=azps-7.5.0#vm-extensions
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-asset-management#am-5-use-only-approved-applications-in-virtual-machine