Skip to main content

๐Ÿ›ก๏ธ Azure Network Security Group allows public access to HTTP(S) ports๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ Security Group allows public access to HTTP(S) ports๐ŸŸข
  • ID: /ce/ca/azure/virtual-network/security-group-allows-unrestricted-http-traffic
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logicโ€‹

Similar Policiesโ€‹

Similar Internal Rulesโ€‹

RulePoliciesFlags
โœ‰๏ธ dec-x-f4cc003a1

Descriptionโ€‹

Open File

Descriptionโ€‹

Ensure that Azure Network Security Groups are not configured with Network Security Group (NSG) rules that allow unrestricted inbound access to HTTP (port 80) and HTTPS (port 443) from the public internet. Inbound access to these ports should be restricted to trusted IP address ranges or fronted by secure services such as Azure Application Gateway or Azure Front Door to reduce exposure and maintain a strong security posture.

Rationaleโ€‹

NSGs are critical components for controlling network traffic to and from Azure resources. Inbound access to ports 80 (HTTP) and 443 (HTTPS) from any source (0.0.0.0/0, ::/0) significantly increases the attack surface of a NSG and may allow unauthenticated access to web applications or services. Periodically auditing NSG rules and restricting internet exposure to only what is strictly necessary is a key security best practice. Where public access is required, it should be scoped to specific source IPs or protected by additional layers such as web application firewalls (WAFs) or reverse proxies.

... see more

Remediationโ€‹

Open File

Remediationโ€‹

Modify or Remove Insecure NSG Ruleโ€‹

Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:

  • If the rule is not required: Remove the rule entirely.

  • If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.

Azure CLIโ€‹

  1. Delete the rule:

    az network nsg rule delete \
      --resource-group {{resource-group-name}} \
      --nsg-name {{nsg-name}} \
      --name {{rule-name}}

  2. Restrict the rule:

    az network nsg rule update \
        --resource-group {{resource-group-name}} \
        --nsg-name {{nsg-name}} \
        --name {{rule-name}} \
        --source-address-prefixes {{trusted-cidr}}

    Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., --source-address-prefixes "1.2.3.4/32 5.6.7.8/32").

... see more

policy.yamlโ€‹

Open File

Linked Framework Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 36d access management controls โ€”only authorised users, software and hardware are able to access information assets (refer to Attachment B for further guidance);1717no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 36e hardware and software asset controls โ€”appropriate authorisation to prevent security compromises from unauthorised hardware and software assets;1919no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 36f network design โ€” to ensure authorised network traffic flows and to reduce the impact of security compromises;3435no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.4042no data
๐Ÿ’ผ CIS Azure v1.5.0 โ†’ ๐Ÿ’ผ 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted - Level 1 (Automated)11no data
๐Ÿ’ผ CIS Azure v2.0.0 โ†’ ๐Ÿ’ผ 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted - Level 1 (Automated)11no data
๐Ÿ’ผ CIS Azure v2.1.0 โ†’ ๐Ÿ’ผ 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted - Level 1 (Automated)11no data
๐Ÿ’ผ CIS Azure v3.0.0 โ†’ ๐Ÿ’ผ 7.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted (Automated)1no data
๐Ÿ’ผ CIS Azure v4.0.0 โ†’ ๐Ÿ’ผ 8.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted (Automated)1no data
๐Ÿ’ผ CIS Azure v5.0.0 โ†’ ๐Ÿ’ผ 7.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted (Automated)1no data
๐Ÿ’ผ CIS Azure v6.0.0 โ†’ ๐Ÿ’ผ 7.4 Ensure that HTTP(S) Access from the Internet is Evaluated and Restricted (Automated)1no data
๐Ÿ’ผ Cloudaware Framework โ†’ ๐Ÿ’ผ Network Exposure137no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1168no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(5) Deny by Default โ€” Allow by Exception (M)(H)23no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-4(21) Physical or Logical Separation of Information Flows (M)(H)68no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-7(5) Deny by Default โ€” Allow by Exception (M)(H)23no data
๐Ÿ’ผ ISO/IEC 27001:2013 โ†’ ๐Ÿ’ผ A.9.4.1 Information access restriction2425no data
๐Ÿ’ผ ISO/IEC 27001:2022 โ†’ ๐Ÿ’ผ 6.7 Remote working44no data
๐Ÿ’ผ ISO/IEC 27001:2022 โ†’ ๐Ÿ’ผ 8.1 User end point devices813no data
๐Ÿ’ผ ISO/IEC 27001:2022 โ†’ ๐Ÿ’ผ 8.16 Monitoring activities45no data
๐Ÿ’ผ ISO/IEC 27001:2022 โ†’ ๐Ÿ’ผ 8.22 Segregation of networks44no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties2362no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.DS-5: Protections against data leaks are implemented5498no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties144no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected196no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected167no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected197no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows4268no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(5) Boundary Protection _ Deny by Default โ€” Allow by Exception823no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.1 Establish and implement firewall and router configuration standards7145no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.132no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.1067no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.7844no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.630no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.30no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.5 Permit only โ€œestablishedโ€ connections into the network.30no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 2.2.4 Configure system security parameters to prevent misuse.17no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.40no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.32no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.32no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.3.1 Inbound traffic to the CDE is restricted.67no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.3.2 Outbound traffic from the CDE is restricted.67no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.4.1 NSCs are implemented between trusted and untrusted networks.21no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.30no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 2.2.6 System security parameters are configured to prevent misuse.17no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.3040no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.2032no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.832no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.3.1 Inbound traffic to the CDE is restricted.967no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.3.2 Outbound traffic from the CDE is restricted.67no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.4.1 NSCs are implemented between trusted and untrusted networks.921no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.930no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 2.2.6 System security parameters are configured to prevent misuse.1217no data
๐Ÿ’ผ UK Cyber Essentials โ†’ ๐Ÿ’ผ 1.2 Prevent access to the administrative interface from the internet4244no data