Skip to main content

⭐ Repository β†’ πŸ“ Compliance Engine β†’ πŸ“ CloudAware β†’ πŸ“ Azure β†’ πŸ“ Virtual Network

πŸ›‘οΈ Azure Network Security Group allows public access to SSH port🟒

  • Contextual name: πŸ›‘οΈ Security Group allows public access to SSH port🟒
  • ID: /ce/ca/azure/virtual-network/security-group-allows-unrestricted-ssh-traffic
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-599c86b41

Description​

Open File

Description​

Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.

Rationale​

The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.

Audit​

This policy flagged an Azure Network Security Group as INCOMPLIANT if it contains at least one Inbound Security Rule that meets all of the following conditions:

  • Direction is Inbound.
  • Access is Allow.
  • Protocol is either Tcp, Udp, *, or null.
  • Source Address Prefix is either Internet, * 0.0.0.0, /0, or Any.
  • Destination Port is 22.

... see more

Remediation​

Open File

Remediation​

Modify or Remove Insecure NSG Rule​

Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:

  • If the rule is not required: Remove the rule entirely.

  • If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.

Azure CLI​

  1. Delete the rule:

    az network nsg rule delete \
      --resource-group {{resource-group-name}} \
      --nsg-name {{nsg-name}} \
      --name {{rule-name}}

  2. Restrict the rule:

    az network nsg rule update \
        --resource-group {{resource-group-name}} \
        --nsg-name {{nsg-name}} \
        --name {{rule-name}} \
        --source-address-prefixes {{trusted-cidr}}

    Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., --source-address-prefixes "1.2.3.4/32 5.6.7.8/32").

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36f network design β€” to ensure authorised network traffic flows and to reduce the impact of security compromises;2930no data
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.3537no data
πŸ’Ό CIS Azure v1.1.0 β†’ πŸ’Ό 6.2 Ensure that SSH access is restricted from the internet11no data
πŸ’Ό CIS Azure v1.3.0 β†’ πŸ’Ό 6.2 Ensure that SSH access is restricted from the internet - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v1.4.0 β†’ πŸ’Ό 6.2 Ensure that SSH access is restricted from the internet - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v1.5.0 β†’ πŸ’Ό 6.2 Ensure that SSH access from the Internet is evaluated and restricted - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v2.0.0 β†’ πŸ’Ό 6.2 Ensure that SSH access from the Internet is evaluated and restricted - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 6.2 Ensure that SSH access from the Internet is evaluated and restricted - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 7.2 Ensure that SSH access from the Internet is evaluated and restricted (Automated)1no data
πŸ’Ό CIS Azure v4.0.0 β†’ πŸ’Ό 8.2 Ensure that SSH access from the Internet is evaluated and restricted (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Public and Anonymous Access80no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3767no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1146no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)31833no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(5) Deny by Default β€” Allow by Exception (M)(H)18no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)67no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)29no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)67no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)46no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)333no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(5) Deny by Default β€” Allow by Exception (M)(H)18no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.4.1 Information access restriction1920no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 6.7 Remote working44no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.1 User end point devices813no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.16 Monitoring activities45no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.22 Segregation of networks44no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1752no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4766no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)426no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties91no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected117no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected97no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected111no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3746no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(5) Boundary Protection _ Deny by Default β€” Allow by Exception418no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1 Establish and implement firewall and router configuration standards7139no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.7826no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.619no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.19no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.5 Permit only β€œestablished” connections into the network.19no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.34no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.4.1 NSCs are implemented between trusted and untrusted networks.17no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.19no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.2434no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.4.1 NSCs are implemented between trusted and untrusted networks.717no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.719no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-7 Restricts Access to Information Assets1326no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.6-1 Restricts Access1619no data
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 1.2 Prevent access to the administrative interface from the internet3638no data