Azure Network Security Group allows public access to all ports
- Contextual name: Security Group allows public access to all ports
- ID: /ce/ca/azure/virtual-network/security-group-allows-unrestricted-traffic-to-all-ports
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Description
Ensure that Azure Network Security Groups (NSGs) associated with Network Interfaces do not contain inbound rules that allow unrestricted access (e.g., from 0.0.0.0/0 or ::/0) across all ports. Instead, restrict access to only the source IP addresses and destination ports that require it, in accordance with the principle of least privilege.
Rationale
Permitting unrestricted inbound access from the public internet significantly increases the exposure of your environment to potential threats. Such configurations allow attackers to scan all open ports for vulnerabilities, potentially leading to unauthorized access, data exfiltration, or service disruption. Implementing tightly scoped rules based on required IP addresses and necessary ports aligns with the principle of least privilege and strengthens your security posture.
A compromise resulting from overly permissive rules could lead to data breaches, service outages, or exploitation of your infrastructure for launching further attacks.
Audit
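The check this policy describes, as an added example that is not CloudAware's own logic: it walks the rules of one NSG in the shape that `az network nsg rule list --resource-group <rg> --nsg-name <nsg> -o json` returns (camelCase keys such as `sourceAddressPrefix` / `sourceAddressPrefixes` and `destinationPortRange` / `destinationPortRanges`) and flags inbound Allow rules whose source is public and whose destination port specs, taken together, cover every port. Beyond the 0.0.0.0/0 and ::/0 named above it also treats `*` (Any) and the `Internet` service tag as public, and it recognises "all ports" written as several adjacent ranges rather than only `*`. The sample rules are constructed for illustration.

```python
"""Flag NSG inbound rules that allow unrestricted public access to every port.

Added example, not CloudAware's policy logic. Input rules are dicts shaped like
the JSON from `az network nsg rule list ... -o json`; SAMPLE_RULES below are
constructed for illustration and are not real data.
"""
from typing import Iterable

# Sources Azure treats as "anywhere on the Internet" for an inbound rule.
# The policy text names 0.0.0.0/0 and ::/0; "*" (Any) and the Internet
# service tag are equivalent for this check.
PUBLIC_SOURCES = {"*", "0.0.0.0/0", "::/0", "internet"}
MAX_PORT = 65535


def _list_field(rule: dict, singular: str, plural: str) -> list[str]:
    """az emits either the singular key (one value) or the plural key (a list)."""
    values = list(rule.get(plural) or [])
    single = rule.get(singular)
    if single:
        values.append(single)
    return values


def _parse_range(spec: str) -> tuple[int, int]:
    """'*' -> whole port space, '80' -> (80, 80), '0-1023' -> (0, 1023)."""
    if spec == "*":
        return 0, MAX_PORT
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), int(hi)
    return int(spec), int(spec)


def covers_all_ports(port_specs: Iterable[str]) -> bool:
    """True when the union of the port specs spans 0-65535 without a gap."""
    ranges = sorted(_parse_range(s) for s in port_specs)
    reach = -1  # highest port covered contiguously from 0 so far
    for lo, hi in ranges:
        if lo > reach + 1:
            return False  # gap below this range: not every port is allowed
        reach = max(reach, hi)
    return reach >= MAX_PORT


def is_unrestricted_all_ports(rule: dict) -> bool:
    """Inbound + Allow + public source + every destination port."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    sources = _list_field(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    ports = _list_field(rule, "destinationPortRange", "destinationPortRanges")
    public = any(s.lower() in PUBLIC_SOURCES for s in sources)
    return public and covers_all_ports(ports)


def find_violations(rules: Iterable[dict]) -> list[str]:
    """Names of offending rules, ordered by priority (lower number wins in Azure)."""
    hits = [r for r in rules if is_unrestricted_all_ports(r)]
    return [r["name"] for r in sorted(hits, key=lambda r: r["priority"])]


# Constructed sample in the shape of `az network nsg rule list` output.
SAMPLE_RULES = [
    {"name": "allow-all-inbound", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
    {"name": "allow-web", "priority": 110, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRanges": ["80", "443"]},
    {"name": "split-but-everything", "priority": 120, "direction": "Inbound",
     "access": "Allow", "protocol": "*",
     "sourceAddressPrefixes": ["0.0.0.0/0", "::/0"],
     "destinationPortRanges": ["0-1023", "1024-65535"]},
    {"name": "office-only", "priority": 130, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "203.0.113.0/24",
     "destinationPortRange": "*"},
    {"name": "outbound-any", "priority": 100, "direction": "Outbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
]

if __name__ == "__main__":
    for name in find_violations(SAMPLE_RULES):
        print(f"VIOLATION: rule {name} allows inbound traffic from any source to all ports")
```

On the sample, `find_violations` returns `allow-all-inbound` and `split-but-everything`; `allow-web` passes because two ports are not all ports, `office-only` passes because its source is a specific /24, and `outbound-any` is ignored because the policy is about inbound rules. Against a real NSG, load the JSON from `az network nsg rule list` into `find_violations`. Azure evaluates NSG rules in priority order (lowest number first), so a Deny rule with a lower number could narrow what an offending Allow rule actually exposes; this check flags the rule as written and does not model that precedence, which is the conservative choice for a compliance finding.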
Remediation
Modify or Remove Insecure NSG Rule
Review the security rules associated with the relevant Network Security Group (NSG) and determine whether each is required. Take appropriate action based on necessity and scope:
- If the rule is not required: remove the rule entirely.
- If the rule is required but overly permissive: update the rule to narrowly scope access, restricting the destination ports and/or source IP ranges to only what is strictly necessary.
Azure CLI
Delete the rule:

```shell
az network nsg rule delete \
  --resource-group {{resource-group-name}} \
  --nsg-name {{nsg-name}} \
  --name {{rule-name}}
```

Restrict the rule:

```shell
az network nsg rule update \
  --resource-group {{resource-group-name}} \
  --nsg-name {{nsg-name}} \
  --name {{rule-name}} \
  --destination-port-ranges {{specific-ports}} \
  --source-address-prefixes {{trusted-cidr}}
```

Replace the placeholders with the appropriate values. Both options take space-separated lists, passed as separate unquoted arguments so that each port or prefix is parsed individually (e.g., `--destination-port-ranges 80 443` or `--source-address-prefixes 1.2.3.4/32 5.6.7.8/32`). Note that `update` replaces the rule's existing source prefixes and destination ports with the values given rather than appending to them.
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
---|---|---|---|---|---
Cloudaware Framework → Public and Anonymous Access | 80 | no data | | |