🛡️ Azure Network Subnet without Network Security Group🟢
- Contextual name: 🛡️ Network Subnet without Network Security Group🟢
- ID: /ce/ca/azure/virtual-network/subnet-without-security-group
- Tags:
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
Description
This policy identifies Azure Network Subnets that do not have any associated network security groups. Protect subnet resources by ensuring subnets are associated with NSGs, which can filter inbound and outbound traffic using security rules.
Rationale
Unprotected subnets can expose resources to unauthorized access.
Impact
Minor administrative effort is required to ensure subnets are associated with network security groups. There is no cost to create or use network security groups.
Audit
This policy flags an Azure Network Subnet as INCOMPLIANT if it has no associated Network Security Group.
Default Value
By default, a subnet is not associated with a network security group.
References
Remediation
From Azure Portal
1. Go to Virtual networks.
2. Click the name of a virtual network.
3. Under Settings, click Subnets.
4. Click the name of a subnet.
5. Under Security, next to Network security group, click None to display the drop-down menu.
6. Select a network security group.
7. Click Save.
8. Repeat steps 1-7 for each virtual network and subnet requiring remediation.
From Azure CLI
For each subnet requiring remediation, run the following command to associate it with a network security group:
```bash
# Line continuation in a POSIX shell is a backslash, not a forward slash.
az network vnet subnet update \
  --resource-group {{resource-group}} \
  --vnet-name {{virtual-network}} \
  --name {{subnet}} \
  --network-security-group {{network-security-group}}
```
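To run this check across many subnets before remediating, the policy's audit rule can be applied offline to the JSON that `az network vnet subnet list -o json` returns. The following is an added example, not Cloudaware's policy logic; it assumes the subnet objects carry `name`, `resourceGroup`, `id` and an optional `networkSecurityGroup.id` key (which is how the CLI reports the association), works on a constructed sample, and emits the page's remediation command for each INCOMPLIANT subnet. The `exempt` set is an operator-supplied assumption for subnets that should be skipped.

```python
import json

# Constructed sample in the shape of `az network vnet subnet list -o json`,
# reduced to the keys this check reads (the real output has many more).
SAMPLE_SUBNETS = json.loads("""[
  {"name": "web", "resourceGroup": "rg-prod",
   "id": "/subscriptions/SUB-ID/resourceGroups/rg-prod/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/web",
   "networkSecurityGroup": {"id": "/subscriptions/SUB-ID/resourceGroups/rg-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-web"}},
  {"name": "db", "resourceGroup": "rg-prod",
   "id": "/subscriptions/SUB-ID/resourceGroups/rg-prod/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/db",
   "networkSecurityGroup": null},
  {"name": "GatewaySubnet", "resourceGroup": "rg-prod",
   "id": "/subscriptions/SUB-ID/resourceGroups/rg-prod/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/GatewaySubnet"}
]""")


def vnet_name(subnet_id: str) -> str:
    """Pull the virtual network name out of a subnet resource ID."""
    parts = subnet_id.split("/")
    return parts[parts.index("virtualNetworks") + 1]


def evaluate(subnets, exempt=frozenset()):
    """Audit rule from the page: a subnet with no NSG reference is INCOMPLIANT.
    A missing key and an explicit null are both treated as 'no NSG'.
    `exempt` is an operator-chosen set of subnet names to skip (assumption)."""
    findings = []
    for s in subnets:
        nsg = s.get("networkSecurityGroup") or {}
        if s["name"] in exempt:
            status = "EXEMPT"
        elif nsg.get("id"):
            status = "COMPLIANT"
        else:
            status = "INCOMPLIANT"
        findings.append({"resourceGroup": s["resourceGroup"], "vnet": vnet_name(s["id"]),
                         "subnet": s["name"], "status": status})
    return findings


def remediation_commands(findings, nsg_name: str):
    """Emit the page's `az network vnet subnet update` command per INCOMPLIANT subnet."""
    return [
        f"az network vnet subnet update --resource-group {f['resourceGroup']} "
        f"--vnet-name {f['vnet']} --name {f['subnet']} --network-security-group {nsg_name}"
        for f in findings if f["status"] == "INCOMPLIANT"
    ]


if __name__ == "__main__":
    results = evaluate(SAMPLE_SUBNETS, exempt={"GatewaySubnet"})
    for r in results:
        print(f"{r['vnet']}/{r['subnet']}: {r['status']}")
    print("\n".join(remediation_commands(results, "nsg-db")))
```

Review the emitted commands before running them: the NSG you attach must already contain the rules the subnet's workloads need, since an empty or overly permissive NSG satisfies the check without reducing exposure.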
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 CIS Azure v5.0.0 → 💼 7.11 Ensure subnets are associated with network security groups (Automated) | | | 1 | | no data |
| 💼 Cloudaware Framework → 💼 Secure Access | | | 67 | | no data |