📝 Azure VM Scale Set Instance allows public access to SSH port 🟢

• Contextual name: 📝 Instance allows public access to SSH port 🟢
• ID: /ce/ca/azure/vm-scale-set/instance-allows-unrestricted-ssh-traffic
• Located in: 📁 Azure VM Scale Set

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Azure VM Scale Set Instance
  • 🔌 Azure Network Security Group Rule - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Ensure that Azure VM Scale Set Instances are not configured to allow unrestricted inbound access to the Secure Shell (SSH) port (TCP 22). SSH is widely used for remote management of Linux-based systems. Leaving SSH ports open to the public internet increases the risk of brute-force attacks, credential theft, and unauthorized system access.

Rationale

Restricting SSH access through NSGs is a critical step in reducing the attack surface of Azure VM Scale Set Instances. Public exposure of SSH enables malicious actors to attempt automated attacks, exploit misconfigurations, or leverage stolen credentials. Access to SSH should be limited to trusted IP ranges or secured through bastion hosts or private connectivity methods.

Impact

Blocking public access to SSH may disrupt workflows that involve direct internet-based remote management. It is important to transition to secure access alternatives, such as VPN tunnels or Azure Bastion, to maintain administrative capabilities without exposing sensitive management ports to external threats.

... see more

Remediation

Open File

Remediation

Modify or Remove Insecure NSG Rule

Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:

• If the rule is not required: Remove the rule entirely.

• If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.

Azure CLI

1. Delete the rule:

   az network nsg rule delete \
     --resource-group {{resource-group-name}} \
     --nsg-name {{nsg-name}} \
     --name {{rule-name}}

2. Restrict the rule:

   az network nsg rule update \
       --resource-group {{resource-group-name}} \
       --nsg-name {{nsg-name}} \
       --name {{rule-name}} \
       --source-address-prefixes {{trusted-cidr}} 

   Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., --source-address-prefixes "1.2.3.4/32 5.6.7.8/32").

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 Cloudaware Framework → 💼 Public and Anonymous Access			69