Ensure remote debugging has been disabled for your production Azure Functions

Ensure that your Azure App Services web applications have remote debugging disabled in order to enhance security and protect the applications from unauthorized access. The Remote Debugging feature is available for web applications (e.g. ASP.NET, ASP.NET Core, Node.js, Python).

Risk Level: Low
Cloud Entity: Azure functions
CloudGuard Rule ID: D9.AZU.CRY.28
Covered by Spectral: No
Category: Compute

GSL LOGIC

FunctionApp should not have config.remoteDebuggingEnabled=true

REMEDIATION

From Portal

  1. Sign in to the Azure portal and navigate to 'Function App'.
  2. Click the name of the Function App you want to examine.
  3. In the navigation panel, under Settings, select 'Configuration'.
  4. In 'General Settings', turn off 'Remote debugging' under the 'Debugging' section.
  5. Click Save.

From TF
Set the 'remote_debugging_enabled' argument to 'false':

resource "azurerm_function_app" "example" {
	# ...
	site_config {
		# ...
		remote_debugging_enabled = false
		# ...
	}
	# ...
}

From Command Line
Set Remote Debugging to False via Azure CLI:

az functionapp config set --resource-group RESOURCEGROUP --name NAME --remote-debugging-enabled false
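
The command above fixes one app at a time. As an added example (not part of the CloudGuard rule or of Microsoft's documentation), the following POSIX shell script applies the same check as the GSL rule to every Function App in the current subscription and then runs that command against each offender. It assumes the Azure CLI is installed and already signed in; the function names list_remote_debug_enabled and disable_remote_debug are illustrative.

```shell
#!/bin/sh
# Added example: audit and remediate this rule across a subscription.
# Assumes the Azure CLI is installed and `az login` has already been run.
TAB=$(printf '\t')

# Print "<resource-group><TAB><name>" for every Function App in the current
# subscription whose site config has remoteDebuggingEnabled set to true.
list_remote_debug_enabled() {
  az functionapp list --query '[].[resourceGroup, name]' --output tsv |
  while IFS="$TAB" read -r rg name; do
    [ -n "$name" ] || continue
    # </dev/null keeps az from consuming the list the loop is reading.
    if ! state=$(az functionapp config show --resource-group "$rg" \
        --name "$name" --query remoteDebuggingEnabled --output json </dev/null)
    then
      echo "warn: cannot read config for $rg/$name" >&2
      continue
    fi
    if [ "$state" = "true" ]; then
      printf '%s\t%s\n' "$rg" "$name"
    fi
  done
}

# Read "<resource-group><TAB><name>" lines on stdin and apply the CLI fix
# from this page to each app. Returns non-zero if any update failed.
disable_remote_debug() {
  rc=0
  while IFS="$TAB" read -r rg name; do
    [ -n "$name" ] || continue
    if az functionapp config set --resource-group "$rg" --name "$name" \
        --remote-debugging-enabled false --output none </dev/null; then
      echo "fixed: $rg/$name" >&2
    else
      echo "FAILED: $rg/$name" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Usage: <script> audit   list apps that violate the rule
#        <script> fix     list them and disable remote debugging on each
case "${1:-}" in
  audit) list_remote_debug_enabled ;;
  fix)   list_remote_debug_enabled | disable_remote_debug ;;
esac
```

Run it with audit first and review the list before running fix, since an app with remote debugging on may have a developer session attached.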

References

  1. https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal#configure-general-settings
  2. https://docs.microsoft.com/en-us/cli/azure/functionapp/config?view=azure-cli-latest
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_function_app#remote_debugging_enabled

Azure functions

Azure Functions is a serverless solution that allows you to write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running.

Compliance Frameworks

  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • CloudGuard Azure All Rules Ruleset