Overly permissive NSG Inbound rule to all traffic on TCP protocol
Ensure to keep the least privilege principle and limit the scope of the NSG Inbound rule over the TCP protocol.
Risk Level: High
Cloud Entity: Network security group
CloudGuard Rule ID: D9.AZU.NET.56
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
NetworkSecurityGroup should not have inboundSecurityRules contain [ protocol in('TCP', 'All') and sourceAddressPrefixes contain [ '0.0.0.0/0' ] and action='ALLOW']
REMEDIATION
Azure Console:
- Navigate to the 'All services'
- Navigate to the Networking, and select 'Network security groups'
- Select the Network security group to be modified
- Under Settings, select 'Inbound security rules'
- Select the rule to be modified and edit it to allow only specific IP addresses or protocols
From TF
resource "azurerm_network_security_group" "test" {
security_rule {
- protocol = "Tcp"
- access = "Allow"
- source_port_range = "*"
}
}
References
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
Network security group
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
Compliance Frameworks
- Azure CSA CCM v.4.0.1
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated about 1 year ago