Ensure no Virtual Machine allows incoming traffic from 0.0.0.0/0 to known DB TCP ports

A network security group (NSG) rule that allows TCP (or all protocols) from 0.0.0.0/0 to a database port exposes the database listener on a public VM to the whole internet, where it becomes a target for credential brute-forcing and for exploitation of unpatched database services. Inbound database access should be limited to the specific source ranges, subnets or application security groups that need it.

Risk Level: High
Cloud Entity: Virtual Machine
CloudGuard Rule ID: D9.AZU.NET.VirtualMachine.TCPdb
Covered by Spectral: No
Category: Compute

GSL LOGIC

VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('TCP','All')] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_DB_TCP_Ports) ] ] ]
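
The following is an added example, not CloudGuard code, that applies the same conditions as the GSL above to the JSON that `az network nsg show -o json` returns. The port set `KNOWN_DB_TCP_PORTS` is an assumed stand-in for `$CloudGuard_Known_DB_TCP_Ports` (the real list is maintained by CloudGuard), the NSG document is a constructed sample, and the example treats the Azure spellings `*`, `Internet` and `0.0.0.0/0` as equivalent "anywhere" prefixes. It goes slightly beyond the literal GSL in two ways: it requires all conditions to hold on one rule (the GSL's three `contain` clauses are separate existentials over the rule list) and it ignores Deny and outbound rules.

```python
import ipaddress
import json

# Assumed, illustrative stand-in for $CloudGuard_Known_DB_TCP_Ports; the
# real list is maintained by CloudGuard and is not reproduced on this page.
KNOWN_DB_TCP_PORTS = {1433, 1521, 3306, 5432, 6379, 9200, 27017}

# Azure spells "anywhere" several ways in NSG rules; the GSL matches '0.0.0.0/0'.
ANY_PREFIX_TAGS = {"*", "0.0.0.0/0", "internet"}


def _prefixes(rule, singular, plural):
    """Merge the singular and plural forms Azure emits for a prefix or port field."""
    values = list(rule.get(plural) or [])
    if rule.get(singular):
        values.append(rule[singular])
    return values


def is_any_prefix(prefix):
    """True for '*', 'Internet', '0.0.0.0/0' and any other /0 network."""
    text = prefix.strip()
    if text.lower() in ANY_PREFIX_TAGS:
        return True
    try:
        return ipaddress.ip_network(text, strict=False).prefixlen == 0
    except ValueError:
        return False  # service tag or ASG name, never "anywhere"


def db_ports_in_range(port_range, db_ports=KNOWN_DB_TCP_PORTS):
    """Known DB ports covered by an NSG port spec such as '3306', '1400-1500' or '*'."""
    text = port_range.strip()
    if text == "*":
        return sorted(db_ports)
    if "-" in text:
        low, high = (int(x) for x in text.split("-", 1))
    else:
        low = high = int(text)
    return sorted(p for p in db_ports if low <= p <= high)


def find_public_db_exposures(nsg, db_ports=KNOWN_DB_TCP_PORTS):
    """Return [(rule name, [exposed DB ports])] for inbound Allow rules that admit
    TCP (or all protocols) from anywhere to anywhere on a known DB port."""
    findings = []
    for rule in nsg.get("securityRules", []):
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if str(rule.get("protocol", "")).upper() not in ("TCP", "*"):
            continue
        src = _prefixes(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        dst = _prefixes(rule, "destinationAddressPrefix", "destinationAddressPrefixes")
        if not (any(map(is_any_prefix, src)) and any(map(is_any_prefix, dst))):
            continue
        exposed = set()
        for spec in _prefixes(rule, "destinationPortRange", "destinationPortRanges"):
            exposed.update(db_ports_in_range(spec, db_ports))
        if exposed:
            findings.append((rule["name"], sorted(exposed)))
    return findings


def _rule(name, direction, access, protocol, src, dst, ports):
    """Build a rule in the shape `az network nsg show -o json` returns (constructed sample)."""
    return {"name": name, "direction": direction, "access": access, "protocol": protocol,
            "sourceAddressPrefix": src, "sourceAddressPrefixes": [],
            "destinationAddressPrefix": dst, "destinationAddressPrefixes": [],
            "destinationPortRange": ports if isinstance(ports, str) else None,
            "destinationPortRanges": ports if isinstance(ports, list) else []}


SAMPLE_NSG = {  # constructed sample, not a real tenant's NSG
    "name": "vm-db-nsg",
    "securityRules": [
        _rule("AllowSSHFromOffice", "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "22"),
        _rule("AllowMySQLAnywhere", "Inbound", "Allow", "Tcp", "*", "*", "3306"),
        _rule("AllowAppRange", "Inbound", "Allow", "*", "Internet", "*", ["1400-1500", "8080"]),
        _rule("DenyPostgresAnywhere", "Inbound", "Deny", "Tcp", "0.0.0.0/0", "*", "5432"),
        _rule("AllowRedisOut", "Outbound", "Allow", "Tcp", "*", "*", "6379"),
    ],
}

if __name__ == "__main__":
    import sys
    # Pass the path of a saved `az network nsg show -o json` document, or run on the sample.
    nsg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_NSG
    for name, ports in find_public_db_exposures(nsg):
        print(f"{nsg['name']}: rule {name} exposes DB ports {ports} to 0.0.0.0/0")
```

On the sample, only `AllowMySQLAnywhere` (port 3306) and `AllowAppRange` (the range 1400-1500 covers 1433) are reported; the office-restricted SSH rule, the Deny rule and the outbound rule are not. Like the GSL, the check looks at each rule in isolation and does not model priority ordering, so a lower-numbered Deny rule that shadows an offending Allow rule is still reported.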

REMEDIATION

From Portal

  1. Go to 'Virtual machines' and choose the relevant VM
  2. Select 'Networking' under 'Settings' in the navigation menu
  3. Under 'Inbound port rules', look for Allow rules whose Source is 'Any' (0.0.0.0/0), whose Protocol is TCP or Any, and whose Destination port ranges include a database port
  4. Change the Source of each such rule to the specific IP ranges, subnets or application security groups that need database access, or delete the rule if the port should not be reachable at all.

From Terraform
Define the NSG with azurerm_network_security_group and azurerm_network_security_rule, and set source_address_prefix (or source_address_prefixes) on any rule for a database port to the required source ranges rather than '*' or '0.0.0.0/0'. See references 2 and 3 for the resource documentation.

From Command Line
Inspect virtual machine NSG rules:

az network nsg show --name <NSG_NAME> --resource-group <RESOURCE_GROUP>

Note: Additional command line methods for updating or creating rules (az network nsg rule) can be found under the references.

References

  1. https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule
  4. https://docs.microsoft.com/en-us/cli/azure/network/nsg/rule?view=azure-cli-latest

Virtual Machine

Azure Virtual Machines (VM) is one of several types of on-demand, scalable computing resources that Azure offers. Typically, you choose a VM when you need more control over the computing environment than the other choices offer.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CSA CCM v.3.0.1
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure CloudGuard Network Security Alerts
  • Azure CloudGuard SOC2 based on AICPA TSC 2017
  • Azure GDPR Readiness
  • Azure ISO 27001:2013
  • Azure LGPD regulation
  • Azure NIST 800-53 Rev 4
  • Azure NIST CSF v1.1
  • Azure New Zealand Information Security Manual (NZISM) v.3.4
  • Azure PCI-DSS 3.2
  • Azure Security Risk Management
  • CloudGuard Azure All Rules Ruleset