Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known UDP ports
Unrestricted access to instances is an attack vector that should be restricted to prevent common exploits.
Risk Level: Medium
Cloud Entity: Virtual Machine
CloudGuard Rule ID: D9.AZU.NET.VirtualMachine.UDP
Covered by Spectral: No
Category: Compute
GSL LOGIC
VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('UDP','All')] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_UDP_Ports) ] ] ]
REMEDIATION
From Portal
- Go to 'Virtual machines' and choose the relevant VM
- Select 'Networking' under 'Settings' in the navigation menu
- Under 'Inbound port rules' examine for overly permissive rules
- Modify the rules accordingly to prevent public access to various UDP ports.
From TF
Please find additional information under references.
From Command Line
Inspect virtual machine NSG rules:
az network nsg show --name NETWORK SECURITY GROUP --resource-group RESOURCE GROUP
Note:Additional command line methods for rule update or creation can be found under the references.
References
- https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule
- https://docs.microsoft.com/en-us/cli/azure/network/nsg/rule?view=azure-cli-latest
Virtual Machine
Azure Virtual Machines (VM) is one of several types of on-demand, scalable computing resources that Azure offers. Typically, you choose a VM when you need more control over the computing environment than the other choices offer. This article gives you information about what you should consider before you create a VM, how you create it, and how you manage it.
Compliance Frameworks
- AZU PCI-DSS 4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CSA CCM v.3.0.1
- Azure CSA CCM v.4.0.1
- Azure CloudGuard Best Practices
- Azure CloudGuard Network Security Alerts
- Azure CloudGuard SOC2 based on AICPA TSC 2017
- Azure GDPR Readiness
- Azure ISO 27001:2013
- Azure LGPD regulation
- Azure NIST 800-53 Rev 4
- Azure NIST CSF v1.1
- Azure New Zealand Information Security Manual (NZISM) v.3.4
- Azure PCI-DSS 3.2
- Azure Security Risk Management
- CloudGuard Azure All Rules Ruleset
Updated over 1 year ago