Ensure that requests initiated from any source port (*) to any destination port (*) are restricted from the internet for Azure Network Security Rule

HIGH

Description

Network security groups that allow inbound traffic from any source port to any destination port, from any internet source, expose every listening service on the attached subnet or network interface to the whole internet. Strong boundary protection is the first line of defense for any infrastructure, so removing inbound rules that allow access to all destination ports is the first step. It is considered best practice to allow only the traffic a workload actually needs when configuring firewall rules. Note that an unrestricted source port (*) is normal on its own, because clients connect from ephemeral ports; the rule is flagged because the destination port is unrestricted and the source is internet-wide ("*", "Any", the "Internet" service tag, "0.0.0.0/0" or "::/0" all count as internet-wide).

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Network Security Groups.
  2. Choose the security group to edit, then select Inbound security rules.
  3. Remove inbound Allow rules that list Any for Port and Any or Internet for Source.
  4. Use the Add button to add replacement security rules, specifying at a minimum a destination port other than *, and narrowing the source to a known address range or service tag wherever the service is not meant to be public.

In Terraform -

  1. For each azurerm_network_security_group resource, review every rule attached to it: standalone azurerm_network_security_rule resources and any inline security_rule blocks defined in the group itself (the check applies to both forms).
  2. In the azurerm_network_security_rule resource, set the value of 'access' to "Allow" or "Deny".
  3. Set the value of 'direction' to "Inbound".
  4. Set the value of 'source_address_prefix' to an IP address, a CIDR range, or a service tag narrower than "Internet"; "*", "0.0.0.0/0" and "Internet" all count as internet-wide sources.
  5. Set the remaining fields as needed, ensuring that 'destination_port_range' (or 'destination_port_ranges') names a specific port or port range rather than "*".
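The following Terraform configuration is an added example and is not code from the original page or from the Terraform provider: it shows the offending allow-all rule (left commented out so the configuration applies cleanly) next to narrowed replacement rules. The resource group, NSG and rule names, the location, the 10.0.1.0/24 web subnet and the 203.0.113.0/24 administrator range are all assumptions for illustration.

```hcl
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# Assumed names and location for the example.
resource "azurerm_resource_group" "example" {
  name     = "rg-nsg-example"
  location = "eastus"
}

# The NSG is declared without inline security_rule blocks: the provider does
# not allow mixing inline rules with azurerm_network_security_rule resources,
# so pick one style and stay with it.
resource "azurerm_network_security_group" "example" {
  name                = "nsg-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# BEFORE: the rule this policy flags. Any protocol, any source port, any
# destination port, from any source. "Internet", "0.0.0.0/0" or "::/0" in
# source_address_prefix would be flagged in exactly the same way.
#
# resource "azurerm_network_security_rule" "allow_all_inbound" {
#   name                        = "allow-all-inbound"
#   priority                    = 100
#   direction                   = "Inbound"
#   access                      = "Allow"
#   protocol                    = "*"
#   source_port_range           = "*"
#   destination_port_range      = "*"
#   source_address_prefix       = "*"
#   destination_address_prefix  = "*"
#   resource_group_name         = azurerm_resource_group.example.name
#   network_security_group_name = azurerm_network_security_group.example.name
# }

# AFTER: one rule per service. source_port_range stays "*" because clients
# connect from ephemeral ports; what the policy requires is a specific
# destination port, plus a source no wider than the service needs.

# A public web tier: open to the internet, but only on TCP 443 and only
# towards the web subnet (assumed 10.0.1.0/24).
resource "azurerm_network_security_rule" "allow_https_inbound" {
  name                        = "allow-https-inbound"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "443"
  source_address_prefix       = "Internet"
  destination_address_prefix  = "10.0.1.0/24"
  resource_group_name         = azurerm_resource_group.example.name
  network_security_group_name = azurerm_network_security_group.example.name
}

# Administrative access: SSH only from the assumed administrator egress
# range, never from "*" or "Internet".
resource "azurerm_network_security_rule" "allow_ssh_from_admin" {
  name                        = "allow-ssh-from-admin"
  priority                    = 110
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefix       = "203.0.113.0/24"
  destination_address_prefix  = "10.0.1.0/24"
  resource_group_name         = azurerm_resource_group.example.name
  network_security_group_name = azurerm_network_security_group.example.name
}
```

Two points worth checking after the change. First, NSG rules are evaluated in priority order (lower number first), so an allow-all rule with a lower priority number silently overrides any narrower Deny placed after it; removing it is what makes the built-in DenyAllInBound rule (priority 65500) effective again, so no explicit catch-all Deny is needed. Second, run terraform plan and confirm that no rule still shows destination_port_range = "*" together with an internet-wide source, including any inline security_rule blocks on the group resource itself.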

References:
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule

Policy Details

Rule Reference ID: AC_AZURE_0231
CSP: Azure
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: Security Group

Frameworks