Security Center default policy setting 'Monitor Network Security Groups' is not enabled Affecting Security Center service in Azure


Severity

medium
    Severity Framework
    Snyk CCSS
    Rule category
    Monitoring / Network

    Frameworks
    CIS-Azure, HIPAA, NIST-800-53, SOC-2
  • Snyk ID SNYK-CC-00668
  • Credit Snyk Research Team

Description

This policy setting recommends that network security groups be configured to control inbound and outbound traffic to VMs that have public endpoints.

How to fix?

Set policy_definition_id (policyDefinitionId in an ARM policy assignment) to /providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c and enforcementMode to Default.

Example Configuration

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Authorization/policyAssignments",
            "apiVersion": "2022-06-01",
            "name": "allowed",
            "location": "[resourceGroup().location]",
            "identity": {
                "type": "SystemAssigned"
            },
            "properties": {
                "description": "Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",
                "displayName": "Adaptive network hardening recommendations should be applied on internet facing virtual machines",
                "enforcementMode": "Default",
                "metadata": {},
                "parameters": {},
                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6"
            }
        }
    ]
}
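As an added illustration (not Snyk's own rule implementation), the following Python script applies the check described under "How to fix?" to an ARM deployment template: it looks for a Microsoft.Authorization/policyAssignments resource whose policyDefinitionId is the ID named in the fix section and reports whether its enforcementMode is Default. The embedded sample templates, the resource name monitor-nsg, and the treatment of an omitted enforcementMode as Azure's default of Default are constructed assumptions for the example; the "DoNotEnforce" sample shows the weak, audit-only setting beside the corrected one.

```python
import json

# Policy definition ID given in this rule's "How to fix?" section.
MONITOR_NSG_POLICY_ID = (
    "/providers/Microsoft.Authorization/policyDefinitions/"
    "b0f33259-77d7-4c9e-aac6-3aabcfae693c"
)
POLICY_ASSIGNMENT_TYPE = "Microsoft.Authorization/policyAssignments"


def find_policy_assignments(template):
    """Return the policyAssignments resources of an ARM deployment template."""
    return [
        res for res in template.get("resources", [])
        if isinstance(res, dict) and res.get("type") == POLICY_ASSIGNMENT_TYPE
    ]


def check_nsg_monitoring(template, policy_id=MONITOR_NSG_POLICY_ID):
    """Apply the rule: pass only if some assignment targets policy_id with
    enforcementMode Default. Returns (passed, reason)."""
    assignments = [
        res for res in find_policy_assignments(template)
        if str(res.get("properties", {}).get("policyDefinitionId", "")).lower()
        == policy_id.lower()
    ]
    if not assignments:
        return False, "no policy assignment references " + policy_id
    for res in assignments:
        # Assumption: Azure treats an omitted enforcementMode as "Default".
        mode = res["properties"].get("enforcementMode", "Default")
        if str(mode).lower() == "default":
            return True, "assignment '%s' enforces the policy" % res.get("name")
    modes = sorted(str(res["properties"].get("enforcementMode")) for res in assignments)
    return False, "assignment present but enforcementMode is %s, not Default" % ", ".join(modes)


def check_template_file(path):
    """Load an ARM template from disk and run the check on it."""
    with open(path) as fh:
        return check_nsg_monitoring(json.load(fh))


def _assignment(mode):
    """Build a minimal constructed policyAssignment resource for the samples."""
    props = {"policyDefinitionId": MONITOR_NSG_POLICY_ID}
    if mode is not None:
        props["enforcementMode"] = mode
    return {
        "type": POLICY_ASSIGNMENT_TYPE,
        "apiVersion": "2022-06-01",
        "name": "monitor-nsg",  # constructed name
        "location": "[resourceGroup().location]",
        "properties": props,
    }


# Constructed sample templates, not taken from the page.
WEAK_TEMPLATE = {"resources": [_assignment("DoNotEnforce")]}   # audit-only: fails
FIXED_TEMPLATE = {"resources": [_assignment("Default")]}       # enforced: passes
IMPLICIT_TEMPLATE = {"resources": [_assignment(None)]}         # omitted mode: passes
MISSING_TEMPLATE = {"resources": []}                           # no assignment: fails

if __name__ == "__main__":
    samples = [("weak", WEAK_TEMPLATE), ("fixed", FIXED_TEMPLATE),
               ("implicit", IMPLICIT_TEMPLATE), ("missing", MISSING_TEMPLATE)]
    for label, tpl in samples:
        ok, why = check_nsg_monitoring(tpl)
        print("%-8s %s: %s" % (label, "PASS" if ok else "FAIL", why))
```

Run it directly to see the four sample verdicts, or call check_template_file on a real deployment template; the comparison on policyDefinitionId is case-insensitive because Azure resource IDs are.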