Security Center default policy setting 'Monitor Network Security Groups' is not enabled Affecting Security Center service in Azure
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00668
- creditSnyk Research Team
Description
This policy setting recommends that network security groups be configured to control inbound and outbound traffic to VMs that have public endpoints.
How to fix?
Set policy_definition_id to /providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c and enforcementMode to Default.
Example Configuration
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"name": "allowed",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"description": "Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",
"displayName": "Adaptive network hardening recommendations should be applied on internet facing virtual machines",
"enforcementMode": "Default",
"metadata": {},
"parameters": {},
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6"
}
]
}
Set policy_definition_id to /providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6, and set enforce to true or remove the attribute.
Example Configuration
resource "azurerm_subscription_policy_assignment" "allowed1" {
name = "NSG-Monitor1"
policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6"
subscription_id = data.azurerm_subscription.current.id
display_name = "Adaptive network hardening recommendations should be applied on internet facing virtual machines"
enforce = true
description = "Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface"
}