last sync: 2020-Jul-03 15:47:34 UTC

Azure Policy

SSH access from the Internet should be blocked

Policy DisplayName SSH access from the Internet should be blocked
Policy Id 2c89a2e5-7285-40fe-afe0-ae8654b92fab
Policy Category Network
Policy Description This policy audits any network security rule that allows SSH access from Internet
Policy Mode All
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated FALSE
Policy Effect Default: Audit
Allowed: (Audit,Disabled)
Roles used none
Policy Changes
Date/Time (UTC ymd) (i) Change Change detail
2020-01-29 21:53:30 add: Policy 2c89a2e5-7285-40fe-afe0-ae8654b92fab
Used in Policy Initiative(s)
Initiative DisplayName Initiative Id
CIS Microsoft Azure Foundations Benchmark 1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d
Policy Rule
{
  "properties": {
    "displayName": "SSH access from the Internet should be blocked",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits any network security rule that allows SSH access from Internet",
    "metadata": {
      "version": "2.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
          },
          {
            "allOf": [
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
                "equals": "Allow"
              },
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
                "equals": "Inbound"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                    "equals": "*"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                    "equals": "22"
                  },
                  {
                  "value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),22),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),22)), 'false')]",
                    "equals": "true"
                  },
                  {
                    "count": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "where": {
                      "value": "[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),22),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),22)) , 'false')]",
                        "equals": "true"
                      }
                    },
                    "greater": 0
                  },
                  {
                    "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "notEquals": "*"
                    }
                  },
                  {
                    "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "notEquals": "22"
                    }
                  }
                ]
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                    "equals": "*"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                    "equals": "Internet"
                  },
                  {
                    "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                      "notEquals": "*"
                    }
                  },
                  {
                    "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                      "notEquals": "Internet"
                    }
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "2c89a2e5-7285-40fe-afe0-ae8654b92fab"
}