Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: 7.16 Ensure Azure Network Security Perimeter is used to secure Azure platform-as-a-service resources

Description

Azure Network Security Perimeter creates a logical boundary around Azure platform-asa-service (PaaS) resources outside of virtual networks. By default, the network security perimeter denies public access to associated PaaS resources, with the ability to define explicit rules for inbound and outbound traffic.

While an automated assessment procedure exists for this recommendation, the assessment status remains manual. Determining appropriate network security perimeter profiles and resource assignments depends on the context and requirements of each organization and environment.

Network security perimeter denies public access to PaaS resources, reducing exposure and mitigating data exfiltration risks.

Remediation

Remediate from Azure Portal

Create and associate PaaS resources with a new network security perimeter:

  1. Go to Network Security Perimeters.
  2. Click + Create.
  3. Select a Subscription and Resource group, provide a Name, select a Region, and provide a Profile name.
  4. Click Next.
  5. Click + Add.
  6. Check the box next to a PaaS resource to associate it with the network security perimeter.
  7. Click Select.
  8. Click Next.
  9. Configure appropriate Inbound access rules for your organization.
  10. Click Next.
  11. Configure appropriate Outbound access rules for your organization.
  12. Click Review + create.
  13. Click Create.

Associate PaaS resources with an existing network security perimeter:

  1. Go to Network Security Perimeters.
  2. Click the name of a network security perimeter.
  3. Under Settings, click Associated resources.
  4. Click + Add.
  5. Select Associate resources with a new profile or Associate resources with an existing profile.
  6. To associate resources with a new profile:
    1. Provide a Name.
    2. Click Next.
    3. Click + Add.
    4. Check the box next to a PaaS resource to associate it with the network security perimeter.
    5. Click Select.
    6. Click Next.
    7. Configure appropriate Inbound access rules for your organization.
    8. Click Next.
    9. Configure appropriate Outbound access rules for your organization.
    10. Click Review + create.
    11. Click Create.
  7. To associate resources with an existing profile:
    1. Next to Profile, click Select to display the drop-down menu.
    2. Select a profile.
    3. Click + Add.
    4. Check the box next to a PaaS resource to associate it with the network security perimeter.
    5. Click Select.
    6. Click Associate.

Remediate from Azure CLI

Use az network perimeter profile list or az network perimeter profile create to list existing or create a new network security perimeter profile.

For each PaaS resource requiring association with a network security perimeter, run the following command:

az network perimeter association create --resource-group <resource-group> --perimeter-name <network-security-perimeter> --association-name <association> --private-link-resource "{id:<paas-resource-id>}" --profile "{<profile-id>}"

Default Value

PaaS resources are not associated with a network security perimeter by default.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_7_16

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_7_16 --share

SQL

This control uses a named query:

select
  id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  display_name as subscription
from
  azure_subscription;

Tags

category = Compliance
cis = true
cis_item_id = 7.16
cis_level = 2
cis_section_id = 7
cis_type = manual
cis_version = v5.0.0
plugin = azure
service = Azure/Network