Control: 7.11 Ensure subnets are associated with network security groups
Description
Protect subnet resources by ensuring subnets are associated with network security groups, which can filter inbound and outbound traffic using security rules.
Unprotected subnets can expose resources to unauthorized access.
Remediation
Remediate from Azure Portal
1. Go to Virtual networks.
2. Click the name of a virtual network.
3. Under Settings, click Subnets.
4. Click the name of a subnet.
5. Under Security, next to Network security group, click None to display the drop-down menu.
6. Select a network security group.
7. Click Save.
8. Repeat steps 1-7 for each virtual network and subnet requiring remediation.
Remediate from Azure CLI
For each subnet requiring remediation, run the following command to associate it with a network security group:
az network vnet subnet update --resource-group <resource-group> --vnet-name <virtual-network> --name <subnet> --network-security-group <network-security-group>
Default Value
By default, a subnet is not associated with a network security group.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_7_11
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v500_7_11 --share
SQL
This control uses a named query:
select
  sg.id as resource,
  case
    when subnets is null then 'alarm'
    else 'ok'
  end as status,
  case
    when subnets is null then name || ' not associated with subnet.'
    else name || ' associated with ' || split_part(rtrim((subnet -> 'id') :: text, '"'), '/subnets/', 2) || '.'
  end as reason,
  sg.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_network_security_group as sg
  left join azure_subscription as sub on sub.subscription_id = sg.subscription_id
  left join jsonb_array_elements(subnets) as subnet on true;
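The following is an added example, not code from the azure_compliance mod: it reproduces the named query's status and reason logic in Python over constructed NSG rows, so the alarm condition and the split_part/rtrim name extraction can be traced without a Steampipe connection. It also goes one step beyond the query with a subnet-side check (the query reports per NSG, so a subnet that simply has no NSG never appears in it); that check assumes the JSON shape printed by `az network vnet subnet list`, where an unattached subnet has no networkSecurityGroup value, and emits the page's remediation command with the NSG left as a placeholder.

```python
import json

# Constructed sample data, not real resources. NSG_ROWS mirrors the columns the named query
# reads from azure_network_security_group; SUBNETS mirrors `az network vnet subnet list` output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.Network"
NSG_ROWS = [
    {"id": f"{SUB}/networkSecurityGroups/nsg-web", "name": "nsg-web", "resource_group": "rg-app",
     "subnets": [{"id": f"{SUB}/virtualNetworks/vnet-app/subnets/snet-web"}]},
    {"id": f"{SUB}/networkSecurityGroups/nsg-orphan", "name": "nsg-orphan", "resource_group": "rg-app",
     "subnets": None},
]
SUBNETS = [
    {"name": "snet-web", "id": f"{SUB}/virtualNetworks/vnet-app/subnets/snet-web",
     "networkSecurityGroup": {"id": f"{SUB}/networkSecurityGroups/nsg-web"}},
    {"name": "snet-db", "id": f"{SUB}/virtualNetworks/vnet-app/subnets/snet-db",
     "networkSecurityGroup": None},
]

def split_part(text: str, sep: str, n: int) -> str:
    """PostgreSQL split_part(): 1-based field number, '' when that field is absent."""
    parts = text.split(sep)
    return parts[n - 1] if len(parts) >= n else ""

def evaluate_nsg(row: dict) -> list[tuple]:
    """Reproduce the query's (resource, status, reason) rows for one NSG: jsonb_array_elements()
    yields one row per attached subnet; a NULL subnets column still yields one row (the alarm)."""
    if row["subnets"] is None:
        return [(row["id"], "alarm", f"{row['name']} not associated with subnet.")]
    rows = []
    for subnet in row["subnets"]:
        # (subnet -> 'id')::text is the JSON-quoted id; rtrim drops the trailing quote and
        # split_part(..., '/subnets/', 2) keeps only the subnet name after '/subnets/'.
        quoted = json.dumps(subnet["id"]).rstrip('"')
        rows.append((row["id"], "ok", f"{row['name']} associated with {split_part(quoted, '/subnets/', 2)}."))
    return rows

def subnets_without_nsg(subnets: list[dict]) -> list[tuple[str, str]]:
    """Subnet-side view the query does not give: (subnet id, remediation command) for every
    subnet with no NSG attached; the NSG to attach is left as a placeholder for the operator."""
    found = []
    for s in subnets:
        if s.get("networkSecurityGroup"):
            continue
        parts = s["id"].split("/")
        rg, vnet = parts[parts.index("resourceGroups") + 1], parts[parts.index("virtualNetworks") + 1]
        found.append((s["id"], f"az network vnet subnet update --resource-group {rg} --vnet-name {vnet} "
                               f"--name {s['name']} --network-security-group <network-security-group>"))
    return found
```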