turbot/steampipe-mod-azure-compliance

Control: 7.9 Ensure 'Authentication type' is set to 'Azure Active Directory' only for Azure VPN Gateway point-to-site configuration

Description

Enable only 'Azure Active Directory' (Microsoft Entra ID) authentication for Azure VPN Gateway point-to-site connections.

Microsoft Entra ID authentication provides strong security and centralized identity management, and reduces risks associated with static credentials and certificate management.

Remediation

Remediate from Azure Portal

  1. Go to Virtual network gateways.
  2. Under VPN gateway, click VPN gateways.
  3. Click the name of a VPN gateway.
  4. Under Settings, click Point-to-site configuration.
  5. Under Authentication type, click to expand the drop-down menu.
  6. Check the box next to Azure Active Directory, and uncheck the boxes next to Azure certificate and RADIUS authentication.
  7. Provide a Tenant, Audience, and Issuer for the Azure Active Directory configuration.
  8. Click Save.
  9. Repeat steps 1-8 for each VPN gateway requiring remediation.

Default Value

'Authentication type' is selected during creation of point-to-site configuration.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_7_9

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_7_9 --share

SQL

This control uses a named query:

  select
    g.id as resource,
    case
      -- no point-to-site configuration (or an empty type list): nothing to assess
      when vpn_client_configuration -> 'vpnAuthenticationTypes' is null
        or jsonb_array_length(vpn_client_configuration -> 'vpnAuthenticationTypes') < 1 then 'skip'
      -- exactly one authentication type, and it is Entra ID (AAD)
      when vpn_client_configuration -> 'vpnAuthenticationTypes' @> '["AAD"]'::jsonb
        and jsonb_array_length(vpn_client_configuration -> 'vpnAuthenticationTypes') = 1 then 'ok'
      else 'alarm'
    end as status,
    case
      when vpn_client_configuration -> 'vpnAuthenticationTypes' is null
        or jsonb_array_length(vpn_client_configuration -> 'vpnAuthenticationTypes') < 1 then g.name || ' has no point-to-site configuration defined.'
      when vpn_client_configuration -> 'vpnAuthenticationTypes' @> '["AAD"]'::jsonb
        and jsonb_array_length(vpn_client_configuration -> 'vpnAuthenticationTypes') = 1 then g.name || ' VPN authentication type is set to only Azure Active Directory.'
      else g.name || ' VPN authentication type is not restricted to only Azure Active Directory.'
    end as reason,
    g.resource_group as resource_group,
    sub.display_name as subscription
  from
    azure_virtual_network_gateway as g
    left join azure_subscription as sub on g.subscription_id = sub.subscription_id;
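To see how the control's classification behaves on each shape of point-to-site configuration without an Azure connection, the following added example (not part of the mod, and not one of its named queries) replaces the azure_virtual_network_gateway table with constructed rows in a CTE and applies the same status logic. The gateway names and JSON values are constructed for illustration; the query runs in plain PostgreSQL or in a Steampipe psql session.

```sql
-- Added example: exercises the control's status logic against constructed
-- gateway rows (not real Azure data) so the edge cases are visible.
with sample_gateways(name, vpn_client_configuration) as (
  values
    -- Entra ID (AAD) as the only authentication type: the compliant state
    ('gw-aad-only',     '{"vpnAuthenticationTypes": ["AAD"]}'::jsonb),
    -- AAD enabled alongside certificate auth: not restricted to AAD only
    ('gw-aad-and-cert', '{"vpnAuthenticationTypes": ["AAD", "Certificate"]}'::jsonb),
    -- certificate authentication only
    ('gw-cert-only',    '{"vpnAuthenticationTypes": ["Certificate"]}'::jsonb),
    -- point-to-site block present but no authentication type chosen
    ('gw-empty-types',  '{"vpnAuthenticationTypes": []}'::jsonb),
    -- no point-to-site configuration at all (e.g. a site-to-site only gateway)
    ('gw-no-p2s',       null::jsonb)
)
select
  name,
  case
    -- guard the null case first: jsonb_array_length(null) is null, and
    -- "null < 1" is not true, so without this guard the row would fall to 'alarm'
    when vpn_client_configuration -> 'vpnAuthenticationTypes' is null
      or jsonb_array_length(vpn_client_configuration -> 'vpnAuthenticationTypes') < 1 then 'skip'
    -- the list contains AAD and nothing else
    when vpn_client_configuration -> 'vpnAuthenticationTypes' @> '["AAD"]'::jsonb
      and jsonb_array_length(vpn_client_configuration -> 'vpnAuthenticationTypes') = 1 then 'ok'
    else 'alarm'
  end as status,
  vpn_client_configuration -> 'vpnAuthenticationTypes' as auth_types
from sample_gateways
order by name;
```

Expected result: gw-aad-only is ok; gw-aad-and-cert and gw-cert-only are alarm, because the containment check `@> '["AAD"]'` alone would pass a mixed list, which is why the query also requires the array length to be exactly 1; gw-empty-types and gw-no-p2s are skip. The order of the case branches matters: the null guard is evaluated before the AAD check so that a gateway with no point-to-site configuration is reported as skip rather than misreported as an authentication-type finding.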

Tags