Azure Policy: Prevent the Use of a Wildcard Source in Azure Just-in-Time Access

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

You want to use Just-in-Time (JIT) VM access for your Azure VMs, but do not want users to select all available source IPs (the * wildcard) when requesting access. The following Azure Policy definition denies a network security group that contains a JIT-created inbound Allow rule for port 22 or 3389 whose source is the wildcard:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups"
        },
        {
          "count": {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
            "where": {
              "allOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
                  "equals": "*"
                },
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
                  "equals": "Allow"
                },
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",
                  "equals": "Inbound"
                },
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].name",
                  "contains": "SecurityCenter-JITRule"
                },
                {
                  "anyOf": [
                    {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
                      "equals": "22"
                    },
                    {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
                      "equals": "3389"
                    },
                    {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges",
                      "equals": "22"
                    },
                    {
                      "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges",
                      "equals": "3389"
                    }
                  ]
                }
              ]
            }
          },
          "greater": 0
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
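To see what this definition actually catches before assigning it, here is an added Python example (not code from the post, from the linked GitHub repository, or from Microsoft). It implements only the operators the policy uses (allOf, anyOf, field with equals/contains, and count/where/greater) over constructed NSG payloads; the way it matches list-valued properties such as destinationPortRanges is an assumed simplification, and real Azure Policy evaluation (alias resolution, array semantics, effects) is richer. Running it shows that the deny fires only for inbound Allow rules whose name contains SecurityCenter-JITRule on port 22 or 3389: a JIT request for another port, or a hand-made wildcard rule with a different name, passes, so this policy guards JIT requests rather than banning wildcard sources in general.

```python
import json

# The policy definition from the post, verbatim, so its deny condition can be
# exercised offline against constructed NSG payloads.
POLICY = json.loads(r'''
{ "mode": "All", "policyRule": { "if": { "allOf": [
  { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups" },
  { "count": { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
    "where": { "allOf": [
      { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", "equals": "*" },
      { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access", "equals": "Allow" },
      { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction", "equals": "Inbound" },
      { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].name", "contains": "SecurityCenter-JITRule" },
      { "anyOf": [
        { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", "equals": "22" },
        { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", "equals": "3389" },
        { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges", "equals": "22" },
        { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges", "equals": "3389" } ] } ] } },
    "greater": 0 } ] },
  "then": { "effect": "deny" } }, "parameters": {} }
''')

RULE_ALIAS = "Microsoft.Network/networkSecurityGroups/securityRules[*]"


def _field_value(field, resource, current_rule):
    """Tiny subset of alias resolution: 'type' is the resource type, and
    aliases under securityRules[*]. read the rule a count/where is iterating."""
    if field == "type":
        return resource.get("type")
    if field.startswith(RULE_ALIAS + "."):
        return current_rule.get(field[len(RULE_ALIAS) + 1:])
    raise ValueError(f"unsupported field alias: {field}")


def _compare(value, condition):
    """Operators this policy uses: equals and contains.  Assumption (a
    simplification, not Azure Policy's documented array semantics): a
    list-valued property such as destinationPortRanges matches if any element does."""
    candidates = value if isinstance(value, list) else [value]
    if "equals" in condition:
        return any(c == condition["equals"] for c in candidates)
    if "contains" in condition:
        needle = condition["contains"]
        return any(isinstance(c, str) and needle in c for c in candidates)
    raise ValueError(f"unsupported operator in {condition}")


def _rules(resource):
    # ARM exposes the securityRules[*] alias under properties.securityRules.
    return resource.get("properties", {}).get("securityRules", [])


def evaluate(condition, resource, current_rule=None):
    """Recursively evaluate a policy condition; True means it matches."""
    current_rule = current_rule or {}
    if "allOf" in condition:
        return all(evaluate(c, resource, current_rule) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource, current_rule) for c in condition["anyOf"])
    if "count" in condition:
        where = condition["count"]["where"]
        matched = sum(1 for r in _rules(resource) if evaluate(where, resource, r))
        return matched > condition["greater"]
    if "field" in condition:
        return _compare(_field_value(condition["field"], resource, current_rule), condition)
    raise ValueError(f"unsupported condition: {condition}")


def offending_rules(nsg):
    """Names of the security rules that satisfy the policy's where clause."""
    where = POLICY["policyRule"]["if"]["allOf"][1]["count"]["where"]
    return [r["name"] for r in _rules(nsg) if evaluate(where, nsg, r)]


def is_denied(nsg):
    """True when the policy's if-condition matches and its effect is deny."""
    rule = POLICY["policyRule"]
    return rule["then"]["effect"] == "deny" and evaluate(rule["if"], nsg)


def make_nsg(rules):
    """Constructed NSG payload in the shape the policy's aliases expect."""
    return {"type": "Microsoft.Network/networkSecurityGroups",
            "properties": {"securityRules": rules}}


def jit_rule(source, port, name="SecurityCenter-JITRule-1"):
    """Constructed inbound Allow rule shaped like the ones JIT access creates."""
    rule = {"name": name, "access": "Allow", "direction": "Inbound",
            "sourceAddressPrefix": source}
    if isinstance(port, list):
        rule["destinationPortRanges"] = port   # multi-port form
    else:
        rule["destinationPortRange"] = port
    return rule


if __name__ == "__main__":
    cases = {
        "JIT, wildcard source, port 22": make_nsg([jit_rule("*", "22")]),
        "JIT, single-host source, port 3389": make_nsg([jit_rule("10.0.0.5/32", "3389")]),
        "JIT, wildcard source, port 80": make_nsg([jit_rule("*", "80")]),
        "hand-made wildcard rule on 22": make_nsg([jit_rule("*", "22", name="AllowSSH")]),
    }
    for label, nsg in cases.items():
        verdict = "DENY" if is_denied(nsg) else "allow"
        print(f"{label:36s} -> {verdict} {offending_rules(nsg)}")
```

The third and fourth cases are the ones to keep in mind when assigning this policy: it does nothing for JIT requests on ports other than 22 and 3389, and nothing for wildcard rules that were not created by JIT, so pair it with a separate control if those matter to you.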

More details, comments and issues can be found on GitHub: deny-wildcard-source-for-just-in-time-requests