Azure Policy- Prevent The Use Of Wildcard For Source In Azure Just In Time

Published Oct 15 2020 12:11 PM 1,935 Views
Microsoft

You want to use Just In Time access for Azure VMs, but do not want the users to select all available IPs when requesting the access. Try this policy out to prevent this from happening:

 

 

 

{
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [{
                "field": "type",
                "equals": "Microsoft.Network/networkSecurityGroups"
            }, {
                "count": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
                    "where": {
                        "allOf": [{
                            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
                            "equals": "*"
                        }, {
                            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
                            "equals": "Allow"
                        }, {
                            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",
                            "equals": "Inbound"
                        }, {
                            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].name",
                            "contains": "SecurityCenter-JITRule"
                        }, {
                            "anyOf": [{
                                "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
                                "equals": "22"
                            }, {
                                "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
                                "equals": "3389"
                            }, {
                                "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges",
                                "equals": "22"
                            }, {
                                "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges",
                                "equals": "3389"
                            }]
                        }]
                    }
                },
                "greater": 0
            }]
        },
        "then": {
            "effect": "deny"
        }
    },
    "parameters": {}
}

 

 

More details and comments/issues can be found here: Github: deny-wildcard-source-for-just-in-time-requests 

image.png

Version history
Last update:
‎Oct 15 2020 11:46 AM
Updated by: