This article is contributed. See the original author and article here.
You want to use Just In Time access for Azure VMs, but do not want the users to select all available IPs when requesting the access. Try this policy out to prevent this from happening:
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups"
}, {
"count": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
"where": {
"allOf": [{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
"equals": "*"
}, {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
"equals": "Allow"
}, {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",
"equals": "Inbound"
}, {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].name",
"contains": "SecurityCenter-JITRule"
}, {
"anyOf": [{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
"equals": "22"
}, {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
"equals": "3389"
}, {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges",
"equals": "22"
}, {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges",
"equals": "3389"
}]
}]
}
},
"greater": 0
}]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}
More details and comments/issues can be found here: Github: deny-wildcard-source-for-just-in-time-requests
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.
Recent Comments