All network ports restricted on network security groups which have a dev tag
【Title】All network port restricted on network security group which have dev Tag 【Posted】2021-09-13 16:52:42 【Question】I am creating a custom policy for my requirement. I want to define a policy where "all network ports should be restricted on network security groups that carry the dev tag".
Error: Failed to parse policy rule: 'Could not find member 'exits' on object of type 'LeafExpressionDefinition'. Path 'exits'.'
There are two built-in policies among the Azure Policy definitions:
All network ports should be restricted on network security groups associated to your virtual machine. Link: https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f9daedab3-fb2d-461e-b861-71790eead4f6
Require a tag on resource groups. Link: https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F871b6d14-10aa-478d-b590-94f262ecfa99
I combined them and updated them for my requirement. You can see the custom policy I created below; I think everything in it is fine.
{
  "properties": {
    "displayName": "All network ports should be restricted on network security groups associated to your virtual machine",
    "policyType": "Indexed",
    "mode": "All",
    "description": "Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "dev",
          "description": "Name of the tag, such as 'develpment'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "Microsoft.Network/networkInterfaces/networkSecurityGroup.id",
            "exits": "true"
          },
          {
            "field": "[concat('tags[', parameters('dev'), ']')]",
            "Equals": "[parameters('tagValue')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "3b20e985-f71f-483b-b078-f30d73936d43",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9daedab3-fb2d-461e-b861-71790eead4f6"
}
【Question comments】:
I worked out a solution for this problem that blocks all ports at the network security group or subscription level scope.
【Answer 1】: I worked out a solution for this problem that blocks all ports at the network security group or subscription level scope. However, the port value needs to be set to "*" to block everything; you can block any port by simply entering the port number you need in the port parameter.
{
  "mode": "all",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
        },
        {
          "allOf": [
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
              "equals": "Allow"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
              "equals": "Inbound"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                  "in": "[parameters('deniedPorts')]"
                },
                {
                  "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                    "notIn": "[parameters('deniedPorts')]"
                  }
                }
              ]
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                  "in": [
                    "*",
                    "Internet"
                  ]
                }
              ]
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  },
  "parameters": {
    "deniedPorts": {
      "type": "Array",
      "metadata": {
        "displayName": "Ports to block",
        "description": "The inbound ports that should be blocked"
      }
    }
  }
}
【Comments】:
【Answer 2】:
It looks like you have a typo in "exists": "exits" --> "exists".
I don't think you can create a custom policy based on the built-in Security Center policies that depend on the assessment code ("field": "Microsoft.Security/assessments/status.code"). Those are implemented by internal APIs, so they cannot be copied for customization.
【Comments】:
I worked out a solution for this problem that blocks all ports at the network security group or subscription level scope. However, the port value needs to be set to "*" to block everything; you can block any port by simply entering the port number you need in the port parameter. @user7453088
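The parse error in the question is the service rejecting an unknown member name, and the same policy also references parameters ('dev', 'tagValue') that its "parameters" section never declares. The following is an added example, not code from the question or either answer: a small Python linter that walks a policy definition's "if" block, flags any key that is neither a logical operator nor a documented condition (the 'exits' case), and flags parameters('x') references whose name is not declared. The condition-operator list is taken from the Azure Policy documentation as I know it and is compared case-insensitively (an assumption, consistent with the question's "Equals" being accepted); QUESTION_POLICY is a reduced copy of the question's definition, and fixed_policy() shows the minimal corrections that make it lint clean.

```python
import copy
import re

# Condition operators documented for Azure Policy rules; keys are compared
# case-insensitively (assumption, consistent with "Equals" being accepted).
CONDITIONS = {
    "equals", "notequals", "like", "notlike", "match", "matchinsensitively",
    "notmatch", "notmatchinsensitively", "contains", "notcontains", "in", "notin",
    "containskey", "notcontainskey", "less", "lessorequals", "greater",
    "greaterorequals", "exists",
}
LOGICAL = {"not", "allof", "anyof"}
OPERANDS = {"field", "value", "count"}  # accompany a condition; not operators
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")

# Reduced copy of the question's policy: only the parts the linter inspects.
QUESTION_POLICY = {
    "properties": {
        "parameters": {
            "effect": {"type": "String", "defaultValue": "AuditIfNotExists"},
            "tagName": {"type": "String"},
        },
        "policyRule": {
            "if": {
                "allOf": [
                    {"field": "Microsoft.Network/networkInterfaces/networkSecurityGroup.id",
                     "exits": "true"},
                    {"field": "[concat('tags[', parameters('dev'), ']')]",
                     "Equals": "[parameters('tagValue')]"},
                ]
            },
            "then": {
                "effect": "[parameters('effect')]",
                "details": {
                    "type": "Microsoft.Security/assessments",
                    "existenceCondition": {
                        "field": "Microsoft.Security/assessments/status.code",
                        "in": ["NotApplicable", "Healthy"],
                    },
                },
            },
        },
    }
}


def _param_refs(value):
    """Yield every parameter name referenced inside a (possibly nested) JSON value."""
    if isinstance(value, str):
        yield from PARAM_REF.findall(value)
    elif isinstance(value, dict):
        for v in value.values():
            yield from _param_refs(v)
    elif isinstance(value, list):
        for v in value:
            yield from _param_refs(v)


def lint_policy(definition):
    """Return findings: unknown condition members in 'if' and undeclared parameter refs."""
    props = definition.get("properties", definition)
    declared = set(props.get("parameters", {}))
    rule = props["policyRule"]
    findings = []

    def report_params(value, path):
        for name in _param_refs(value):
            if name not in declared:
                findings.append(f"undeclared parameter '{name}' at {path}")

    def walk(node, path):
        for key, val in node.items():
            k = key.lower()
            if k == "not":
                walk(val, f"{path}.{key}")
            elif k in LOGICAL:
                for i, item in enumerate(val):
                    walk(item, f"{path}.{key}[{i}]")
            elif k in OPERANDS or k in CONDITIONS:
                report_params(val, f"{path}.{key}")
            else:
                # Same class of error the service reports: unknown member on a leaf.
                findings.append(f"unknown member '{key}' at {path}")

    walk(rule["if"], "policyRule.if")
    report_params(rule.get("then", {}), "policyRule.then")
    return findings


def fixed_policy():
    """The question's policy with the typo and the parameter references corrected."""
    fixed = copy.deepcopy(QUESTION_POLICY)
    props = fixed["properties"]
    props["parameters"]["tagValue"] = {"type": "String"}
    conds = props["policyRule"]["if"]["allOf"]
    conds[0] = {"field": conds[0]["field"], "exists": "true"}
    conds[1] = {"field": "[concat('tags[', parameters('tagName'), ']')]",
                "equals": "[parameters('tagValue')]"}
    return fixed


if __name__ == "__main__":
    for line in lint_policy(QUESTION_POLICY):
        print(line)
    print("fixed policy findings:", lint_policy(fixed_policy()))
```

Running the block prints three findings for the original policy (the 'exits' member and the two undeclared parameters) and an empty list for the corrected one. The linter only checks structure; whether the Microsoft.Security/assessments existence condition can be reused in a custom policy is a separate question, as the second answer notes.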