Description
Violation: NS4 – Insufficient Network Threat Detection
Location: infra/app/QuoteOfTheDay.bicep
Issue:
The infrastructure lacks any configuration for network threat detection—no NSG flow logs, Azure Network Watcher, or Defender for Cloud Network Protection are enabled. This prevents monitoring of suspicious traffic patterns or potential attacks, leaving the application blind to lateral movement or scanning activity.
Recommendation:
- Enable Microsoft Defender for Cloud’s Network Protection.
- Deploy Azure Network Watcher and configure NSG flow logs to export to a Log Analytics workspace.
- Set up alerts for anomalous traffic patterns or integrate a third-party IDS/IPS solution if needed.
Reference Links:
Violation: NS7 – No Network Security Groups (NSGs)
Location: infra/app/QuoteOfTheDay.bicep
Issue:
The infrastructure does not define any Network Security Groups (NSGs) or subnet-level access controls. As a result, traffic to and from the App Service environment is unrestricted, increasing the risk of unauthorized access and reducing visibility and control over network flows.
Recommendation:
- Define NSGs with least-privilege inbound and outbound rules.
- Associate NSGs with the relevant subnets or network interfaces.
- For broader security management, consider using Azure Firewall Manager or Adaptive Network Hardening from Defender for Cloud.
Reference Links:
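The two findings above are addressed together in the following Bicep, added here as an illustration and not taken from the QuoteOfTheDay repository: a least-privilege NSG attached to a subnet (NS7) and NSG flow logs exported through Network Watcher into a Log Analytics workspace with Traffic Analytics (NS4). Resource names, address ranges, the 30-day retention, and the parameters `workspaceId` and `storageId` are assumptions; the example also assumes the regional Network Watcher already exists in the `NetworkWatcherRG` resource group, as Azure creates it by default.

```bicep
param location string = resourceGroup().location
param workspaceId string // assumed: resource ID of an existing Log Analytics workspace
param storageId string   // assumed: resource ID of an existing storage account for raw flow logs
// Least-privilege NSG: HTTPS in from the internet, HTTPS out to Azure services, explicit deny for the
// rest (Azure's built-in 65000-series rules would otherwise still allow VirtualNetwork-to-VirtualNetwork).
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-qotd-app' // assumed name
  location: location
  properties: {
    securityRules: [
      { name: 'AllowHttpsInbound', properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: 'Internet', sourcePortRange: '*', destinationAddressPrefix: 'VirtualNetwork', destinationPortRange: '443' } }
      { name: 'DenyAllInbound', properties: { priority: 4096, direction: 'Inbound', access: 'Deny', protocol: '*', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' } }
      { name: 'AllowHttpsOutbound', properties: { priority: 100, direction: 'Outbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: 'VirtualNetwork', sourcePortRange: '*', destinationAddressPrefix: 'AzureCloud', destinationPortRange: '443' } }
      { name: 'DenyAllOutbound', properties: { priority: 4096, direction: 'Outbound', access: 'Deny', protocol: '*', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' } }
    ]
  }
}
// Subnet on the app's network path with the NSG associated at subnet level (address ranges assumed).
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-qotd'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      { name: 'snet-qotd-app', properties: { addressPrefix: '10.10.1.0/24', networkSecurityGroup: { id: nsg.id } } }
    ]
  }
}
// Network Watcher is a per-region singleton kept in NetworkWatcherRG; reference it instead of creating another.
resource watcher 'Microsoft.Network/networkWatchers@2023-05-01' existing = {
  name: 'NetworkWatcher_${location}'
  scope: resourceGroup('NetworkWatcherRG')
}
// NSG flow logs (JSON v2) kept 30 days, with Traffic Analytics aggregating flows into Log Analytics every 10 minutes.
resource flowLog 'Microsoft.Network/networkWatchers/flowLogs@2023-05-01' = {
  parent: watcher
  name: 'fl-nsg-qotd-app'
  location: location
  properties: {
    targetResourceId: nsg.id
    storageId: storageId
    enabled: true
    retentionPolicy: { days: 30, enabled: true }
    format: { type: 'JSON', version: 2 }
    flowAnalyticsConfiguration: {
      networkWatcherFlowAnalyticsConfiguration: { enabled: true, workspaceResourceId: workspaceId, trafficAnalyticsInterval: 10 }
    }
  }
}
```

Once flows land in the workspace, the `AzureNetworkAnalytics_CL` table is where alert rules for scanning or unexpected lateral traffic would be written; enabling Defender for Cloud's network protection plan is a subscription-level setting and is not part of this template.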