rules/findings/azure/container_instances/azure-container-instances-private-network-disabled.json
{
"args": [], "provider": "Azure", "serviceType": "Container Instances", "serviceName": "Compute", "displayName": "Ensure Private Virtual Networks are used for Container Instances", "description": "Deploying Container Instances into a private Virtual Network (vNet) keeps services and hosts within the subscription segmented in private subnets rather than directly reachable from the internet. Where a container instance must be reachable publicly, expose it through a NAT gateway and/or firewall instead of assigning it a public IP address. In addition to using a private vNet, ensure that a Network Security Group (NSG) is configured and applied to the container instance subnet, with inbound and outbound TCP/UDP rules limited to the traffic the services running in the container instance actually require. This check flags any container instance whose IP address type is not `Private`.", "rationale": "Network segmentation reduces the attack surface and limits lateral movement if a workload is compromised. A container instance with a public IP address is directly reachable from the internet, which significantly increases its exposure; public addressing should be avoided.", "impact": "A well-architected cloud network requires planning and documentation of subnet allocation. vNets and NSGs have minimal cost impact, but adding a firewall or public-facing gateway to front the container instance will increase cost.", "remediation": { "text": "Container Instances that were created with a public IP address will need to be re-created with a private IP address. When creating a Container Instance, select the `Private` networking type (deploying it into the intended vNet and subnet) before the instance is created.", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/container-instances-security-baseline", "https://learn.microsoft.com/en-us/azure/container-instances/container-instances-vnet" ], "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "2.0.0", "reference": "3.1", "profile": [ "Level 1" ] } ], "level": "medium", "tags": [], "rule": { "path": "az_containers", "subPath": null, "selectCondition": {}, "query": [ { "filter": [ { "conditions": [ [ "properties.ipAddress.type", "ne", "Private" ] ] } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "name": "Name", "location": "Location", "properties.ipAddress.ip": "IP", "properties.ipAddress.type": "Type" }, "expandObject": null }, "table": "default", "decorate": [], "emphasis": [], "actions": { "objectData": { "properties": [], "expandObject": null, "limit": null }, "showGoToButton": "True", "showModalButton": "True", "directLink": null } }, "text": { "data": { "properties": { "name": "Name", "location": "Location", "properties.ipAddress.ip": "IP", "properties.ipAddress.type": "Type" }, "expandObject": null }, "status": { "keyName": ["name"], "message": "Ensure Private Virtual Networks are used for {name} Container Instance", "defaultMessage": null }, "properties": { "resourceName": "name", "resourceId": "id", "resourceType": "type" }, "onlyStatus": false } }, "idSuffix": "azure_container_registry_lacks_vnet_integration", "notes": [], "categories": [], "immutable_properties": [ "name", "id" ], "id": "azure_container_003" }