Azure policy to audit publicly accessible web applications within subscription

Question

Azure policy to audit publicly accessible web applications within subscription

AzDev 41

Hi All, I am implementing an Azure policy to audit all publicly accessible web apps within my subscription. I don't think there is any built-in policy for this requirement; so I came up with below policy to check if ipSecurityRestrications exists or not for web apps but it doesn't seem working correctly. Also there could be multiple ways to restrict web apps access e.g. using vnet integration, front door, private endpoint etc.

{
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Web/sites"
                },
                {
                    "field": "Microsoft.Web/sites/siteConfig.ipSecurityRestrictions",
                    "exists": "false"
                },
                {
                    "field": "kind",
                    "equals": "app"
                }
            ]
        },
        "then": {
            "effect": "audit"
        }
    }
}

Could you please suggest best approach to implement Azure policy for this requirement?

SwathiDhanwada-MSFT 9,566 Reputation points

2020-12-22T16:40:57.53+00:00

@AzDev Did you get chance to look into my comment? Kindly revert if you have further questions.
SwathiDhanwada-MSFT 9,566 Reputation points

2020-12-23T19:15:37.087+00:00

@AzDev Hope the information provided is helpful. Kindly revert if you have further questions.

SwathiDhanwada-MSFT 9,566 Reputation points

2020-12-22T16:40:57.53+00:00

@AzDev Did you get chance to look into my comment? Kindly revert if you have further questions.
SwathiDhanwada-MSFT 9,566 Reputation points

2020-12-23T19:15:37.087+00:00

@AzDev Hope the information provided is helpful. Kindly revert if you have further questions.

Answer 1

@AzDev Welcome to Microsoft Q & A Community Forum. Here is an sample of Azure policy definition which audits app service ipsecurityRestrictions. Kindly check if it helps you.

{  
"mode": "All",  
"parameters": {  
      "effect": {  
        "type": "String",  
        "metadata": {  
          "displayName": "Effect",  
          "description": "Enable or disable the execution of the policy"  
        },  
        "allowedValues": [  
          "AuditIfNotExists",  
          "Disabled"  
        ],  
        "defaultValue": "AuditIfNotExists"  
      }  
    },  
    "policyRule": {  
      "if": {  
        "allOf": [  
          {  
            "field": "type",  
            "equals": "Microsoft.Web/sites"  
          },  
          {  
            "field": "kind",  
            "like": "app*"  
          }  
        ]  
      },  
      "then": {  
        "effect": "[parameters('effect')]",  
        "details": {  
          "type": "Microsoft.Web/sites/config",  
          "name": "web",  
          "existenceCondition": {  
            "field": "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].ipAddress",  
            "in": [  
              "0.0.0.0/32",  
              "Any"  
            ]  
          }  
        }  
      }  
    }  
	  
	}

AzDev 41 Reputation points

2021-01-06T17:50:54.607+00:00

Thanks @SwathiDhanwada-MSFT , it helped. By default Azure web apps are publicly accessible with default firewall rule "Allow All" and if we add any firewall rule to restrict access to Web Apps from any IP(s) then a "Deny All" firewall rule with priority 2147483647 gets added automatically. As an additional check absence of this firewall rule indicates web app is publicly accessible.

Azure policy to audit publicly accessible web applications within subscription

0 additional answers

Activity