Ensure that Just-in-Time (JIT) access is enabled for your Azure virtual machines (VMs) in order to allow you to lock down inbound traffic to your VMs and reduce exposure to attacks while providing easy SSH/RDP access when needed.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Microsoft Azure Security Center provides multiple threat prevention instruments to help you reduce the surface area exposed to attacks such as brute-force and DDoS attacks. One of those instruments is Just-in-Time (JIT) access to virtual machines. The JIT access feature enables you to lock down your virtual machines at the network level by blocking inbound traffic to management ports such as 22 (SSH) and 3389 (RDP). Once the feature is enabled for your VMs, you can create a policy that determines the ports to be protected, how long the ports remain open, and the approved IP addresses from which these ports can be accessed. This allows you to control access and reduce the attack surface of your virtual machines by allowing access only upon a specific, approved request.
Note: The Just-in-Time (JIT) access feature is available as part of the Azure Security Center standard tier.
Audit
To determine if your Azure virtual machines are configured to use Just-in-Time access, perform the following actions:
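The following Python script is an added audit helper; it is not part of the Conformity rule or Microsoft's tooling. It evaluates the two things the rule cares about: whether each VM's management port (22 for Linux, 3389 for Windows) is covered by a JIT policy at all, and whether the policy's port rules are looser than intended (any-source prefix, or an access window longer than an assumed 3-hour limit). The JSON shapes of `az vm list` and `az security jit-policy list` are assumed from the Azure CLI output (VM `id` and `storageProfile.osDisk.osType`; policy `virtualMachines[].ports[]` with `number`, `allowedSourceAddressPrefix`, `maxRequestAccessDuration`), and the embedded sample data is constructed for offline use.

```python
"""Audit helper (added example): find Azure VMs whose management port is not
protected by a Just-in-Time (JIT) policy, and flag permissive JIT port rules.

Assumptions (not taken from the rule text): the JSON shapes of
`az vm list -o json` and `az security jit-policy list -o json` shown in the
constructed samples below.
"""
import json
import re
import subprocess

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
VM_PREFIX = RG + "/providers/Microsoft.Compute/virtualMachines/"

# Constructed sample of `az vm list -o json`, trimmed to the fields used here.
SAMPLE_VMS = json.dumps([
    {"id": VM_PREFIX + "linux-web-01", "name": "linux-web-01",
     "storageProfile": {"osDisk": {"osType": "Linux"}}},
    {"id": VM_PREFIX + "vm-db-01", "name": "vm-db-01",
     "storageProfile": {"osDisk": {"osType": "Linux"}}},
    {"id": VM_PREFIX + "win-jump-01", "name": "win-jump-01",
     "storageProfile": {"osDisk": {"osType": "Windows"}}},
])

# Constructed sample of `az security jit-policy list -o json`.
SAMPLE_JIT_POLICIES = json.dumps([
    {"name": "default", "virtualMachines": [
        {"id": VM_PREFIX + "linux-web-01", "ports": [
            {"number": 22, "protocol": "TCP",
             "allowedSourceAddressPrefix": "203.0.113.0/24",
             "maxRequestAccessDuration": "PT3H"}]},
        {"id": VM_PREFIX + "win-jump-01", "ports": [
            {"number": 3389, "protocol": "TCP",
             "allowedSourceAddressPrefix": "*",
             "maxRequestAccessDuration": "PT8H"}]},
    ]},
])

MANAGEMENT_PORTS = {"Linux": {22}, "Windows": {3389}}
MAX_WINDOW_HOURS = 3  # assumed organisational limit for how long a port stays open


def duration_hours(iso):
    """Parse the ISO 8601 durations JIT uses (PTnH, PTnM, PTnHnM) into hours."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", iso)
    if not m:
        raise ValueError(f"unsupported duration: {iso}")
    hours, minutes = (int(x) if x else 0 for x in m.groups())
    return hours + minutes / 60


def jit_ports_by_vm(policies_json):
    """Map lower-cased VM resource id -> list of JIT port rules covering it."""
    rules = {}
    for policy in json.loads(policies_json):
        for entry in policy.get("virtualMachines", []):
            rules.setdefault(entry["id"].lower(), []).extend(entry.get("ports", []))
    return rules


def unprotected_vms(vms_json, policies_json):
    """Names of VMs whose OS management port has no JIT rule at all."""
    rules = jit_ports_by_vm(policies_json)
    missing = []
    for vm in json.loads(vms_json):
        os_type = vm["storageProfile"]["osDisk"]["osType"]
        covered = {p["number"] for p in rules.get(vm["id"].lower(), [])}
        if not MANAGEMENT_PORTS.get(os_type, set()) <= covered:
            missing.append(vm["name"])
    return sorted(missing)


def permissive_rules(policies_json, max_hours=MAX_WINDOW_HOURS):
    """JIT rules that accept any source or stay open longer than max_hours."""
    findings = []
    for vm_id, ports in jit_ports_by_vm(policies_json).items():
        for p in ports:
            reasons = []
            sources = p.get("allowedSourceAddressPrefixes") or \
                [p.get("allowedSourceAddressPrefix", "*")]
            if any(s in ("*", "0.0.0.0/0") for s in sources):
                reasons.append("any-source")
            if duration_hours(p["maxRequestAccessDuration"]) > max_hours:
                reasons.append("window>%dh" % max_hours)
            if reasons:
                findings.append((vm_id.rsplit("/", 1)[-1], p["number"], reasons))
    return findings


def az_json(*args):
    """Run an az command and return its JSON output (needs a logged-in az CLI)."""
    return subprocess.check_output(["az", *args, "-o", "json"], text=True)


if __name__ == "__main__":
    # Swap the samples for az_json("vm", "list") and
    # az_json("security", "jit-policy", "list") to audit a real subscription.
    vms, policies = SAMPLE_VMS, SAMPLE_JIT_POLICIES
    print("VMs without JIT on their management port:", unprotected_vms(vms, policies))
    for name, port, why in permissive_rules(policies):
        print(f"{name}: port {port} is {', '.join(why)}")
```

Run against the constructed sample, the script reports vm-db-01 as having no JIT coverage and flags the win-jump-01 RDP rule for accepting any source and keeping the port open for eight hours. Because enabling JIT itself is portal-only (see Note 3 below), this script is read-only: it reports, and the fix is applied through the Azure Portal.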
Remediation / Resolution
To enable Just-in-Time (JIT) network access for your Microsoft Azure virtual machines, perform the following actions:
Note 1: To be able to use the JIT access feature for your VMs, you need to ensure that the Security Center standard pricing tier is enabled within your Azure account subscription. If the Security Center standard pricing tier is not enabled, follow the steps outlined in this conformity rule to activate the standard tier.
Note 2: As an example, this conformity rule will demonstrate how to enable and configure JIT network access on port 22 (SSH) for a Linux VM instance.
Note 3: Enabling Just-in-Time (JIT) network access for Microsoft Azure virtual machines using the Azure Command Line Interface (CLI) is not currently supported; the feature can be enabled and configured only with the Azure Management Console (Azure Portal).
References
- Azure Official Documentation:
  - What is Azure Security Center?
  - Secure your management ports with just-in-time access
- Azure Command Line Interface (CLI) Documentation:
  - az vm list
  - az security jit-policy list