module/ConfigurationProvider/ControlConfigurations/Services/Bastion.json
{
"FeatureName": "Bastion", "Reference": "", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_Bastion_AuthZ_Disable_Shareable_Link", "Description": "Azure Bastion Shareable links must not be used.", "Id": "Bastion100", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckShareableLink", "DisplayName": "Azure Bastion Shareable links must not be used.", "Category": "Least privilege access to subscription and resources", "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms", "Rationale": "The Bastion Shareable link lets users with only local VM credentials bypass primary authentication to Azure, MFA requirements and network segmentation, because the link provides direct connectivity to the VM. Compromise of such a VM creates a lateral movement risk for any other assets in the same VNet.", "Recommendation": "To delete all the shareable links: Go to Azure Portal --> Select your Bastion --> Settings blade --> 'Shareable links' --> select all the VMs with links --> Click 'Delete'. To disable the shareable link flag: Select your Bastion --> Settings blade --> Configuration --> Uncheck 'Shareable Link' option --> Click 'Apply'.", "Tags": [ "SDL", "Automated", "AuthZ", "Bastion", "Baseline" ], "Enabled": true, "ControlSettings": { "AllowedSKUs": [ "Standard" ] }, "CustomTags": [ "Daily", "Preview", "TenantBaseline", "MSD", "TBv9", "CAIPreview", "EDPreview", "SMTPreview", "SN:Bastion_Shareable_Links" ] } ] }