Azure Security Review

followtushar December 7, 2022 0

The Most Important Element of Azure security is that you don’t leave any loose ends in your environment.

This script will check for unassigned Network Security Groups (NSGs), open ports on NSGs, unsecured storage accounts, and unsecured access keys. 

# Import Azure PowerShell module
Import-Module AzureRM

# Connect to Azure subscription
Connect-AzureRmAccount

# Define the Azure subscription to use
$subscriptionId = "your_subscription_id"
Select-AzureRmSubscription -SubscriptionId $subscriptionId

# Check for unassigned network security groups (NSGs)
Write-Output "Checking for unassigned NSGs..."
$unassignedNSGs = Get-AzureRmNetworkSecurityGroup | Where-Object {-not (Get-AzureRmNetworkSecurityGroupAssociation -NetworkSecurityGroup $PSItem)}
if ($unassignedNSGs) {
    Write-Output "Unassigned NSGs found:"
    $unassignedNSGs | Select-Object Name, ResourceGroupName
} else {
    Write-Output "No unassigned NSGs found."
}

# Check for open ports on NSGs
Write-Output "Checking for open ports on NSGs..."
$openPorts = Get-AzureRmNetworkSecurityGroup | Get-AzureRmNetworkSecurityRuleConfig | Where-Object {$PSItem.Access -eq "Allow" -and $PSItem.Direction -eq "Inbound" -and $PSItem.Priority -lt 65000 -and ($PSItem.SourceAddressPrefix -eq "*" -or $PSItem.SourcePortRange -eq "*")}
if ($openPorts) {
    Write-Output "Open ports found:"
    $openPorts | Select-Object Name, Priority, Access, Direction, SourceAddressPrefix, DestinationAddressPrefix, SourcePortRange, DestinationPortRange
} else {
    Write-Output "No open ports found."
}

#Check for unsecured storage accounts
Write-Output "Checking for unsecured storage accounts..."
$storageAccounts = Get-AzureRmStorageAccount
foreach ($storageAccount in $storageAccounts) {
    $keys = Get-AzureRmStorageAccountKey -StorageAccountName $storageAccount.StorageAccountName
    if ($keys.Value[0].Permission -ne "Full" -or $keys.Value[1].Permission -ne "Full") {
        Write-Output "Unsecured storage account found:"
        $storageAccount | Select-Object StorageAccountName, ResourceGroupName
    }
}

#Check for unsecured access keys
Write-Output "Checking for unsecured access keys..."
$accessKeys = Get-AzureRmStorageAccountKey -StorageAccountName $storageAccount.StorageAccountName
foreach ($key in $accessKeys.Value) {
    if ($key.Permission -ne "Full") {
        Write-Output "Unsecured access key found:"
        $key | Select-Object KeyName, Permission
    }
}

You can customize the script to check for other security issues as well.

More Stories

Azure Spring Clean 2024: Entra Global Access

followtushar March 9, 2024 0

This operation is not permitted because the blob has snapshots.

followtushar February 10, 2024 0

Deploy Azure Bastion – Developer SKU

followtushar November 2, 2023 0

Leave a Reply

Your email address will not be published. Required fields are marked *

You may have missed

Azure Spring Clean 2024: Entra Global Access

followtushar March 9, 2024 0

This operation is not permitted because the blob has snapshots.

followtushar February 10, 2024 0

Deploy Azure Bastion – Developer SKU

followtushar November 2, 2023 0

Entra Global Access: Security Service Edge

followtushar October 21, 2023 0

Common Issue While Setting up TDE with Azure Key Vault

followtushar October 1, 2023 0