The Most Important Element of Azure security is that you don’t leave any loose ends in your environment.

This script will check for unassigned Network Security Groups (NSGs), open ports on NSGs, unsecured storage accounts, and unsecured access keys.

# Import Azure PowerShell module
Import-Module AzureRM

# Connect to Azure subscription
Connect-AzureRmAccount

# Define the Azure subscription to use
$subscriptionId = "your_subscription_id"
Select-AzureRmSubscription -SubscriptionId $subscriptionId

# Check for unassigned network security groups (NSGs)
Write-Output "Checking for unassigned NSGs..."
$unassignedNSGs = Get-AzureRmNetworkSecurityGroup | Where-Object {-not (Get-AzureRmNetworkSecurityGroupAssociation -NetworkSecurityGroup $PSItem)}
if ($unassignedNSGs) {
    Write-Output "Unassigned NSGs found:"
    $unassignedNSGs | Select-Object Name, ResourceGroupName
} else {
    Write-Output "No unassigned NSGs found."
}

# Check for open ports on NSGs
Write-Output "Checking for open ports on NSGs..."
$openPorts = Get-AzureRmNetworkSecurityGroup | Get-AzureRmNetworkSecurityRuleConfig | Where-Object {$PSItem.Access -eq "Allow" -and $PSItem.Direction -eq "Inbound" -and $PSItem.Priority -lt 65000 -and ($PSItem.SourceAddressPrefix -eq "*" -or $PSItem.SourcePortRange -eq "*")}
if ($openPorts) {
    Write-Output "Open ports found:"
    $openPorts | Select-Object Name, Priority, Access, Direction, SourceAddressPrefix, DestinationAddressPrefix, SourcePortRange, DestinationPortRange
} else {
    Write-Output "No open ports found."
}

#Check for unsecured storage accounts
Write-Output "Checking for unsecured storage accounts..."
$storageAccounts = Get-AzureRmStorageAccount
foreach ($storageAccount in $storageAccounts) {
    $keys = Get-AzureRmStorageAccountKey -StorageAccountName $storageAccount.StorageAccountName
    if ($keys.Value[0].Permission -ne "Full" -or $keys.Value[1].Permission -ne "Full") {
        Write-Output "Unsecured storage account found:"
        $storageAccount | Select-Object StorageAccountName, ResourceGroupName
    }
}

#Check for unsecured access keys
Write-Output "Checking for unsecured access keys..."
$accessKeys = Get-AzureRmStorageAccountKey -StorageAccountName $storageAccount.StorageAccountName
foreach ($key in $accessKeys.Value) {
    if ($key.Permission -ne "Full") {
        Write-Output "Unsecured access key found:"
        $key | Select-Object KeyName, Permission
    }
}

You can customize the script to check for other security issues as well.

Leave a Reply

Your email address will not be published. Required fields are marked *