Microsoft AzureOverview
Virtual Machine Disks and snapshots can be configured to allow access from different network resources.
Rationale
In many cases, the setting 'Enable public access from all networks' is overly permissive on Virtual Machine Disks and presents atypical attack, data infiltration, and data exfiltration vectors. If a disk-to-network connection is required, the preferred setting is 'Disable public access and enable private access.'
Impact
The setting 'Disable public access and enable private access' will require configuring a private link (URL in references below).
Disable public and private access is the most secure and preferred setting where disk network access is unnecessary.
Remediation guidance
Remediate from Azure Portal
Part A. Select the Virtual Machine to Remediate
- Using the search bar, search for and open the
Virtual Machinesservice. - Click on the name of the Virtual Machine to be remediated.
Part B. Remediate each Virtual Machine Disk individually
- From the selected Virtual Machine resource window, expand the
Settingsmenu item and clickDisks. - For each disk, click the name of the disk to open the disk resource window.
- From the selected Disk resource window, expand the
Settingsmenu item, and clickNetworking.
Under Network access, select the radio button for either:
- Disable public access and enable private access
- Disable public and private access
Repeat Part B for each Disk attached to a VM.
Repeat Parts A and B to remediate all Disks in all VMs.
Remediate from PowerShell
To disable PublicNetworkAccess and to set a DenyAll setting for the disk's NetworkAccessPolicy for each managed disk, run the following command:
$disk = Get-AzDisk -ResourceGroupName '<rg_name>' -DiskName '<disk_name>'
$disk.NetworkAccessPolicy = 'DenyAll'
$disk.PublicNetworkAccess = 'Disabled'
Update-AzDisk -ResourceGroup '<rg_name> -DiskName $disk.Name -Disk $disk
To disable PublicNetworkAccess and to set an AllowPrivate setting for the disk's NetworkAccessPolicy for each managed disk, run the following command:
$disk = Get-AzDisk -ResourceGroupName '<rg_name>' -DiskName '<disk_name>'
$disk.NetworkAccessPolicy = 'AllowPrivate'
$disk.PublicNetworkAccess = 'Disabled'
$disk.DiskAccessId = '/subscriptions/<subscription_ID>/resourceGroups/<rg_name>/providers/Microsoft.Compute/diskAccesses/<disk_access_name>
Update-AzDisk -ResourceGroup '<rg_name> -DiskName $disk.Name -Disk $disk
Remediate from Azure CLI
To configure a disk to allow private access only, run the following command, ensuring you have the disk_access_ID from a private disk access endpoint.
az disk update --name <disk_name> --resource-group <rg_name> --network-access-policy AllowPrivate --disk-access <disk_access_ID>
To completely disable public and private access for a disk, run the following command (still in preview) for each disk:
az disk update --name <disk_name> --resource-group <rg_name> --public-network-access Disabled --network-access-policy DenyAll
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Azure Disks allowing public access from all networks
Connectors
Covered asset types
Expected check: eq []
{
disks(where: { networkAccessPolicy: "AllowAll" }) {
...AssetFragment
}
}
