Microsoft AzureOverview
Public IP Addresses provide tenant accounts with Internet connectivity for resources contained within the tenant. A public IP address may be created during the creation of certain resources in Azure. All Public IP Addresses within the tenant should be periodically reviewed for accuracy and necessity.
Rationale
Public IP addresses allocated to the tenant should be periodically reviewed if necessary. Public IP Addresses that are not intentionally assigned and controlled present a publicly facing vector for threat actors and significant risk to the tenant.
Default Value
During Virtual Machine and Application creation, a setting may be created, and a public IP may be attached.
Remediation guidance
Azure remediation
This is a manual governance control.
Portal
- Open Public IP addresses in Azure Portal.
- Review each public IP and attached resource.
- Delete unused public IPs.
- For required public IPs, enforce restrictive NSG rules.
Azure CLI
az network public-ip list --query "[].{name:name,resourceGroup:resourceGroup,ipAddress:ipAddress,sku:sku.name}" -o table
az network public-ip delete --resource-group <resource-group> --name <public-ip-name>
References
- https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses
- https://learn.microsoft.com/en-us/cli/azure/network/public-ip?view=azure-cli-latest
Multiple Remediation Paths
Azure
SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.
PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.
References for Service-Wide Patterns
- Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
- Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
- Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Azure Public IP addresses
Connectors
Covered asset types
Expected check: eq []
{
staticIps {
...AssetFragment
}
}
