Detections
Analytics

7.11 Ensure subnets are associated with network security groups

Information

Protect subnet resources by ensuring subnets are associated with network security groups, which can filter inbound and outbound traffic using security rules.

Unprotected subnets can expose resources to unauthorized access.

Solution

Remediate from Azure Portal

 - Go to Virtual networks.
 - Click the name of a virtual network.
 - Under Settings, click Subnets.
 - Click the name of a subnet.
 - Under Security, next to Network security group, click None to display the drop-down menu.
 - Select a network security group.
 - Click Save.
 - Repeat steps 1-7 for each virtual network and subnet requiring remediation.

Remediate from Azure CLI

For each subnet requiring remediation, run the following command to associate it with a network security group:

az network vnet subnet update --resource-group <resource-group> --vnet-name <virtual-network> --name <subnet> --network-security-group <network-security-group>

Impact:

Minor administrative effort is required to ensure subnets are associated with network security groups. There is no cost to create or use network security groups.

See Also

https://workbench.cisecurity.org/benchmarks/21611

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, CSCv7|9.4

Plugin: microsoft_azure

Control ID: cbe1a0411a62526c83cc6ae708bf8b1aefc7bce36726076178848cd15179fc12