Ensure custom script extensions are not used in Azure Virtual Machine

MEDIUM

Description

The Custom Script Extension downloads and runs arbitrary scripts on a VM as root (Linux) or SYSTEM (Windows). It is an out-of-band code execution path: anyone who holds the Azure control-plane permission to write VM extensions (Microsoft.Compute/virtualMachines/extensions/write) can execute commands inside the guest without any guest OS credentials, so a compromised Azure identity or automation principal can be turned into full control of the VM, with data loss, malware installation, or operational disruption as the result. The extension itself does not validate or restrict what the script does; the script URI and command are supplied by whoever creates the extension, and users are responsible for the security of what they run. Therefore, it is recommended to not use custom script extensions in Azure VMs.

Remediation

In Azure Console -

  1. Go to Virtual machines and open the virtual machine
  2. For each virtual machine, go to Settings
  3. Click on Extensions + applications
  4. Select each custom script extension (publisher Microsoft.Azure.Extensions with type CustomScript on Linux, or publisher Microsoft.Compute with type CustomScriptExtension on Windows) and click Uninstall.

From Azure Command Line Interface 2.0-
Use the command below to list the extensions installed on a VM together with their publisher and handler type. A custom script extension shows up as publisher Microsoft.Azure.Extensions with type CustomScript (Linux) or publisher Microsoft.Compute with type CustomScriptExtension (Windows). The extension name is chosen at install time and need not contain "CustomScript", so identify the extension by its type rather than its name.

az vm extension list --vm-name <vm-name> --resource-group <resource-group> --query "[].[name,publisher,typePropertiesType]" --output table

Then use the command below to remove each identified extension from the VM.

az vm extension delete --resource-group <resource-group> --vm-name <vm-name> --name <extension-name>

Note that deleting the extension removes the handler from the VM but does not undo any changes the script already made to the guest; review those separately.

In Terraform -

  1. In the azurerm_virtual_machine_extension resource, if type is set to 'CustomScript' (publisher Microsoft.Azure.Extensions, Linux) or 'CustomScriptExtension' (publisher Microsoft.Compute, Windows), remove this vm extension resource.
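
The following script is an added example and is not part of the original policy page or Microsoft's tooling. It applies the CLI remediation above across a whole subscription: it flags custom script extensions by publisher and handler type (the name alone is unreliable, since it is chosen by whoever installed the extension) and emits the matching az vm extension delete commands for review. The field name typePropertiesType is assumed to be the type column in current azure-cli JSON output; the publisher/type pairs, the resource group and VM names, and the sample TSV lines are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original policy page: find custom script
# extensions on a VM by publisher and handler type rather than by name,
# and emit the matching "az vm extension delete" commands for review.
#
# Input to flag_custom_script is TSV "name<TAB>publisher<TAB>type", which is
# what this query produces (typePropertiesType is assumed to be the type
# field in current azure-cli output; older CLI versions used another name):
#   az vm extension list --vm-name "$vm" --resource-group "$rg" \
#     --query "[].[name,publisher,typePropertiesType]" -o tsv
set -eu

# Print one delete command per custom script extension found on stdin.
# $1 = resource group, $2 = VM name.
flag_custom_script() {
  rg="$1"
  vm="$2"
  awk -F '\t' -v rg="$rg" -v vm="$vm" '
    # Linux handler (v2), Windows handler, and the legacy Linux handler.
    ($2 == "Microsoft.Azure.Extensions" && $3 == "CustomScript") ||
    ($2 == "Microsoft.Compute"          && $3 == "CustomScriptExtension") ||
    ($2 == "Microsoft.OSTCExtensions"   && $3 == "CustomScriptForLinux") {
      printf "az vm extension delete --resource-group %s --vm-name %s --name %s\n", rg, vm, $1
    }'
}

# Live scan of every VM in the current subscription (needs a logged-in az
# session). Defined here; invoke it yourself when you want the real scan.
scan_subscription() {
  az vm list --query "[].[resourceGroup,name]" -o tsv |
  while IFS="$(printf '\t')" read -r rg vm; do
    az vm extension list --resource-group "$rg" --vm-name "$vm" \
      --query "[].[name,publisher,typePropertiesType]" -o tsv |
      flag_custom_script "$rg" "$vm"
  done
}

# Constructed sample standing in for real CLI output: two custom script
# extensions installed under innocuous names plus one unrelated extension.
sample_tsv() {
  printf 'bootstrap\tMicrosoft.Azure.Extensions\tCustomScript\n'
  printf 'AzureMonitorLinuxAgent\tMicrosoft.Azure.Monitor\tAzureMonitorLinuxAgent\n'
  printf 'setup\tMicrosoft.Compute\tCustomScriptExtension\n'
}

# Dry run against the constructed sample; no Azure credentials required.
sample_tsv | flag_custom_script rg-prod vm-web01
```

Run as-is to see the dry run over the constructed sample (it prints delete commands for bootstrap and setup and ignores the monitoring agent); call scan_subscription after az login to get the same output for real VMs. The commands are printed rather than executed so that each removal can be reviewed first, since removing the handler does not revert anything the script already did inside the guest.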

References:
https://learn.microsoft.com/en-us/powershell/module/az.compute/remove-azvmextension?view=azps-10.2.0
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_extension.html

Policy Details

Rule Reference ID: AC_AZURE_0200
CSP: Azure
Remediation Available: No
Resource Category: Compute
Resource Type: Virtual Machine

Frameworks