Ensure Secrets are not exposed in customData used in Azure Virtual Machine

MEDIUM

Description

Storing secrets in Azure Virtual Machine customData exposes them, which may lead to unauthorized access, privilege escalation and other issues.

Remediation

Once a Virtual Machine is created in the console, its custom data cannot be changed. You can either create a new virtual machine instance or use a virtual machine scale set, which does allow custom data to be updated.

In Terraform (azurerm_virtual_machine is deprecated in favor of azurerm_linux_virtual_machine and azurerm_windows_virtual_machine):

  1. In the azurerm_virtual_machine resource, remove custom_data.

References:
https://learn.microsoft.com/en-us/azure/virtual-machines/custom-data
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine#custom_data
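As an added example (not part of this policy page or of any scanner), a small Python check that scans Terraform source for the VM resource types named above and flags inline custom_data that looks like it carries a credential; base64 values are decoded first so the azurerm_linux/windows_virtual_machine form is covered. The sample .tf text, the credential patterns and the names used are constructed for illustration.

```python
import base64
import re

# VM resources whose custom_data becomes the instance's customData (legacy and current types).
RESOURCE_RE = re.compile(r'resource\s+"(?P<type>azurerm_(?:linux_|windows_)?virtual_machine)"\s+"(?P<name>[^"]+)"\s*\{')
# Inline custom_data as a quoted string or a heredoc (<<EOT ... EOT); file()/var references are skipped.
CUSTOM_DATA_RE = re.compile(r'custom_data\s*=\s*(?:"(?P<str>[^"]*)"|<<-?(?P<tag>\w+)\n(?P<doc>.*?)\n\s*(?P=tag))', re.S)
# Heuristic (constructed) credential indicators inside a boot script or cloud-init document.
SECRET_PATTERNS = [re.compile(r'(?i)(password|passwd|secret|token|api[_-]?key|client[_-]?secret)\s*[:=]\s*\S+'),
                   re.compile(r'-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----')]


def _block_body(text, start):  # text inside the brace block whose "{" is at index start
    depth = 0
    for i, ch in enumerate(text[start:], start):
        depth += (ch == "{") - (ch == "}")
        if depth == 0:
            return text[start + 1:i]
    return text[start + 1:]


def find_exposed_secrets(hcl):
    """Return (resource_type, name, evidence) for every VM whose inline custom_data looks like a credential."""
    findings = []
    for res in RESOURCE_RE.finditer(hcl):
        cd = CUSTOM_DATA_RE.search(_block_body(hcl, res.end() - 1))
        if cd is None:
            continue
        value = cd.group("str") if cd.group("str") is not None else cd.group("doc")
        try:  # azurerm_linux/windows_virtual_machine require base64; the legacy resource takes plain text
            value = base64.b64decode(value, validate=True).decode("utf-8", "replace")
        except ValueError:  # not base64: treat as the plain-text script it is
            pass
        hit = next(filter(None, (p.search(value) for p in SECRET_PATTERNS)), None)
        if hit:
            findings.append((res.group("type"), res.group("name"), hit.group(0)))
    return findings


# Constructed sample: a legacy VM with a plain-text heredoc and a current VM with base64 cloud-init, both leaking.
SAMPLE_TF = """
resource "azurerm_virtual_machine" "legacy" {
  os_profile {
    admin_username = "azureuser"
    custom_data    = <<-EOT
      export DB_PASSWORD=hunter2
    EOT
  }
}
resource "azurerm_linux_virtual_machine" "modern" {
  custom_data = "%s"
}
""" % base64.b64encode(b"#cloud-config\nruncmd:\n  - export API_KEY=sk-constructed-1234\n").decode()
```

Running find_exposed_secrets(SAMPLE_TF) reports both resources; custom_data that references file() or a variable is not inspected, so those still need review at the source.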

Policy Details

Rule Reference ID: AC_AZURE_0265
CSP: Azure
Remediation Available: No
Resource Category: Compute
Resource Type: Virtual Machine

Frameworks