Ensure automatic OS upgrades are enabled for windows config block in Azure Virtual Machine Scale Set

MEDIUM

Description

Automatic OS upgrades for Windows are not enabled in the Azure Virtual Machine Scale Set, which may leave its instances vulnerable to malware and other threats.

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Virtual Machine Scale Sets.
  2. Choose the Virtual Machine Scale Set you wish to edit.
  3. Under Settings, select Upgrade policy.
  4. Set the Upgrade mode to Automatic or Rolling.

In Terraform -
Note: azurerm_virtual_machine_scale_set is deprecated in favor of azurerm_linux_virtual_machine_scale_set and azurerm_windows_virtual_machine_scale_set:

  1. In the azurerm_virtual_machine_scale_set resource, create an os_profile_windows_config block.
  2. Set os_profile_windows_config.automatic_os_upgrade to true.
  3. Set upgrade_policy_mode to either Automatic or Rolling.
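As an added example (not part of this policy page or of the Terraform provider), a Python check that applies the three Terraform steps above to `terraform show -json` output. It assumes the plan layout that command produces (nested blocks rendered as lists under `values`), reads `automatic_os_upgrade` from the resource's top-level values where the linked provider documentation anchors it, and also accepts it inside `os_profile_windows_config` as step 2 words it; the sample plan is constructed.

```python
import json

# Constructed sample of `terraform show -json` plan output (not a real plan):
# one non-compliant and one compliant azurerm_virtual_machine_scale_set.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "azurerm_virtual_machine_scale_set.legacy",
         "type": "azurerm_virtual_machine_scale_set",
         "values": {"upgrade_policy_mode": "Manual", "automatic_os_upgrade": False,
                    "os_profile_windows_config": []}},
        {"address": "azurerm_virtual_machine_scale_set.patched",
         "type": "azurerm_virtual_machine_scale_set",
         "values": {"upgrade_policy_mode": "Rolling", "automatic_os_upgrade": True,
                    "os_profile_windows_config": [{"provision_vm_agent": True}]}},
    ]}}
})

ALLOWED_MODES = {"Automatic", "Rolling"}  # step 3 of the remediation


def _walk(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)


def check_vmss(resource):
    """Return the list of findings for one azurerm_virtual_machine_scale_set."""
    values = resource.get("values") or {}
    findings = []
    win_cfg = values.get("os_profile_windows_config") or []   # block -> list
    if not win_cfg:
        findings.append("missing os_profile_windows_config block")
    # Top-level per the provider docs; also accepted inside the windows block.
    auto = values.get("automatic_os_upgrade")
    if auto is None and win_cfg:
        auto = win_cfg[0].get("automatic_os_upgrade")
    if auto is not True:
        findings.append("automatic_os_upgrade is not true")
    if values.get("upgrade_policy_mode") not in ALLOWED_MODES:
        findings.append("upgrade_policy_mode is not Automatic or Rolling")
    return findings


def scan_plan(plan_json):
    """Map resource address -> findings for every non-compliant VMSS in a plan."""
    root = json.loads(plan_json).get("planned_values", {}).get("root_module", {})
    return {res["address"]: f for res in _walk(root)
            if res.get("type") == "azurerm_virtual_machine_scale_set"
            and (f := check_vmss(res))}
```

Run it against a real plan with `terraform show -json tfplan` piped into `scan_plan`; an empty result means every scale set in the plan satisfies the three steps.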

References:
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_scale_set#automatic_os_upgrade

Policy Details

Rule Reference ID: AC_AZURE_0359
CSP: Azure
Remediation Available: Yes
Resource Category: Compute
Resource Type: Virtual Machine

Frameworks