Pattern: SSH access should not be accessible from the Internet, should be blocked on port 22
Issue: -
SSH access can be configured on either the network security group or in the network security group rule.
SSH access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any)
Resolution: Block port 22 access from the internet.
Example of incorrect code:
resource "azurerm_network_security_rule" "bad_example" {
name = "bad_example_security_rule"
direction = "Inbound"
access = "Allow"
protocol = "TCP"
source_port_range = "*"
destination_port_range = ["22"]
source_address_prefix = "*"
destination_address_prefix = "*"
}
resource "azurerm_network_security_group" "example" {
name = "tf-appsecuritygroup"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
security_rule {
source_port_range = "any"
destination_port_range = ["22"]
source_address_prefix = "*"
destination_address_prefix = "*"
}
}Example of correct code:
resource "azurerm_network_security_rule" "good_example" {
name = "good_example_security_rule"
direction = "Inbound"
access = "Allow"
protocol = "TCP"
source_port_range = "*"
destination_port_range = ["22"]
source_address_prefix = "82.102.23.23"
destination_address_prefix = "*"
}
resource "azurerm_network_security_group" "example" {
name = "tf-appsecuritygroup"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
security_rule {
source_port_range = "any"
destination_port_range = ["22"]
source_address_prefix = "82.102.23.23"
destination_address_prefix = "*"
}
}