I wish to detect when there is any change in the security rules of the nsg(network security group) in my subscription using azure policy.
However, I cannot find any property/alias in the resource against which I can monitor to detect change. Here are the properties as shown by azure policy extension on vs code
{
"id": "/subscriptions/xxxx/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxx",
"name": "xxxx",
"type": "Microsoft.Network/networkSecurityGroups",
"location": "eastus",
"tags": {
"Company": "xxx"
},
"properties": {
"provisioningState": "Succeeded",
"resourceGuid": "xxxx",
"securityRules": [],
"defaultSecurityRules": [
{
"name": "AllowVnetInBound",
"id": "/subscriptions/xxxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxxx/defaultSecurityRules/AllowVnetInBound",
"etag": "xxxx,
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Allow inbound traffic from all VMs in VNET",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "VirtualNetwork",
"destinationAddressPrefix": "VirtualNetwork",
"access": "Allow",
"priority": 65000,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "AllowAzureLoadBalancerInBound",
"id": "/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/nxxxx/defaultSecurityRules/AllowAzureLoadBalancerInBound",
"etag": "W/\"9613f8c0-57ab-40fd-83e0-8da551bd3d96\"",
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Allow inbound traffic from azure load balancer",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "AzureLoadBalancer",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 65001,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "DenyAllInBound",
"id": "/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxxx/defaultSecurityRules/DenyAllInBound",
"etag": "xxx",
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Deny all inbound traffic",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Deny",
"priority": 65500,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "AllowVnetOutBound",
"id": "/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxxx/defaultSecurityRules/AllowVnetOutBound",
"etag": "xxx",
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Allow outbound traffic from all VMs to all VMs in VNET",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "VirtualNetwork",
"destinationAddressPrefix": "VirtualNetwork",
"access": "Allow",
"priority": 65000,
"direction": "Outbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "AllowInternetOutBound",
"id": "/subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.Network/networkSecurityGroups/xxx/defaultSecurityRules/AllowInternetOutBound",
"etag": "W/\"9613f8c0-57ab-40fd-83e0-8da551bd3d96\"",
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Allow outbound traffic from all VMs to Internet",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "Internet",
"access": "Allow",
"priority": 65001,
"direction": "Outbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "DenyAllOutBound",
"id": "/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxxx/defaultSecurityRules/DenyAllOutBound",
"etag": "W/\"9613f8c0-57ab-40fd-83e0-8da551bd3d96\"",
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Deny all outbound traffic",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Deny",
"priority": 65500,
"direction": "Outbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
}
]
}
}
I tried to make a policy against the activity log events to detect change. However it turns out you cannot make a policy against an event log directly. Is there any other way for me detect if a security rule has been changed?
No. You cannot make a policy to monitor events. Policies are meant to audit against resource state. So you could designate a certain property and audit the state of that property given the correct alias to monitor. Policy will automatically evaluate that resource state against your policy rule on change. However the change event itself cannot be monitored through Policy.