Azure Virtual Network subnet is not configured with a Network Security Group
Description
This policy checks whether a Virtual Network (VNET) subnet in the Azure environment is configured with a Network Security Group (NSG). The NSG includes rules to allow or deny traffic to a subnet, providing security for the VNET. If a subnet is not associated with an NSG, it may be exposed to potential cybersecurity threats. Therefore, not having an NSG for a VNET subnet is considered a security risk.
Code Example
```hcl
# NSG that holds the allow/deny rules applied to the subnet
resource "azurerm_network_security_group" "example" {
  name                = "example-nsg"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# The association is what satisfies this rule; azurerm_subnet.example and
# azurerm_resource_group.example are assumed to be declared elsewhere.
resource "azurerm_subnet_network_security_group_association" "example" {
  subnet_id                 = azurerm_subnet.example.id
  network_security_group_id = azurerm_network_security_group.example.id
}
```
Remediation
Terraform
- Resource: azurerm_subnet, azurerm_network_security_group, azurerm_subnet_network_security_group_association
- Arguments: name, subnet_id
To fix this issue, you need to associate your Azure Virtual Network (VNet) subnet with a Network Security Group (NSG).
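To spot the gap this rule describes before `apply`, the following added example (not the rule's or Checkov's own implementation) walks the `configuration.root_module` section of `terraform show -json` output and lists every `azurerm_subnet` that no `azurerm_subnet_network_security_group_association` points at; the resource names and plan fragment are constructed.

```python
"""List azurerm_subnet resources that have no NSG association in a Terraform plan.

Reads the `configuration.root_module` section of `terraform show -json tfplan`
output, where each resource argument is recorded under `expressions` and every
reference to another resource appears in that argument's `references` list.
Child modules (`module_calls`) are not walked by this example.
"""
import json
import sys

SUBNET_TYPE = "azurerm_subnet"
ASSOCIATION_TYPE = "azurerm_subnet_network_security_group_association"


def _referenced_resources(expression):
    """Reduce references such as "azurerm_subnet.example.id" to "azurerm_subnet.example"."""
    addresses = set()
    for ref in expression.get("references", []):
        parts = ref.split(".")
        if len(parts) >= 2:
            addresses.add(f"{parts[0]}.{parts[1]}")
    return addresses


def find_subnets_without_nsg(plan):
    """Return the sorted addresses of subnets that no association's subnet_id references."""
    resources = plan["configuration"]["root_module"].get("resources", [])
    subnets = {r["address"] for r in resources if r["type"] == SUBNET_TYPE}
    covered = set()
    for r in resources:
        if r["type"] == ASSOCIATION_TYPE:
            covered |= _referenced_resources(r.get("expressions", {}).get("subnet_id", {}))
    return sorted(subnets - covered)


# Constructed sample plan: two subnets, one association that covers only "frontend".
SAMPLE_PLAN = {"configuration": {"root_module": {"resources": [
    {"address": "azurerm_subnet.frontend", "type": SUBNET_TYPE, "name": "frontend",
     "expressions": {"name": {"constant_value": "frontend"}}},
    {"address": "azurerm_subnet.backend", "type": SUBNET_TYPE, "name": "backend",
     "expressions": {"name": {"constant_value": "backend"}}},
    {"address": "azurerm_subnet_network_security_group_association.example",
     "type": ASSOCIATION_TYPE, "name": "example", "expressions": {
         "subnet_id": {"references": ["azurerm_subnet.frontend.id", "azurerm_subnet.frontend"]},
         "network_security_group_id": {"references": [
             "azurerm_network_security_group.example.id", "azurerm_network_security_group.example"]}}},
]}}}

if __name__ == "__main__":
    # Pass a plan JSON path to check a real plan; otherwise the constructed sample is used.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address in find_subnets_without_nsg(plan):
        print(f"{address}: no Network Security Group association (CKV2_AZURE_31)")
```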
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0788 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AZURE_31 |