TempoClick

Reputation: 379

Azure policy definition to allow the access to a VM via Bastion only for users of a specific user group

I have a VM which can be accessed via Bastion. I want to write a policy definition that denies access if the user is NOT a member of a specific user group. I started with the following part, but I am not sure how to continue with the user and user group part of the definition.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/bastionHosts"
        },
        {
          "field": "name",
          "in": [
            "test-vm-bastion"
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

I need to correct/complete the definition for the purpose mentioned above.

Upvotes: 0

Views: 564

Answers (1)

Venkat V

Reputation: 7843

To allow access to a VM via Bastion only for users of a specific user group:

Azure Policy does not directly evaluate user or group membership for access control. Instead, you can use Azure RBAC to restrict connections to the VM via Bastion.

Create a custom RBAC role with the permissions below.

  • Reader role on the Azure virtual machine.
  • Reader role on the NIC of the Azure virtual machine.
  • Reader role on the Azure Bastion resource.
  • Virtual Machine Administrator Login or Virtual Machine User Login role, if you’re using the Azure AD sign-in method.

Go to the resource group where your VM resides > Access control (IAM) > Add > Create a custom role.

You can use the following JSON code to create a custom role that allows connection to a VM via Bastion. Simply add the code in the JSON section when creating a custom role.

{
    "properties": {
        "roleName": "Bastion Connect role",
        "description": "This role will only be able to connect to the VM if Microsoft Enterprise Login is enabled on the Azure VM.",
        "assignableScopes": [
            "/subscriptions/b83c1ed3-c5b6-44fb-b5ba-2b83a074c23f/resourceGroups/v-venkal-Mindtree"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read",
                    "Microsoft.HybridConnectivity/endpoints/listCredentials/action"
                ],
                "notActions": [],
                "dataActions": [
                    "Microsoft.Compute/virtualMachines/login/action",
                    "Microsoft.Compute/virtualMachines/loginAsAdmin/action",
                    "Microsoft.HybridCompute/machines/login/action",
                    "Microsoft.HybridCompute/machines/loginAsAdmin/action"
                ],
                "notDataActions": []
            }
        ]
    }
}


Once you create the custom role, you can assign it to an Azure AD group at the VM level by following the steps below.

Go to your Azure VM > Access control (IAM) > Add > Add role assignment


After assigning the custom role to an Azure AD group, only the members of that group will be able to access the VM through Bastion.

Reference: Connect to a VM using Bastion

Required roles to connect to the VM

Upvotes: 0
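The answer's procedure carried out with the Azure CLI, as an added example that is not part of the answer: it builds the same custom role definition (read-only control plane plus the login data actions), assigns it to an Azure AD group at the scope of a single VM, and lists the assignment so you can verify who holds it. The subscription, resource group, VM name and group object ID are placeholders, and the `apply` step assumes a signed-in `az` session with rights to create roles and assignments on that resource group.

```shell
#!/bin/sh
# Added example (not from the question or answer). All IDs are placeholders.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-example}"                               # placeholder
VM_NAME="${VM_NAME:-test-vm}"                                                # placeholder
GROUP_OBJECT_ID="${GROUP_OBJECT_ID:-11111111-1111-1111-1111-111111111111}"   # placeholder
ROLE_NAME="Bastion Connect role"

# Resource ID of one VM: the narrowest scope at which the role gets assigned.
vm_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s' \
    "$1" "$2" "$3"
}

# Role definition for `az role definition create`: the answer's permissions,
# limited to the resource group. Note it grants no write/delete control-plane actions.
role_definition_json() {
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "Description": "Read access plus Bastion/Azure AD login to VMs; no write or delete.",
  "Actions": ["*/read", "Microsoft.HybridConnectivity/endpoints/listCredentials/action"],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Compute/virtualMachines/login/action",
    "Microsoft.Compute/virtualMachines/loginAsAdmin/action",
    "Microsoft.HybridCompute/machines/login/action",
    "Microsoft.HybridCompute/machines/loginAsAdmin/action"
  ],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"]
}
EOF
}

# Create the role, assign it to the group at VM scope, then list holders at that scope.
apply() {
  scope=$(vm_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$VM_NAME")
  tmp=$(mktemp) && role_definition_json >"$tmp"
  az role definition create --role-definition "@$tmp" >/dev/null
  rm -f "$tmp"
  az role assignment create --assignee-object-id "$GROUP_OBJECT_ID" \
    --assignee-principal-type Group --role "$ROLE_NAME" --scope "$scope" >/dev/null
  az role assignment list --scope "$scope" --role "$ROLE_NAME" --output table
}

# Without arguments just print the role JSON; `./script.sh apply` performs the changes.
if [ "${1:-}" = "apply" ]; then apply; else role_definition_json; fi
```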
