Enable Just-In-Time Access for Virtual Machines

More Info:

Ensure that your Microsoft Azure virtual machine scale sets are configured to receive instance termination notifications through the Azure Metadata service and have a predefined delay timeout configured for the “Terminate” operation (event). The termination notifications are delivered through Scheduled Events, an Azure Metadata feature which sends termination notifications, and can also be used to delay impactful operations such as reboots and redeployments. The delay associated with the “Terminate” event will depend on the delay limit specified in the VM scale set model configuration.

Risk Level

High

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

To remediate the misconfiguration of not having Just-In-Time (JIT) access enabled for virtual machines in Azure, you can follow the below steps using Azure Portal:

Log in to the Azure Portal (https://portal.azure.com/).
Navigate to the virtual machine for which you want to enable JIT access.
From the left-hand side menu, select “Security + networking”.
Under the “Security” section, select “Just-in-time VM access”.
On the Just-in-time VM access page, click on “Enable JIT on VM”.
In the “Basic settings” section, select the “On” radio button to enable JIT access.
In the “Advanced settings” section, configure the following settings:
- Maximum JIT access time: Set the maximum time for which the JIT access request will be valid.
- Ports: Select the ports that you want to open for JIT access.
- IP address: Select the IP address range from which you want to allow JIT access.
Click on the “Review + create” button to review the JIT access settings.
Once you have reviewed the settings, click on the “Create” button to enable JIT access for the virtual machine.

Once JIT access is enabled, users can request access to the virtual machine by clicking on the “Request access” button on the Just-in-time VM access page. The request will be reviewed and approved by an authorized user before access is granted.

To enable Just-In-Time (JIT) Access for Virtual Machines in Azure using Azure CLI, follow these steps:

Open the Azure CLI in your preferred terminal or command prompt.
Run the following command to enable JIT access for the virtual machine:

az vm update --resource-group <resource-group-name> --name <vm-name> --set "Microsoft.Compute/virtualMachines/extensions=JitAccess"

Note: Replace <resource-group-name> with the name of your resource group and <vm-name> with the name of your virtual machine.

After running the command, you will receive a JSON output containing the updated information about your virtual machine.
Verify that JIT access has been enabled for the virtual machine by going to the Azure portal and checking the virtual machine’s “Security” settings. You should see “JIT VM access” enabled for the virtual machine.

That’s it! JIT access has now been enabled for your virtual machine in Azure using Azure CLI.

To remediate the misconfiguration “Enable Just-In-Time Access for Virtual Machines” in AZURE using Python, you can follow the below steps:

Import the required libraries:

from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.resource import ResourceManagementClient
from azure.identity import AzureCliCredential

Authenticate and create the client object:

credential = AzureCliCredential()
subscription_id = '<subscription_id>'
resource_client = ResourceManagementClient(credential, subscription_id)
network_client = NetworkManagementClient(credential, subscription_id)

Get the resource group and virtual machine name:

resource_group_name = '<resource_group_name>'
vm_name = '<vm_name>'

Get the virtual machine object:

vm = compute_client.virtual_machines.get(resource_group_name, vm_name)

Create the JIT access policy object:

from azure.mgmt.network.models import (SecurityRuleAccess, SecurityRuleDirection, SecurityRuleProtocol, SecurityRule)
from datetime import datetime, timedelta

start_time = datetime.utcnow()
end_time = start_time + timedelta(minutes=30)

jit_access_policy = SecurityRule(
    access=SecurityRuleAccess.allow,
    description='JIT Access Policy',
    destination_address_prefix='*',
    destination_port_range='22',
    direction=SecurityRuleDirection.inbound,
    name='JIT Access Policy',
    priority=500,
    protocol=SecurityRuleProtocol.tcp,
    source_address_prefix='*',
    source_port_range='*',
    provisioning_state='Succeeded',
    start_time=start_time,
    end_time=end_time
)

Add the JIT access policy to the virtual machine network security group:

nsg_name = vm.network_profile.network_interfaces[0].network_security_group.id.split('/')[-1]

nsg = network_client.network_security_groups.get(resource_group_name, nsg_name)
nsg.security_rules.append(jit_access_policy)

network_client.security_rules.create_or_update(resource_group_name, nsg_name, jit_access_policy.name, jit_access_policy)

Save the changes:

nsg = network_client.network_security_groups.create_or_update(resource_group_name, nsg_name, nsg)

This will enable JIT access for the virtual machine in Azure.

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Enable Just-In-Time Access for Virtual Machines

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation