Event Information

  1. The Microsoft.Compute.images.delete event in Azure for AzureVirtualMachines refers to the deletion of a custom image that was previously created in Azure.
  2. This event indicates that a custom image, which is a snapshot of a virtual machine’s disk, has been deleted from the Azure environment.
  3. Deleting a custom image can be useful when it is no longer needed or when it needs to be replaced with an updated version. It helps to manage and optimize the storage space in Azure by removing unnecessary custom images.

Examples

  1. Unauthorized deletion of images: If security is impacted with Microsoft.Compute.images.delete in Azure for AzureVirtualMachines, it could potentially lead to unauthorized deletion of images. This means that an attacker with sufficient privileges could delete critical images used for virtual machine deployments, resulting in service disruption or loss of important data.
  2. Image tampering: Another security impact could be image tampering. If an unauthorized user gains access to the Microsoft.Compute.images.delete operation, they could potentially modify or tamper with the images used for virtual machine deployments. This could result in compromised instances being launched, leading to potential data breaches or unauthorized access to sensitive information.
  3. Denial of Service (DoS) attacks: The security impact of Microsoft.Compute.images.delete in Azure for AzureVirtualMachines could also include the potential for Denial of Service (DoS) attacks. An attacker with sufficient privileges could delete critical images used for virtual machine deployments, rendering the affected instances unusable and causing service disruption for legitimate users.
It is important to implement proper access controls, monitoring, and auditing mechanisms to mitigate these security risks and ensure that only authorized personnel have the necessary permissions to perform image deletion operations. Regular backups and versioning of images can also help mitigate the impact of accidental or malicious image deletions.

Remediation

Using Console

To remediate the issues for Azure Virtual Machines using the Azure console, you can follow these step-by-step instructions:
  1. Enable Azure Security Center:
    • Go to the Azure portal and search for “Security Center” in the search bar.
    • Select “Security Center” from the results and click on it.
    • In the Security Center dashboard, click on “Pricing & settings” in the left-hand menu.
    • Choose the subscription and resource group where your Azure Virtual Machines are located.
    • Click on “Apply to all resources” to enable Security Center for all resources in the selected subscription and resource group.
    • Review the pricing tier options and select the appropriate tier for your needs.
    • Click on “Save” to enable Security Center.
  2. Implement Network Security Groups (NSGs):
    • Go to the Azure portal and search for “Virtual Machines” in the search bar.
    • Select “Virtual Machines” from the results and click on it.
    • Choose the virtual machine that you want to secure with NSGs.
    • In the virtual machine’s overview page, click on “Networking” in the left-hand menu.
    • Under “Inbound port rules”, click on “Add inbound port rule” to define the allowed inbound traffic.
    • Specify the necessary details such as source IP address, destination port range, and protocol.
    • Repeat the above step to add additional inbound port rules as needed.
    • Click on “Save” to apply the NSG rules to the virtual machine.
  3. Implement Azure Backup:
    • Go to the Azure portal and search for “Recovery Services vaults” in the search bar.
    • Select “Recovery Services vaults” from the results and click on it.
    • Click on “Add” to create a new Recovery Services vault.
    • Specify the necessary details such as subscription, resource group, and vault name.
    • Choose the appropriate storage replication option and click on “Review + create”.
    • Review the settings and click on “Create” to create the Recovery Services vault.
    • Once the vault is created, go to the virtual machine’s overview page.
    • Click on “Backup” in the left-hand menu and then click on “Backup now” to initiate an immediate backup.
    • Follow the prompts to configure the backup settings and schedule.
    • Click on “Enable backup” to start backing up the virtual machine.
Note: The above instructions provide a general overview of the steps involved in remediating the mentioned issues. It is recommended to refer to the official Azure documentation for detailed instructions and best practices specific to your environment.

Using CLI

None

Using Python

To remediate the issues for Azure Virtual Machines using Python, you can use the Azure SDK for Python. Here are three examples of how you can remediate specific issues:
  1. Example: Enabling Azure Security Center recommendations for Virtual Machines:
from azure.mgmt.security import SecurityCenter
from azure.identity import DefaultAzureCredential

# Authenticate using DefaultAzureCredential
credential = DefaultAzureCredential()

# Create a Security Center client
security_center_client = SecurityCenter.SecurityCenterClient(credential)

# Enable Security Center recommendations for Virtual Machines
security_center_client.security_solutions.update_with_http_info(
    resource_group_name='<resource_group_name>',
    solution_name='AzureSecurityCenter',
    properties={
        'recommendations': {
            'virtualMachines': 'On'
        }
    }
)
  1. Example: Applying Network Security Group (NSG) rules to restrict inbound traffic:
from azure.mgmt.network import NetworkManagementClient
from azure.identity import DefaultAzureCredential

# Authenticate using DefaultAzureCredential
credential = DefaultAzureCredential()

# Create a Network Management client
network_client = NetworkManagementClient(credential)

# Define the NSG rule parameters
nsg_rule_parameters = {
    'protocol': 'Tcp',
    'source_port_range': '*',
    'destination_port_range': '22',
    'source_address_prefix': '*',
    'destination_address_prefix': '*',
    'access': 'Deny',
    'priority': 100,
    'direction': 'Inbound'
}

# Create the NSG rule
network_client.security_rules.create_or_update(
    resource_group_name='<resource_group_name>',
    network_security_group_name='<nsg_name>',
    security_rule_name='<rule_name>',
    security_rule_parameters=nsg_rule_parameters
)
  1. Example: Configuring Azure Monitor alerts for Virtual Machines:
from azure.mgmt.monitor import MonitorManagementClient
from azure.identity import DefaultAzureCredential

# Authenticate using DefaultAzureCredential
credential = DefaultAzureCredential()

# Create a Monitor Management client
monitor_client = MonitorManagementClient(credential)

# Define the alert rule parameters
alert_rule_parameters = {
    'location': '<location>',
    'enabled': True,
    'condition': {
        'odata.type': 'Microsoft.Azure.Management.Monitor.Models.ThresholdRuleCondition',
        'dataSource': {
            'odata.type': 'Microsoft.Azure.Management.Monitor.Models.RuleMetricDataSource',
            'resourceUri': '<virtual_machine_resource_uri>',
            'metricName': '<metric_name>'
        },
        'operator': 'GreaterThan',
        'threshold': '<threshold_value>',
        'windowSize': 'PT5M'
    },
    'actions': [
        {
            'odata.type': 'Microsoft.Azure.Management.Monitor.Models.RuleEmailAction',
            'sendToServiceOwners': True
        }
    ]
}

# Create the alert rule
monitor_client.alert_rules.create_or_update(
    resource_group_name='<resource_group_name>',
    rule_name='<rule_name>',
    parameters=alert_rule_parameters
)
Please note that you need to replace the placeholders (<resource_group_name>, <nsg_name>, <rule_name>, <location>, <virtual_machine_resource_uri>, <metric_name>, <threshold_value>) with the actual values specific to your Azure environment.