Event Information

  • The Microsoft.Compute.sshPublicKeys.read event in Azure for AzureVirtualMachines refers to the action of reading the SSH public keys associated with a virtual machine in Azure.
  • This event is triggered when someone or a process retrieves the SSH public keys for a specific virtual machine.
  • It is important to monitor this event as it can help track who is accessing the SSH public keys and when, providing visibility into potential security risks or unauthorized access attempts.

Examples

  1. Unauthorized access: If security is impacted with Microsoft.Compute.sshPublicKeys.read in Azure for AzureVirtualMachines, it could potentially allow unauthorized individuals to read the SSH public keys associated with virtual machines. This could lead to unauthorized access to the virtual machines, compromising the confidentiality and integrity of the data stored on them.

  2. Privilege escalation: If security is impacted with Microsoft.Compute.sshPublicKeys.read in Azure for AzureVirtualMachines, an attacker with access to the SSH public keys could potentially use this information to escalate their privileges within the virtual machines. They could modify the keys or gain unauthorized administrative access, allowing them to perform malicious activities or further compromise the environment.

  3. Key exposure: If security is impacted with Microsoft.Compute.sshPublicKeys.read in Azure for AzureVirtualMachines, it could result in the exposure of SSH public keys, which are used for authentication. This could potentially allow an attacker to intercept the keys and use them to impersonate legitimate users or gain unauthorized access to other systems or resources within the environment. It could also lead to the compromise of sensitive information if the keys are used for encryption or decryption purposes.

Remediation

Using Console

To remediate the issues for Azure Virtual Machines using the Azure console, you can follow these step-by-step instructions:

  1. Enable Azure Security Center:

    • Go to the Azure portal and search for “Security Center” in the search bar.
    • Select “Security Center” from the results and click on it.
    • In the Security Center dashboard, click on “Pricing & settings” in the left-hand menu.
    • Choose the subscription and resource group where your Azure Virtual Machines are located.
    • Click on “Apply to all resources” to enable Security Center for all resources in the selected subscription and resource group.
    • Review the pricing tier options and select the appropriate tier for your needs.
    • Click on “Save” to enable Security Center.

  2. Implement Network Security Groups (NSGs):

    • Go to the Azure portal and search for “Virtual Machines” in the search bar.
    • Select “Virtual Machines” from the results and click on it.
    • Choose the virtual machine that you want to secure with NSGs.
    • In the virtual machine’s overview page, click on “Networking” in the left-hand menu.
    • Under “Inbound port rules” and “Outbound port rules”, click on “Add inbound port rule” and “Add outbound port rule” respectively.
    • Configure the necessary rules to allow only the required inbound and outbound traffic.
    • Click on “Save” to apply the NSG rules to the virtual machine.

  3. Implement Azure Backup:

    • Go to the Azure portal and search for “Recovery Services vaults” in the search bar.
    • Select “Recovery Services vaults” from the results and click on it.
    • Click on “Add” to create a new Recovery Services vault.
    • Provide the necessary details like subscription, resource group, and vault name.
    • Choose the appropriate region for the vault.
    • Click on “Review + create” and then “Create” to create the vault.
    • Once the vault is created, go to the virtual machine that you want to backup.
    • In the virtual machine’s overview page, click on “Backup” in the left-hand menu.
    • Click on “Backup now” to initiate an immediate backup of the virtual machine.
    • Configure the backup settings as per your requirements.
    • Click on “OK” to start the backup process.

These steps will help you remediate the issues for Azure Virtual Machines using the Azure console.

Using CLI

To remediate the issues for Azure Virtual Machines using Azure CLI, you can follow these steps:

  1. Enable Azure Security Center for Azure Virtual Machines:

    • Use the Azure CLI command az vm update --name <vm_name> --resource-group <resource_group_name> --set "properties.securityProfile.securityCenterEnabled=true" to enable Azure Security Center for a specific virtual machine.

  2. Configure Network Security Groups (NSGs) for Azure Virtual Machines:

    • Use the Azure CLI command az network nsg rule create --name <rule_name> --nsg-name <nsg_name> --resource-group <resource_group_name> --priority <priority_number> --source-address-prefixes <source_address_prefix> --destination-port-ranges <destination_port_range> --access <access_type> --protocol <protocol> to create a new NSG rule for a specific NSG and virtual machine.

  3. Implement Azure Backup for Azure Virtual Machines:

    • Use the Azure CLI command az backup protection enable-for-vm --vm <vm_name> --resource-group <resource_group_name> --policy-name <policy_name> to enable Azure Backup protection for a specific virtual machine. Replace <policy_name> with the name of the backup policy you want to apply.

Please note that the actual values for <vm_name>, <resource_group_name>, <rule_name>, <nsg_name>, <priority_number>, <source_address_prefix>, <destination_port_range>, <access_type>, and <protocol> should be replaced with the appropriate values specific to your environment.

Using Python

To remediate the issues for Azure Virtual Machines using Python, you can use the Azure SDK for Python. Here are three examples of how you can remediate specific issues:

  1. Example 1: Enabling Azure Disk Encryption for Virtual Machines
    • Install the required package: pip install azure-mgmt-compute
    • Use the following Python script to enable Azure Disk Encryption for a specific virtual machine:
from azure.identity import DefaultAzureCredential
from azure.mgmt.compute import ComputeManagementClient

# Authenticate using default credentials
credential = DefaultAzureCredential()

# Provide your Azure subscription ID and resource group name
subscription_id = 'your_subscription_id'
resource_group_name = 'your_resource_group_name'
vm_name = 'your_vm_name'

# Create the ComputeManagementClient
compute_client = ComputeManagementClient(credential, subscription_id)

# Enable Azure Disk Encryption for the virtual machine
compute_client.virtual_machines.begin_enable_disk_encryption(resource_group_name, vm_name)
  1. Example 2: Applying Network Security Group (NSG) rules to Virtual Machines
    • Install the required package: pip install azure-mgmt-network
    • Use the following Python script to apply NSG rules to a specific virtual machine:
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient

# Authenticate using default credentials
credential = DefaultAzureCredential()

# Provide your Azure subscription ID and resource group name
subscription_id = 'your_subscription_id'
resource_group_name = 'your_resource_group_name'
vm_name = 'your_vm_name'
nsg_name = 'your_nsg_name'

# Create the NetworkManagementClient
network_client = NetworkManagementClient(credential, subscription_id)

# Get the virtual machine's network interface
network_interface = network_client.network_interfaces.get(resource_group_name, vm_name)

# Get the NSG associated with the network interface
nsg = network_client.network_security_groups.get(resource_group_name, nsg_name)

# Apply NSG rules to the network interface
network_interface.network_security_group = nsg
network_client.network_interfaces.begin_create_or_update(resource_group_name, vm_name, network_interface)
  1. Example 3: Configuring Azure Backup for Virtual Machines
    • Install the required package: pip install azure-mgmt-recoveryservices
    • Use the following Python script to configure Azure Backup for a specific virtual machine:
from azure.identity import DefaultAzureCredential
from azure.mgmt.recoveryservices import RecoveryServicesClient

# Authenticate using default credentials
credential = DefaultAzureCredential()

# Provide your Azure subscription ID and resource group name
subscription_id = 'your_subscription_id'
resource_group_name = 'your_resource_group_name'
vm_name = 'your_vm_name'
vault_name = 'your_vault_name'

# Create the RecoveryServicesClient
recovery_services_client = RecoveryServicesClient(credential, subscription_id)

# Get the virtual machine's ID
vm_id = f'/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Compute/virtualMachines/{vm_name}'

# Configure Azure Backup for the virtual machine
recovery_services_client.backup_protected_items.begin_create_or_update(resource_group_name, vault_name, vm_id)

Please note that you need to replace the placeholders (your_subscription_id, your_resource_group_name, your_vm_name, etc.) with the actual values specific to your Azure environment.