Azure Bastion just got a new feature in preview called “Shareable Links”.

Without this feature, in order to grant a user access to use Azure Bastion to connect to a virtual machine, you need to delegate reader access in Azure. At minimum you’ll need “reader” on the bastion host itself, on the virtual network connected to the VM, and on the VM itself. While these permissions are not “scary”, they still leave you with permissions to manage somehow.

The new shareable links feature, however, eliminates this by allowing you to create – well – a link that you can share and that directly allows a user to connect to a VM using Azure Bastion. The user is sent directly to a view like the one below, types a username and password, and they are in.

This is super neat, and also super single factor! I’m not saying don’t use this, as it absolutely has its use cases, but it can be wise to at least do one of the following: deny use or audit use. Why? Well, any user that has contributor access to an Azure bastion host can essentially plant a permanent backdoor into your systems by generating a shareable link. As you can see, a URL will be generated per virtual machine. They will still require a username and password to sign into the server, of course.

The following Azure Policy denies the use of the feature completely on the Azure Bastion host side, not allowing the enablement of the feature:

```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Network/bastionHosts"
      },
      {
        "field": "Microsoft.Network/bastionHosts/enableShareableLink",
        "equals": true
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```

And for the audit? Well, you can easily change the effect above to “audit”; however, that will only allow you to audit the enablement of the feature at the bastion host level. What I would really like is to be able to audit each and every URL created through this method. But the URLs are not resource types in their own right; they are simply returned from the getShareableLinks action:

```shell
az rest --url <getShareableLinks-action-url> --method POST
```
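As an added example that is not from the original post, here is a small offline evaluator for the deny/audit policy rule above, plus a helper that flattens a getShareableLinks response so the returned links can at least be reviewed by hand. The resource-record shape and the response shape (a `value` list carrying `vm.id` and `bsl`) are assumptions, and all sample data is constructed.

```python
"""Offline audit helpers for the Azure Bastion shareable-link controls discussed above.
Assumed shapes (constructed data): host records as 'az resource list' returns them, and a
getShareableLinks response as {"value": [{"vm": {"id": ...}, "bsl": <link>}, ...]}."""

# The deny rule from the post, and the same rule with its effect switched to audit.
DENY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/bastionHosts"},
        {"field": "Microsoft.Network/bastionHosts/enableShareableLink", "equals": True},
    ]},
    "then": {"effect": "deny"},
}
AUDIT_RULE = {**DENY_RULE, "then": {"effect": "audit"}}

# Policy aliases resolve to paths inside the resource body; only the post's alias is needed.
ALIASES = {"Microsoft.Network/bastionHosts/enableShareableLink": ("properties", "enableShareableLink")}

def resolve_field(resource, field):
    """Return the value a policy 'field' refers to (top-level key or alias path)."""
    value = resource
    for key in ALIASES.get(field, (field,)):
        value = value.get(key) if isinstance(value, dict) else None
    return value

def matches(resource, condition):
    """Evaluate the policy-language subset used here: allOf, and field/equals."""
    if "allOf" in condition:
        return all(matches(resource, c) for c in condition["allOf"])
    return resolve_field(resource, condition["field"]) == condition["equals"]

def evaluate(resource, rule=DENY_RULE):
    """Effect that would fire for this resource ('deny' or 'audit'), or None if compliant."""
    return rule["then"]["effect"] if matches(resource, rule["if"]) else None

def links_from_response(response):
    """Flatten a getShareableLinks response into (vm name, link) pairs for review."""
    return [(item["vm"]["id"].rsplit("/", 1)[-1], item["bsl"]) for item in response.get("value", [])]

# Constructed sample data: one host with the feature on, one with it off, and an unrelated VNet.
HOSTS = [
    {"type": "Microsoft.Network/bastionHosts", "name": "bas-prod", "properties": {"enableShareableLink": True}},
    {"type": "Microsoft.Network/bastionHosts", "name": "bas-dev", "properties": {"enableShareableLink": False}},
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-prod", "properties": {}},
]
SAMPLE_RESPONSE = {"value": [{  # constructed; the link is a placeholder, not a real URL
    "vm": {"id": "/subscriptions/<sub>/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm-app01"},
    "bsl": "https://example.invalid/bastion-link-1"}]}

if __name__ == "__main__":
    for host in HOSTS:
        print(host["name"], evaluate(host), evaluate(host, AUDIT_RULE), links_from_response(SAMPLE_RESPONSE))
```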