Virtual Machine extensions are installed

azure_instance_extensions

Severity

low

Vendor

Azure

Resource

Description

Azure Virtual Machine extensions should not be enabled.

Azure Virtual Machine extensions are small applications that provide post-deployment configuration and automation on Azure VMs. The Azure platform hosts many extensions covering VM configuration, monitoring, security, and utility applications. Publishers take an application, wrap it into an extension, and simplify the installation.

These extensions run with administrative privileges and could potentially access any configuration file or piece of data on a virtual machine.

See Azure Virtual Machine Extensions for an overview about VMs extensions.

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2021-11-01",
      "name": "bad", (1)
      "location": "[parameters('location')]",
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('vmSize')]"
        },
        "osProfile": {
          "allowExtensionOperations": true
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "Canonical",
            "offer": "UbuntuServer",
            "sku": "18_04-lts-gen2",
            "version": "latest"
          },
          "osDisk": {
            "createOption": "fromImage"
          }
        }
      }
    }
  ]
}

1	Azure VM allows extensions.

Terraform

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2021-11-01",
      "name": "good", (1)
      "location": "[parameters('location')]",
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('vmSize')]"
        },
        "osProfile": {
          "allowExtensionOperations": false
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "Canonical",
            "offer": "UbuntuServer",
            "sku": "18_04-lts-gen2",
            "version": "latest"
          },
          "osDisk": {
            "createOption": "fromImage"
          }
        }
      }
    }
  ]
}

1	Azure VM does not allow extensions.

Terraform

Runtime

Azure Portal

To change the policy Log in to Azure Portal and then:

Navigate to Virtual Machines, and for each VM.
- Navigate to the Setting section.
- Click on Extensions.
- If there are unapproved extensions, uninstall them.

CLI Command

With the audit command identify the unapproved extensions, and use the below CLI command to remove an unapproved extension attached to VM:

$ az vm extension delete --resource-group <resource group name> --vm-name <vm name> --name <extension name>

See Remove an extension attached to a VM.