Ensure NSGs restrict SSH access from the internet
Description
Network Security Groups should not allow SSH (port 22) from any source (0.0.0.0/0).
⚠️ Risk Impact
Open SSH enables brute-force attacks and exploitation of SSH vulnerabilities from the internet.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Azure accounts. Violations are flagged as critical-severity findings with remediation guidance.
🔧 Remediation
Update NSG rules to restrict SSH to specific IP ranges or use Azure Bastion.
💀 Real-World Attack Scenario
An Azure VM with SSH open to the internet was brute-forced within 3 hours of deployment. The attacker installed a cryptominer and used the compromised VM as a launch point for password spray attacks against Azure AD, successfully compromising 12 additional accounts through the VNet.
💰 Cost of Non-Compliance
Azure VMs with public SSH receive 1,000+ brute-force attempts per day. Average compromise cost: $2.8M. Azure Bastion costs $0.19/hour vs millions in breach costs.
📋 Audit Questions
1. List all NSGs with SSH rules allowing 0.0.0.0/0.
2. Is Azure Bastion deployed for administrative access?
3. How are NSG changes monitored?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Using NSG rules at subnet level but not VM NIC level
- ⛔ Allowing SSH from the 'Internet' service tag
- ⛔ Not using Azure Bastion's JIT access feature
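The first audit question and the pitfalls above, as an added example that is not part of EchelonGraph's scanner or of the original page: a Python check that walks NSG rules in the JSON shape returned by `az network nsg show -o json` and flags inbound Allow rules exposing TCP/22 to a catch-all source, covering the 'Internet' service tag, wildcard protocols and ports, and port ranges that contain 22. The sample NSG is constructed.

```python
import ipaddress

# Source prefixes Azure treats as "anywhere": the wildcard the portal shows as
# "Any", the IPv4/IPv6 catch-all CIDRs, and the 'Internet' service tag pitfall.
OPEN_SOURCES = {"*", "0.0.0.0/0", "::/0", "internet"}
SSH_PORT = 22
def _port_match(port_ranges, port):
    """True if any entry ('*', '22', '20-30') covers the given port."""
    for entry in port_ranges:
        entry = str(entry).strip()
        if entry == "*":
            return True
        lo, _, hi = entry.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _source_is_open(prefixes):
    """True if any source is a catch-all: open tag, wildcard, or a /0 CIDR."""
    for p in prefixes:
        p = str(p).strip()
        if p.lower() in OPEN_SOURCES:
            return True
        try:
            if ipaddress.ip_network(p, strict=False).prefixlen == 0:
                return True
        except ValueError:
            continue  # other service tags / ASG references are not catch-alls
    return False

def open_ssh_rules(nsg):
    """Names of inbound Allow rules that expose TCP/22 to the internet."""
    findings = []
    for rule in nsg.get("securityRules", []):
        if (rule.get("direction", "").lower() != "inbound"
                or rule.get("access", "").lower() != "allow"
                or rule.get("protocol", "*").lower() not in ("tcp", "*")):
            continue
        ports = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
        sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
        if _port_match(ports, SSH_PORT) and _source_is_open(sources):
            findings.append(rule["name"])
    return findings
# Constructed sample in the shape of `az network nsg show -o json` (trimmed).
SAMPLE_NSG = {"name": "web-nsg", "securityRules": [
    {"name": "ssh-any", "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "mgmt-range", "direction": "Inbound", "access": "Allow", "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "20-30"},
    {"name": "ssh-office", "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefixes": ["203.0.113.0/24"], "destinationPortRanges": ["22"]},
    {"name": "https-any", "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "443"}]}
```

The check is rule-by-rule and does not evaluate priority ordering, so an Allow shadowed by a lower-numbered Deny is still reported for review; run it over both subnet-level and NIC-level NSGs, since either can expose the port.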
📈 Business Value
Azure Bastion eliminates the need for public IP addresses on VMs entirely. It provides centralized, audited, and MFA-protected access without any exposed management ports.
⏱️ Effort Estimate
2-4 hours to audit NSGs and deploy Azure Bastion
EchelonGraph detects open SSH NSG rules across all subscriptions
🔗 Cross-Framework References
Automate CIS Azure 2.1 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.