Hi!

In this article, I will show you how a malicious actor can leverage the Azure Managed Disk Import / Export feature to exfiltrate data outside of your organization. By default, in Azure all the Azure Disks are configured with a public endpoint enabled.

You can generate a time bound Shared Access Signature (SAS) URI for unattached managed disks and snapshots for exporting the data to other region for regional expansion, disaster recovery and to read the data for forensic analysis. When the URI is generated, you need to define an expiration time (maximum expiration time 4294967295 seconds). After that, everyone who knows the SAS URI can download the disk without any IP filtering before the expiration time.

To prevent this security issue, I will recommend you to:

• Enable a Private endpoint (through disk access), or
• Configure the connection method with : Deny all

If you want to know which managed disk are configured with the connectivity method « Public endpoint », you can use an Azure Policy in audit mode:

{
      "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/disks"
          },
          {
              "field": "Microsoft.Compute/disks/networkAccessPolicy",
              "equals": "AllowAll"
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
}

And if you want to prevent this usage, you can switch the mode of this policy to « Deny ».

Maxime.