azure-vm-tags-schema-noncompliant: Azure VM Tags Schema Non-compliant

Date: 2025-08-01 | Affected software: Azure VM Tags | PoC: public

Vulnerability description

Ensure that user-defined tags are being used for labeling, collecting, and organizing cloud resources within your Microsoft Azure account. User-defined tags are name/value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple cloud resources. Trend Micro Cloud One™ – Conformity recommends the following tagging schema to help you identify and manage your Azure resources: Name, Role, Environment, and Owner.

PoC code [public]

id: azure-vm-tags-schema-noncompliant
info:
  name: Azure VM Tags Schema Non-compliant
  author: princechaddha
  severity: low
  description: |
    Ensure that user-defined tags are being used for labeling, collecting, and organizing cloud resources within your Microsoft Azure account. User-defined tags are name/value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple cloud resources. Trend Micro Cloud One™ – Conformity recommends the following tagging schema to help you identify and manage your Azure resources: Name, Role, Environment, and Owner.
  impact: |
    Not using the recommended tagging schema can lead to difficulties in managing and organizing cloud resources effectively, potentially leading to operational inefficiencies and increased costs.
  remediation: |
    Update the tagging schema of your Azure virtual machines to include the recommended tags: Name, Role, Environment, and Owner to ensure effective resource management and billing.
  reference:
    - https://docs.microsoft.com/en-us/azure/virtual-machines/tagging
  tags: cloud,devops,azure,microsoft,azure-vm,azure-cloud-config

flow: |
  code(1);
  for (let VMData of iterate(template.vmList)) {
    VMData = JSON.parse(VMData);
    set("resourceId", VMData.id);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az vm list --query '[*].{"id":id}'

    extractors:
      - type: json
        name: vmList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az tag list --resource-id "$resourceId" --output json --query 'properties.tags'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - ''

      - type: word
        words:
          - "Name"
        negative: true

    extractors:
      - type: dsl
        dsl:
          - 'resourceId + " does not use the recommended tagging schema"'
# digest: 4b0a0048304602210094f218b17723a92855744f1f39f2a274210cd20d8a689b073196fc77d3095074022100f86132973c7efe501ae65424b2aa6828892bcaeef18072dd57efe1f448774adb:922c64590222798bb761d5b6d8e72950
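The template above flags a VM only when the literal string `Name` is absent from the `az tag list` output (the second code block's negative word matcher); the other three recommended tags are not checked, and the match is case-sensitive even though Azure treats tag names as case-insensitive. The Python below is an added example, not part of the nuclei template or the Conformity rule. It replays the template's flow offline against constructed `az` output and goes further than the template by checking all four recommended tags, comparing tag names case-insensitively and treating an empty value as missing. The function names (`missing_tags`, `evaluate`), the constant names and the sample resource IDs are assumptions made for the example.

```python
import json
from typing import Dict, List, Optional

# Tag names the page's description recommends (Trend Micro Conformity schema).
RECOMMENDED_TAGS = ("Name", "Role", "Environment", "Owner")


def missing_tags(tags: Optional[Dict[str, str]]) -> List[str]:
    """Return the recommended tag names absent from one VM's tag dictionary.

    `tags` is the object returned by
    `az tag list --resource-id <id> --output json --query 'properties.tags'`;
    it is None (JSON null) or {} when the resource carries no tags.
    Azure tag names are case-insensitive, so "environment" satisfies
    "Environment". An empty value is treated as missing because it carries
    no information for billing or ownership.
    """
    present = {
        name.lower()
        for name, value in (tags or {}).items()
        if value is not None and str(value).strip() != ""
    }
    return [t for t in RECOMMENDED_TAGS if t.lower() not in present]


def evaluate(vm_list_json: str, tags_by_id: Dict[str, str]) -> Dict[str, List[str]]:
    """Replay the template's flow: list VMs, then inspect each VM's tags.

    vm_list_json: output of `az vm list --query '[*].{"id":id}'` (constructed here).
    tags_by_id:   output of the per-VM `az tag list` call, keyed by resource id
                  (constructed here; the template runs the command once per VM).
    Returns {resource_id: [missing tag names]} for non-compliant VMs only.
    """
    findings: Dict[str, List[str]] = {}
    for vm in json.loads(vm_list_json):
        resource_id = vm["id"]
        tags = json.loads(tags_by_id.get(resource_id, "null"))
        missing = missing_tags(tags)
        if missing:
            findings[resource_id] = missing
    return findings


# Constructed sample data: subscription id and VM names are placeholders.
_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "rg-demo/providers/Microsoft.Compute/virtualMachines/")
VM_COMPLIANT = _PREFIX + "vm-compliant"
VM_LOWERCASE = _PREFIX + "vm-lowercase"   # same tags, lowercase names
VM_PARTIAL = _PREFIX + "vm-partial"       # only Name set, Environment empty
VM_UNTAGGED = _PREFIX + "vm-untagged"     # no tags at all

SAMPLE_VM_LIST = json.dumps([
    {"id": VM_COMPLIANT}, {"id": VM_LOWERCASE}, {"id": VM_PARTIAL}, {"id": VM_UNTAGGED},
])

SAMPLE_TAGS = {
    VM_COMPLIANT: '{"Name": "web01", "Role": "web", "Environment": "prod", "Owner": "team-a"}',
    VM_LOWERCASE: '{"name": "db01", "role": "db", "environment": "prod", "owner": "team-b"}',
    VM_PARTIAL: '{"Name": "app01", "Environment": ""}',
    VM_UNTAGGED: "null",
}


if __name__ == "__main__":
    # Mirrors the template's DSL extractor message, one line per non-compliant VM.
    for resource_id, missing in evaluate(SAMPLE_VM_LIST, SAMPLE_TAGS).items():
        print(f"{resource_id} does not use the recommended tagging schema "
              f"(missing: {', '.join(missing)})")
```

Running the block reports `vm-partial` (missing Role, Environment, Owner) and `vm-untagged` (missing all four); `vm-lowercase` passes because Azure's tag-name comparison is case-insensitive, whereas the template's word matcher on `Name` would have flagged it. In a real run, replace the two constructed dictionaries with the output of the same `az` commands the template executes.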