cis-azure-database-2-7
Ensure Azure Cache for Redis is Using a Private Link
| name | cis-azure-database-2.7 |
| description | Ensure Azure Cache for Redis is Using a Private Link |
| category | cis-azure-database |
| version | 2.0.0 |
| author | cyberstrike-official |
| tags | ["cis","azure","redis","cache"] |
| cis_id | 2.7 |
| cis_benchmark | CIS Microsoft Azure Database Services Benchmark v2.0.0 |
| tech_stack | ["azure"] |
| cwe_ids | [] |
| chains_with | [] |
| prerequisites | [] |
| severity_boost | {} |
Private links make resources available via a private endpoint to a network you select, tunneling between subscriptions and resource groups without the need for traditional network routing.
Network communication should be segmented to prevent undesired interception.
If improperly configured, network communication between your Azure Cache for Redis and other resources may be interrupted. This concerns only resources or services being offered to other Azure tenants.
- Azure Cache for Redis.
- Administration menu in the left column.

```powershell
Get-AzPrivateEndpoint -ResourceGroupName "<ResourceGroupName>" |
    Where-Object {
        # PrivateLinkServiceId holds the full resource ID of the linked resource,
        # so match on its final segment (the cache name) rather than testing equality.
        $_.PrivateLinkServiceConnections.PrivateLinkServiceId -like "*/<AzureCacheforRedisName>"
    }
```

960e650e-9ce3-4316-9590-8ee2c016ca2f - Name: 'Azure Cache for Redis should use private link'

At least one private endpoint should be associated with the Azure Cache for Redis instance.
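The audit check above, extended to every cache in the current subscription, as an added example that is not part of the benchmark text. It assumes the Az.RedisCache and Az.Network modules and a signed-in session, and it treats a cache as compliant when at least one connection targeting it is in the `Approved` state; the variable and column names are this example's own.

```powershell
# Added example (not from the benchmark): list every Azure Cache for Redis
# instance in the current subscription that has no approved private endpoint.
# Assumes Connect-AzAccount has already been run.

$caches    = @(Get-AzRedisCache)        # all caches in the current subscription
$endpoints = @(Get-AzPrivateEndpoint)   # all private endpoints in the current subscription

$report = foreach ($cache in $caches) {
    # Collect every connection (automatic or manual approval) that targets this cache.
    $linked = foreach ($pe in $endpoints) {
        $connections = @($pe.PrivateLinkServiceConnections) +
                       @($pe.ManualPrivateLinkServiceConnections)
        foreach ($conn in $connections) {
            # PrivateLinkServiceId is the target's full resource ID; -eq on
            # strings is case-insensitive, which suits Azure resource IDs.
            if ($conn -and $conn.PrivateLinkServiceId -eq $cache.Id) {
                [pscustomobject]@{
                    Endpoint = $pe.Name
                    Status   = $conn.PrivateLinkServiceConnectionState.Status
                }
            }
        }
    }

    # A pending or rejected connection does not carry traffic, so only
    # approved connections count towards the "at least one" requirement.
    $approved = @($linked | Where-Object { $_ -and $_.Status -eq 'Approved' })

    [pscustomobject]@{
        Cache            = $cache.Name
        ResourceGroup    = $cache.ResourceGroupName
        PrivateEndpoints = ($linked | Where-Object { $_ } |
                            ForEach-Object { "$($_.Endpoint) [$($_.Status)]" }) -join ', '
        Compliant        = $approved.Count -ge 1
    }
}

# Show only the caches that fail the check.
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```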
- Azure Cache for Redis.
- Private Endpoints.
- + Private Endpoint.
- Next : Resource >.
- Connect to an Azure resource in my directory.
- redisEnterprise.
- + Create to create a new one, then select Next.

```powershell
$resourceGroup = "<resourcegroup>"
$virtualNetName = "<virtualnetworkname>"
$subnetName = "<subnetName>"
$redisName = "<rediscachename>"
$privateEndpointName = "<privateendpointname>"
$dnsZoneName = "<dnsfqdn>"
$dnsLinkName = "<redisdnsname>"

# Get existing resources
$vnet = Get-AzVirtualNetwork -Name $virtualNetName -ResourceGroupName $resourceGroup
# Get-AzVirtualNetworkSubnetConfig takes the virtual network object, not its name
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$redis = Get-AzRedisCache -Name $redisName -ResourceGroupName $resourceGroup
# The private endpoint is created in the same region as the virtual network
$location = $vnet.Location

# Validate Redis resource ID for Private Endpoint connection
$redisResourceId = $redis.Id

# Link DNS Zone to Virtual Network
# -EnableRegistration is a switch parameter, so it is turned off with :$false
$link = New-AzPrivateDnsVirtualNetworkLink `
    -ZoneName $dnsZoneName `
    -ResourceGroupName $resourceGroup `
    -Name $dnsLinkName `
    -VirtualNetworkId $vnet.Id `
    -EnableRegistration:$false

# Create the Private Endpoint
$privateLinkConnection = New-AzPrivateLinkServiceConnection `
    -Name $privateEndpointName `
    -PrivateLinkServiceId $redisResourceId `
    -GroupId "redisCache"
$privateEndpoint = New-AzPrivateEndpoint `
    -Name $privateEndpointName `
    -ResourceGroupName $resourceGroup `
    -Location $location `
    -Subnet $subnet `
    -PrivateLinkServiceConnection $privateLinkConnection
```

Unless configured at resource creation, by default no private links are used in Azure Cache for Redis.
| Controls Version | Control | IG 1 | IG 2 | IG 3 |
|---|---|---|---|---|
| v8 | 12.2 Establish and Maintain a Secure Network Architecture | X | X | |
| v7 | 14.1 Segment the Network Based on Sensitivity | X | X | |