Restrict Azure Bastion copy and paste by policy
The Public Preview of the Bastion host allows copy and paste to and from the target host to the browser session and then the local machine. There is a requirement to restrict this capability to help reduce data loss. Perhaps this could be by policy?
Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature.
This is work in progress. We hope to make this available over the next couple of months.
Product Manager, Azure Bastion
Austin Sabel commented
Strongly agree with this. The concern with this is if you intend to use Azure Bastion in an environment with compliance concerns (PCI, HIPAA, SOC, etc.): even when the target VM has group policies applied that restrict copy and paste over RDP, it appears the Bastion functionality supersedes this.
This could easily be exploited for data exfiltration, including binary files, with little effort, as evidenced by the following PowerShell example run inside a Bastion session:
"super secret data" | Set-Content -Path "test.txt"
[Convert]::ToBase64String([IO.File]::ReadAllBytes("test.txt")) | clip
Then simply decoding it back on your local system:
[IO.File]::WriteAllBytes("test.txt", [Convert]::FromBase64String((Get-Clipboard -Raw).ToString()))
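As an added example that is not part of this thread and not Microsoft's own sample, the kind of guardrail the original request asks for can be expressed as a custom Azure Policy definition with a deny effect. It assumes the Bastion resource property `disableCopyPaste` (a Standard SKU feature) and that Azure Policy exposes it under the alias `Microsoft.Network/bastionHosts/disableCopyPaste`; both should be confirmed against the current alias list before the policy is assigned.

```json
{
  "properties": {
    "displayName": "Deny Azure Bastion hosts that permit clipboard copy and paste",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Added example, not a built-in policy: deny creation or update of a Bastion host unless disableCopyPaste is true, so browser-to-local clipboard transfer of data from the target VM is blocked at the platform layer rather than relying on in-guest RDP group policy.",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/bastionHosts"
          },
          {
            "field": "Microsoft.Network/bastionHosts/disableCopyPaste",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

The `notEquals` test also matches a Bastion host where the property is absent (the default), so a host deployed without explicitly disabling copy and paste is denied rather than silently allowed. Because the alias name is an assumption here, check it first with `Get-AzPolicyAlias -NamespaceMatch 'Microsoft.Network'` and filter the output for `bastionHosts`; if the alias is not present in your tenant, an audit-mode assignment plus a review of the Bastion resource's SKU and settings is the fallback.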