rules/findings/azure/databases/azure_sql/azure-sql-public-network-access-enabled.json

{
    "args": [],
    "provider": "Azure",
    "serviceType": "SQL Database",
    "serviceName": "Databases",
    "displayName": "Ensure that 'Public Network Access' is set to 'Disable'",
    "description": "Disabling public network access restricts the service from accessing public networks.",
    "rationale": "A secure network architecture requires carefully constructed network segmentation.<br/><br/>Public network access is overly permissive and introduces unintended vectors for threat activity.",
    "impact": "Disabling 'Public Network Access' requires the use of Private Endpoints for network connectivity, which will need some additional consideration from a network architecture perspective and will introduce cost based on the inbound/outbound data processed by the Private Endpoint.",
    "remediation": {
        "text": "
            ##### From Azure Portal
            1. Go to SQL servers.
            2. For each SQL server, under Security, click Networking.
            3. Set Public network access to Disable.
            4. Click Save.
            ##### From Azure CLI
            For each SQL server with publicNetworkAccess Enabled, set it to Disabled.
        ",
        "code": {
            "powerShell": null,
            "iac": null,
            "terraform": null,
            "other": null
        }
    },
    "recommendation": null,
    "references": [
        "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls",
        "https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#deny-public-network-access"
    ],
    "compliance": [
        {
            "name": "CIS Microsoft Azure Database Services",
            "version": "2.0.0",
            "reference": "9.2",
            "profile": [
                "Level 2"
            ]
        }
    ],
    "level": "medium",
    "tags": [],
    "rule": {
        "path": "az_sql_servers",
        "subPath": null,
        "selectCondition": {},
        "query": [
            {
                "filter": [
                    {
                        "conditions": [
                            [
                                "networking.publicNetworkAccess",
                                "eq",
                                "Enabled"
                            ]
                        ]
                    }
                ]
            }
        ],
        "shouldExist": null,
        "returnObject": null,
        "removeIfNotExists": null
    },
    "output": {
        "html": {
            "data": {
                "properties": {
                    "name": "Name",
                    "location": "location",
                    "resourceGroupName": "Resource Group Name",
                    "networking.publicNetworkAccess":"Public Network Access"
                },
                "expandObject": null
            },
            "table": "default",
            "decorate": [
                {
                    "itemName": "Public Network Access",
                    "itemValue": "enabled",
                    "className": "badge badge-danger badge-xl"
                }
            ],
            "emphasis": [],
            "actions": {
                "objectData": {
                    "properties": [
                        "id",
                        "name",
                        "location",
                        "networking"
                    ],
                    "expandObject": null,
                    "limit": null
                },
                "showGoToButton": "True",
                "showModalButton": "True",
                "directLink": null
            }
        },
        "text": {
            "data": {
                "properties": {
                    "name": "Name",
                    "location": "location",
                    "resourceGroupName": "Resource Group Name",
                    "networking.publicNetworkAccess":"Public Network Access"
                },
                "expandObject": null
            },
            "status": {
                "keyName": ["name"],
                "message": "Ensure that 'Public Network Access' is set to 'Disable' for {name}",
                "defaultMessage": null
            },
            "properties": {
                "resourceName": "name",
                "resourceId": "id",
                "resourceType": "type"
            },
            "onlyStatus": false
        }
    },
    "idSuffix": "azure_sql_public_network_access",
    "notes": [],
    "categories": [],
    "immutable_properties": [
        "name",
        "id"
    ],
    "id": "azure_sql_002"
}