Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled

Disable access from Azure services to PostgreSQL Database Server

Risk Level: Low
Cloud Entity: Azure Database for PostgreSQL
CloudGuard Rule ID: D9.AZU.CRY.38
Covered by Spectral: No
Category: Database

GSL LOGIC

PostgreSQL should not have firewallRules contain-any [ name='AllowAllWindowsAzureIps']

REMEDIATION

From Portal

  1. Log in to the Azure Portal at https://portal.azure.com
  2. Go to Azure Database for PostgreSQL server
  3. For each database server, click on Connection security
  4. Under Firewall rules
  5. Ensure Allow access to Azure services is set to OFF.
  6. Click Save to apply the changes to the rule.

From TF
Check that no 'azurerm_postgresql_firewall_rule' resource has 'start_ip_address' and 'end_ip_address' set to 0.0.0.0: a rule whose range is 0.0.0.0 to 0.0.0.0 is the rule Azure creates for 'Allow access to Azure services'. Restrict each rule to the address range that actually needs to reach the server:

resource "azurerm_postgresql_firewall_rule" "example" {
	name                = "RULENAME"              # placeholder: name of this firewall rule
	resource_group_name = "RESOURCEGROUPNAME"     # placeholder: resource group of the server
	server_name         = "SERVERNAME"            # placeholder: PostgreSQL server name
	start_ip_address    = "STARTIP"               # first address of the allowed range; must not be 0.0.0.0
	end_ip_address      = "ENDIP"                 # last address of the allowed range; must not be 0.0.0.0
}

From Command Line
Use the command below to delete the AllowAllAzureIps rule for the PostgreSQL Database server, replacing RESOURCEGROUPNAME and SERVERNAME with your own values. The GSL logic above matches the rule by the name AllowAllWindowsAzureIps, so list the server's firewall rules first (az postgres server firewall-rule list) and confirm the exact name of the rule on your server before deleting it.

az postgres server firewall-rule delete --name AllowAllAzureIps --resource-group RESOURCEGROUPNAME --server-name SERVERNAME
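The check below is an added example, not part of the CloudGuard rule page or the az CLI. It applies the GSL logic above (a rule named AllowAllWindowsAzureIps) together with the equivalent address check (start and end both 0.0.0.0, the range behind the portal's "Allow access to Azure services" toggle) to the JSON that `az postgres server firewall-rule list --resource-group RESOURCEGROUPNAME --server-name SERVERNAME -o json` prints, and emits the matching delete command for each offending rule. The field names `name`, `startIpAddress` and `endIpAddress` are assumed to match that CLI output; the sample rule list is constructed for the example.

```python
"""Flag PostgreSQL server firewall rules that allow access from all Azure services.

Added example (not from the CloudGuard page). Input is the JSON printed by
`az postgres server firewall-rule list ... -o json`; field names are assumed
to follow that output shape.
"""
import json
import sys

# Name Azure assigns to the rule created by "Allow access to Azure services".
AZURE_SERVICES_RULE_NAME = "AllowAllWindowsAzureIps"
# The special 0.0.0.0-0.0.0.0 range has the same effect regardless of the rule name.
AZURE_SERVICES_RANGE = ("0.0.0.0", "0.0.0.0")

# Constructed sample: one Azure-services rule, one properly scoped rule, and one
# rule that was renamed but still carries the 0.0.0.0-0.0.0.0 range.
SAMPLE_RULES_JSON = """
[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "office-clients", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"},
  {"name": "legacy-azure-access", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}
]
"""


def allows_azure_services(rule: dict) -> bool:
    """True if the rule grants access to all Azure services, by name or by range."""
    name = rule.get("name", "")
    ip_range = (rule.get("startIpAddress"), rule.get("endIpAddress"))
    return name == AZURE_SERVICES_RULE_NAME or ip_range == AZURE_SERVICES_RANGE


def find_violations(rules_json: str) -> list:
    """Return the names of all rules that violate the check, in listing order."""
    rules = json.loads(rules_json)
    return [rule["name"] for rule in rules if allows_azure_services(rule)]


def remediation_commands(rules_json: str, resource_group: str, server_name: str) -> list:
    """Build the `az postgres server firewall-rule delete` command for each finding."""
    return [
        f"az postgres server firewall-rule delete --name {name} "
        f"--resource-group {resource_group} --server-name {server_name}"
        for name in find_violations(rules_json)
    ]


def main() -> int:
    # Pipe real CLI output in on stdin; otherwise the constructed sample is used.
    rules_json = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES_JSON
    commands = remediation_commands(rules_json, "RESOURCEGROUPNAME", "SERVERNAME")
    for command in commands:
        print(command)
    # Non-zero exit when findings exist, so the script can gate a pipeline.
    return 1 if commands else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `az postgres server firewall-rule list --resource-group RESOURCEGROUPNAME --server-name SERVERNAME -o json | python check_azure_services_rule.py`; each printed line is a delete command to review before running. Matching on the address range as well as the name is the point: a rule that has been renamed still opens the server to every Azure-hosted address, so a name-only check misses it.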

References

  1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules
  2. https://learn.microsoft.com/en-us/cli/azure/postgres/server/firewall-rule?view=azure-cli-latest#az-postgres-server-firewall-rule-delete
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_firewall_rule

Azure Database for PostgreSQL

Azure Database for PostgreSQL is a relational database service based on the open-source Postgres database engine. It's a fully managed database-as-a-service offering that can handle mission-critical workloads with predictable performance, security, high availability, and dynamic scalability. It's available in two deployment options, Single Server and Hyperscale (Citus) (preview). The Hyperscale (Citus) option horizontally scales queries across multiple machines using sharding, and serves applications that require greater scale and performance.

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset