Ensure FTP deployments are Disabled for FunctionApp

By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.

Risk Level: Low
Cloud Entity: Azure functions
CloudGuard Rule ID: D9.AZU.CRY.46
Covered by Spectral: No
Category: Compute

GSL LOGIC

FunctionApp should have ftpState in('FtpsOnly', 'Disabled')

REMEDIATION

From Portal

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Go to 'App Services'.
  3. Click on each FunctionApp.
  4. Under the 'Settings' section, click on 'Configuration'.
  5. Click on the 'General settings' pane. Under Platform Settings, the FTP state should not be set to 'All allowed'.
  6. Click Save.

From TF

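Set the ftps_state argument, inside the site_config block, as below:

resource "azurerm_app_service" "example" {
	# ... other required arguments ...
	site_config {
		# Values that satisfy this rule: "FtpsOnly" or "Disabled"
		ftps_state = "FtpsOnly"
	}
}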

From Command Line

Run:

az functionapp config set --resource-group RESOURCEGROUP --name FunctionApp --ftps-state FtpsOnly
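
To apply the rule across many apps, the GSL check and the command above can be combined into a small audit. This is an added example, not CloudGuard's or Microsoft's code; the inventory is constructed, and the record shape (name, resourceGroup, ftpsState) is an assumption about how the app settings were exported.

```python
import json
import shlex

# States that satisfy the rule: ftpState in('FtpsOnly', 'Disabled').
COMPLIANT_STATES = {"FtpsOnly", "Disabled"}

# Constructed inventory, not real resources. The record shape (name,
# resourceGroup, ftpsState) is an assumption made for this example.
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "func-orders",  "resourceGroup": "rg-prod",     "ftpsState": "FtpsOnly"},
  {"name": "func-billing", "resourceGroup": "rg-prod",     "ftpsState": "AllAllowed"},
  {"name": "func-legacy",  "resourceGroup": "rg-dev(old)", "ftpsState": null},
  {"name": "func-reports", "resourceGroup": "rg-dev(old)", "ftpsState": "Disabled"}
]
""")


def remediation_command(app):
    """Build the page's 'az functionapp config set' command for one app."""
    return " ".join([
        "az functionapp config set",
        "--resource-group", shlex.quote(app["resourceGroup"]),
        "--name", shlex.quote(app["name"]),
        "--ftps-state FtpsOnly",
    ])


def audit(inventory):
    """Return one finding per app whose FTP state fails the rule."""
    findings = []
    for app in inventory:
        state = app.get("ftpsState")
        # Fail closed: a missing or null state counts as non-compliant,
        # because plain FTP deployment is allowed by default.
        if state not in COMPLIANT_STATES:
            findings.append({
                "name": app["name"],
                "ftpsState": state or "unset",
                "fix": remediation_command(app),
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(f"FAIL {finding['name']} ({finding['ftpsState']}): {finding['fix']}")
```

Names are passed through shlex.quote so that a resource group containing parentheses produces a command that can be pasted into a shell unchanged.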

References

  1. https://docs.microsoft.com/en-us/azure/app-service/configure-language-php?pivots=platform-windows
  2. https://docs.microsoft.com/en-us/cli/azure/FunctionApp/config?view=azure-cli-latest#az-functionapp-config-set
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_web_app#ftps_state

Azure functions

Azure Functions is a serverless solution that allows you to write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running.

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset