Ensure 'Allow access to Azure services' for PostgreSQL Flexible Server is disabled
Disable access from Azure services to PostgreSQL Flexible Server. The 'Allow public access from any Azure service within Azure to this server' toggle adds the firewall rule AllowAllAzureServicesAndResourcesWithinAzureIps, which admits connections from any IP address owned by Azure, including resources in other customers' subscriptions, not just your own. Replace it with firewall rules for the specific client address ranges (or use private access) so only the clients you intend can reach the server.
Risk Level: Low
Cloud Entity: PostgreSQL Flexible Server
CloudGuard Rule ID: D9.AZU.CRY.48
Covered by Spectral: Yes
Category: Database
GSL LOGIC
PostgreSQLFlexibleServer should not have firewallRules contain [ name regexMatch /AllowAllAzureServicesAndResourcesWithinAzureIps/ ]
REMEDIATION
From Portal
- Login to Azure Portal using https://portal.azure.com.
- Go to Azure Database for PostgreSQL Flexible servers.
- For each server, click on Networking.
- Under Firewall rules, ensure 'Allow public access from any Azure service within Azure to this server' is set to OFF.
- Click Save.
From TF
Azure represents the 'Allow access to Azure services' toggle as a firewall rule whose 'start_ip_address' and 'end_ip_address' are both 0.0.0.0. Check that no 'azurerm_postgresql_flexible_server_firewall_rule' in your configuration uses that range; each rule should carry the real address range of the client that needs access:
resource "azurerm_postgresql_flexible_server_firewall_rule" "example" {
  ..
  start_ip_address = "STARTIP"   # must not be 0.0.0.0
  end_ip_address   = "ENDIP"     # must not be 0.0.0.0
  ..
}
From Command Line
Use the command below to delete the AllowAllAzureServicesAndResourcesWithinAzureIps rule from a PostgreSQL Flexible Server (replace SERVERNAME and RESOURCEGROUPNAME with your server and resource group):
az postgres flexible-server firewall-rule delete --name SERVERNAME --rule-name AllowAllAzureServicesAndResourcesWithinAzureIps --resource-group RESOURCEGROUPNAME
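The following is an added example, not code from the CloudGuard page or from the az CLI, that applies the GSL check above and the Terraform guidance to the output of firewall-rule listing, then prints the delete command from the CLI step for each offending rule. It assumes that `az postgres flexible-server firewall-rule list --name SERVER --resource-group RG -o json` returns a list of objects with `name`, `startIpAddress` and `endIpAddress` keys (the embedded sample is constructed to that shape), and the server and resource-group names `pg-prod-01` and `rg-data` are placeholders. It also goes one step beyond the rule and flags a 0.0.0.0-255.255.255.255 rule, which opens the server to every public IP.

```python
"""Offline audit of PostgreSQL Flexible Server firewall rules for the
'allow Azure services' rule. Added example, not part of the original page;
the JSON field names are an assumption about `az ... firewall-rule list` output."""
import json
import re

# Same pattern the GSL rule uses.
ALLOW_AZURE_RULE_NAME = re.compile(r"AllowAllAzureServicesAndResourcesWithinAzureIps")

# Constructed sample mimicking `az postgres flexible-server firewall-rule list -o json`.
SAMPLE_RULES_JSON = """
[
  {"name": "AllowAllAzureServicesAndResourcesWithinAzureIps",
   "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "office-egress",
   "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "wide-open",
   "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}
]
"""


def is_allow_azure_rule(rule):
    """True if the rule is the portal toggle, matched either by name (as the GSL
    logic does) or by the 0.0.0.0-0.0.0.0 range Azure uses to represent it
    (what the Terraform guidance tells you to look for)."""
    by_name = ALLOW_AZURE_RULE_NAME.search(rule.get("name", "")) is not None
    by_range = (rule.get("startIpAddress") == "0.0.0.0"
                and rule.get("endIpAddress") == "0.0.0.0")
    return by_name or by_range


def is_wide_open_rule(rule):
    """Separate finding beyond this rule: a range covering all of IPv4 admits
    every public address, not just Azure-owned ones."""
    return (rule.get("startIpAddress") == "0.0.0.0"
            and rule.get("endIpAddress") == "255.255.255.255")


def evaluate(rules_json):
    """Return (compliant, offending_rule_names, wide_open_rule_names)."""
    rules = json.loads(rules_json)
    allow_azure = [r["name"] for r in rules if is_allow_azure_rule(r)]
    wide_open = [r["name"] for r in rules if is_wide_open_rule(r)]
    return (len(allow_azure) == 0, allow_azure, wide_open)


def remediation_commands(server, resource_group, rule_names):
    """One az CLI delete per offending rule (the command from the CLI step;
    --yes skips the interactive confirmation prompt)."""
    return [
        f"az postgres flexible-server firewall-rule delete --name {server} "
        f"--resource-group {resource_group} --rule-name {name} --yes"
        for name in rule_names
    ]


if __name__ == "__main__":
    compliant, offending, wide_open = evaluate(SAMPLE_RULES_JSON)
    print("compliant" if compliant else f"non-compliant, offending rules: {offending}")
    for cmd in remediation_commands("pg-prod-01", "rg-data", offending):
        print(cmd)
    if wide_open:
        print(f"also review rules open to every public IP: {wide_open}")
```

To run it against a real server, replace `SAMPLE_RULES_JSON` with the output of the `firewall-rule list` command and review the printed delete commands before executing them; deleting the rule cuts off any Azure-hosted client that was relying on it, so add a rule for that client's actual address range first.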
References
- https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking
- https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-manage-firewall-cli
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_flexible_server_firewall_rule
PostgreSQL Flexible Server
Azure Database for PostgreSQL - Flexible Server is a fully managed PostgreSQL database-as-a-service offering that can handle mission-critical workloads with predictable performance and dynamic scalability.
Compliance Frameworks
- Azure CIS Foundations v. 1.2.0
- Azure CIS Foundations v. 1.3.0
- Azure CIS Foundations v. 1.3.1
- Azure CIS Foundations v. 1.4.0
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset