Ensure 'Allow access to Azure services' for PostgreSQL Flexible Server is disabled

Disable access from Azure services to PostgreSQL Flexible Server

Risk Level: Low
Cloud Entity: PostgreSQL Flexible Server
CloudGuard Rule ID: D9.AZU.CRY.48
Covered by Spectral: Yes
Category: Database

GSL LOGIC

PostgreSQLFlexibleServer should not have firewallRules contain [ name regexMatch /AllowAllAzureServicesAndResourcesWithinAzureIps/ ]

REMEDIATION

From Portal

Login to Azure Portal using https://portal.azure.com.
Go to Azure Database for PostgreSQL Flexible server.
For each database, click on Networking.
Below Firewall rules,Ensure 'Allow public access from any Azure service within Azure to this server' is set to OFF.
Click Save.

From TF
Please check the 'start_ip_address' and 'end_ip_address' should not be set to 0.0.0.0 under 'azurerm_postgresql_flexible_server_firewall_rule' :

resource "azurerm_postgresql_flexible_server_firewall_rule" "example" {
	..
	start_ip_address    = "STARTIP"
	end_ip_address      = "ENDIP"
	..
}

From Command Line
Use the below command to delete the AllowAllAzureServicesAndResourcesWithinAzureIps rule for PostgreSQL Flexible Server.

az postgres flexible-server firewall-rule delete --name SERVERNAME --rule-name AllowAllAzureServicesAndResourcesWithinAzureIps --resource-group RESOURCEGROUPNAME

References

PostgreSQL Flexible Server

Azure Database for PostgreSQL - Flexible Server is a fully managed PostgreSQL database as a service offering that can handle mission-critical workloads with predictable performance and dynamic scalability

Compliance Frameworks

Azure CIS Foundations v. 1.2.0
Azure CIS Foundations v. 1.3.0
Azure CIS Foundations v. 1.3.1
Azure CIS Foundations v. 1.4.0
Azure CloudGuard Best Practices
Azure NIST 800-53 Rev 5
CloudGuard Azure All Rules Ruleset

Updated about 1 year ago