Ensure that PostgreSQL (TCP:5432) is restricted from the Internet
Disable PostgreSQL (TCP:5432) access on network security groups from the Internet.
Risk Level: High
Cloud Entity: Network security group
CloudGuard Rule ID: D9.AZU.NET.47
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
NetworkSecurityGroup should not have inboundSecurityRules contain [ destinationPortRanges contain [ destinationPort<=5432 and destinationPortTo>=5432 ] and protocol in('TCP', 'All') and action='ALLOW' and sourceAddressPrefixes contain [ '0.0.0.0/0' ] ]
REMEDIATION
Azure Console:
- Navigate to the 'All services'
- Navigate to the Networking, and select 'Network security groups'
- Select the Network security group to be modified
- Under Settings, select 'Inbound security rules'
- Select the rule to be modified and edit it to allow only specific IP addresses or protocols
From TF
resource "azurerm_network_security_group" "test" {
security_rule {
- destination_port_ranges= ["5432",]
- protocol = "Tcp"
- access = "Allow"
- source_port_range = "*"
}
}
References
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
Network security group
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
Compliance Frameworks
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated about 1 year ago