Control: 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
Description
It is recommended to disable access from Azure services to PostgreSQL Database Server. When access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, setup firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.
Remediation
From Console
Perform the following action to check whether access from Azure services is enabled:
- Login to Azure console and navigate to PostgreSQL Servers.
- For each database, go to
Settingssection from left pane. - Click on
Connection security. - In Firewall rules, ensure
Allow access to Azure servicesis set to No.
Perform the following action to disable access from Azure services:
- Login to Azure console and navigate to PostgreSQL Servers.
- For each database, go to
Settingssection from left pane. - Click on
Connection security. - In Firewall rules, click No for
Allow access to Azure services.
From Command Line
Command to delete the AllowAllAzureIps rule for PostgreSQL Database
az postgres server firewall-rule delete --name AllowAllAzureIps --resource- group <resourceGroupName> --server-name <serverName>
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v130_4_3_8Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v130_4_3_8 --shareSQL
This control uses a named query:
manual_control