Control: 6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
Description
Ensure that no SQL Databases allow ingress from 0.0.0.0/0
(ANY IP).
SQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.
By default, for a SQL server, a Firewall exists with StartIp
of 0.0.0.0
and EndIP
of 0.0.0.0
allowing access to all the Azure services.
Additionally, a custom rule can be set up with StartIp
of 0.0.0.0
and EndIP
of 255.255.255.255
allowing access from ANY IP over the Internet.
In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific datacenters.
By default, setting Allow access to Azure Services is set to ON allowing access to all Windows Azure IP ranges.
Remediation
From Console
- Login to Azure console, go to SQL servers
- For each SQL server
- Click on
Firewall / Virtual Networks
under security section from side bar - Set
Allow access to Azure services
to OFF - Set firewall rules to limit access to only authorized connections
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v130_6_3
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v130_6_3 --share
SQL
This control uses a named query:
sql_database_allow_internet_access