Control: 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
Description
It is recommended to disable access from Azure services to PostgreSQL Database Server. When access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, setup firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.
Remediation
From Console
Perform the following action to check whether access from Azure services is enabled:
- Login to Azure console and navigate to PostgreSQL Servers.
- For each database, go to
Settings
section from left pane. - Click on
Connection security
. - In Firewall rules, ensure
Allow access to Azure services
is set to No.
From Command Line
Command to delete the AllowAllAzureIps rule for PostgreSQL Database
az postgres server firewall-rule delete --name AllowAllAzureIps --resource- group <resourceGroupName> --server-name <serverName>
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v140_4_3_7
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v140_4_3_7 --share
SQL
This control uses a named query:
manual_control