Benchmark: Information Flow Enforcement (AC-4)
Description
Enforce approved authorizations. Control information workflow between interconnected systems.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Information Flow Enforcement (AC-4).
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4 --share
Benchmarks
Controls
- API Management services should use a virtual network
 - App Configuration should use private link
 - App Service apps should not have CORS configured to allow every resource to access your apps
 - Azure Cache for Redis should use private link
 - Cognitive Services should use private link
 - Cognitive Services accounts should disable public network access
 - Cognitive Services accounts should restrict network access
 - Disk access resources should use private link
 - Adaptive network hardening recommendations should be applied on internet facing virtual machines
 - VM Image Builder templates should use private link
 - Management ports of virtual machines should be protected with just-in-time network access control
 - Non-internet-facing virtual machines should be protected with network security groups
 - All network ports should be restricted on network security groups associated to your virtual machine
 - Internet-facing virtual machines should be protected with network security groups
 - Container registries should not allow unrestricted network access
 - Container registries should use private link
 - CosmosDB accounts should use private link
 - Azure Cosmos DB accounts should have firewall rules
 - Azure Data Factory should use private link
 - Azure Event Grid domains should use private link
 - Azure Event Grid topics should use private link
 - Event Hub namespaces should use private link
 - Azure API for FHIR should use private link
 - IoT Hub device provisioning service instances should use private link
 - Azure Key Vault should have firewall enabled
 - Azure Key Vaults should use private link
 - Authorized IP ranges should be defined on Kubernetes Services
 - Private endpoint should be enabled for MariaDB servers
 - Public network access should be disabled for MariaDB servers
 - Private endpoint should be enabled for MySQL servers
 - Public network access should be disabled for MySQL servers
 - IP Forwarding on your virtual machine should be disabled
 - Management ports should be closed on your virtual machines
 - Subnets should be associated with a Network Security Group
 - All Internet traffic should be routed via your deployed Azure Firewall
 - Private endpoint should be enabled for PostgreSQL servers
 - Public network access should be disabled for PostgreSQL servers
 - Azure Cognitive Search services should disable public network access
 - Azure Cognitive Search services should use private link
 - Azure Cognitive Search service should use a SKU that supports private link
 - Azure Service Bus namespaces should use private link
 - Azure SignalR Service should use private link
 - Public network access on Azure SQL Database should be disabled
 - Private endpoint connections on Azure SQL Database should be enabled
 - Storage account public access should be disallowed
 - Storage accounts should restrict network access
 - Storage accounts should restrict network access using virtual network rules
 - Storage accounts should use private link
 - Azure File Sync should use private link
 - Azure Synapse workspaces should use private link
 - Azure Web PubSub Service should use private link