Control: App Service apps should not have CORS configured to allow every resource to access your apps
Description
Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.appservice_api_app_cors_no_starSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.appservice_api_app_cors_no_star --shareSQL
This control uses a named query:
with all_api_app as ( select id from azure_app_service_web_app where exists ( select from unnest(regexp_split_to_array(kind, ',')) elem where elem like '%api' ))select a.id as resource, case when b.id is null then 'skip' when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' then 'alarm' else 'ok' end as status, case when b.id is null then a.title || ' is ' || a.kind || ' kind.' when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' then a.name || ' CORS allow all domains to access the application.' else a.name || ' CORS does not all domains to access the application.' end as reason , a.resource_group as resource_group , sub.display_name as subscriptionfrom azure_app_service_web_app as a left join all_api_app as b on a.id = b.id, azure_subscription as subwhere sub.subscription_id = a.subscription_id;