Control: App Service function apps public access should be restricted
Description
Anonymous public read access to a function app in Azure App Service is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a function app unless your scenario requires it.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.appservice_function_app_restrict_public_acces
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.appservice_function_app_restrict_public_acces --share
SQL
This control uses a named query:
with public_function_app as (
  select
    id
  from
    azure_app_service_function_app,
    jsonb_array_elements(configuration -> 'properties' -> 'ipSecurityRestrictions') as r
  where
    r ->> 'ipAddress' = 'Any'
    and r ->> 'action' = 'Allow'
)
select
  fa.id as resource,
  case
    when p.id is null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.id is null then name || ' not publicly accessible.'
    else name || ' publicly accessible.'
  end as reason,
  fa.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_app_service_function_app fa
  left join public_function_app as p on p.id = fa.id,
  azure_subscription sub
where
  sub.subscription_id = fa.subscription_id;
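The same Any/Allow test applied outside Steampipe, as an added example that is not part of the control or the mod: it runs the query's condition over a constructed set of function-app configurations, assuming the `ipSecurityRestrictions` rule shape (ipAddress, action, priority, name) that the Azure API returns.

```python
# Added example: re-implements the control's condition over constructed data.
# Assumed shape (not from a real tenant): each app carries the
# configuration -> properties -> ipSecurityRestrictions array the query reads.
SAMPLE_APPS = [
    # Default "Allow all" rule: the Any/Allow pair the control alarms on.
    {"name": "fa-open", "resource_group": "rg-demo", "configuration": {"properties": {
        "ipSecurityRestrictions": [
            {"ipAddress": "Any", "action": "Allow", "priority": 2147483647, "name": "Allow all"}]}}},
    # Explicit allow list plus a catch-all Deny: passes the control.
    {"name": "fa-locked", "resource_group": "rg-demo", "configuration": {"properties": {
        "ipSecurityRestrictions": [
            {"ipAddress": "203.0.113.0/24", "action": "Allow", "priority": 100, "name": "office"},
            {"ipAddress": "Any", "action": "Deny", "priority": 2147483647, "name": "Deny all"}]}}},
    # No rules at all: jsonb_array_elements yields no rows, so the query reports ok.
    {"name": "fa-no-rules", "resource_group": "rg-demo", "configuration": {"properties": {}}},
]


def is_publicly_accessible(configuration):
    """True when any restriction rule pairs ipAddress 'Any' with action 'Allow',
    which is exactly the condition in the control's public_function_app CTE."""
    props = configuration.get("properties") or {}
    rules = props.get("ipSecurityRestrictions") or []
    return any(r.get("ipAddress") == "Any" and r.get("action") == "Allow" for r in rules)


def evaluate(app):
    """Produce the resource/status/reason columns the control emits for one app."""
    public = is_publicly_accessible(app["configuration"])
    return {
        "resource": app["name"],
        "status": "alarm" if public else "ok",
        "reason": f"{app['name']} {'publicly' if public else 'not publicly'} accessible.",
        "resource_group": app["resource_group"],
    }


def evaluate_all(apps=SAMPLE_APPS):
    return [evaluate(a) for a in apps]


if __name__ == "__main__":
    for row in evaluate_all():
        print(f"{row['status']:5}  {row['reason']}")
```

The third app shows a gap worth knowing: a missing or empty array produces no rows from `jsonb_array_elements`, so the control only alarms on an explicit Any/Allow rule.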