Control: 2.2.2.1 Ensure Private Endpoints are used to access {service}
Overview
Use private endpoints to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services traverses the VNet encrypted. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security by segmenting network traffic and preventing outside sources from accessing it.
Securing traffic between services through encryption protects the data from easy interception and reading.
Default Value
By default, Private Endpoints are not created for services.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v400_2_2_2_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v400_2_2_2_1 --share
SQL
This control uses a named query:
with storage_account_connection as (
  -- Storage accounts that have at least one approved private endpoint connection
  select distinct
    a.id
  from
    azure_storage_account as a,
    jsonb_array_elements(private_endpoint_connections) as connection
  where
    connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved'
)
select
  distinct a.id as resource,
  case
    when s.id is null then 'alarm'
    else 'ok'
  end as status,
  case
    when s.id is null then a.name || ' does not use private link.'
    else a.name || ' uses private link.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_storage_account as a
  left join storage_account_connection as s on a.id = s.id,
  azure_subscription as sub
where
  sub.subscription_id = a.subscription_id;
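The control above only reports whether an account has at least one approved connection. When triaging an alarm it helps to see every private endpoint connection on the account and its state, since a connection that is still 'Pending' or was 'Rejected' does not satisfy the control. The query below is an added example, not part of the Powerpipe mod; it runs against the same Steampipe tables the control uses (azure_storage_account, azure_subscription) and assumes the standard Azure private endpoint connection shape, where properties.privateEndpoint.id names the endpoint and properties.privateLinkServiceConnectionState carries status and description. Accounts with no connections at all are kept via the left join so they appear as 'none' rather than disappearing from the report.

```sql
-- Added example: per-connection private link state for every storage account.
-- Assumes the Steampipe azure_storage_account and azure_subscription tables and
-- the Azure REST shape of private_endpoint_connections (privateEndpoint.id,
-- privateLinkServiceConnectionState.status / .description).
with connection_state as (
  select
    a.id,
    connection -> 'properties' -> 'privateEndpoint' ->> 'id' as private_endpoint_id,
    connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' as connection_status,
    connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'description' as connection_description
  from
    azure_storage_account as a,
    jsonb_array_elements(a.private_endpoint_connections) as connection
)
select
  a.id as resource,
  a.name as storage_account,
  a.resource_group,
  sub.display_name as subscription,
  -- 'none' marks accounts with no private endpoint connection at all
  coalesce(c.connection_status, 'none') as connection_status,
  c.private_endpoint_id,
  c.connection_description,
  -- Same pass/fail semantics as the control: only an Approved connection counts
  case
    when c.connection_status = 'Approved' then 'ok'
    else 'alarm'
  end as status
from
  azure_storage_account as a
  left join connection_state as c on a.id = c.id
  join azure_subscription as sub on sub.subscription_id = a.subscription_id
order by
  sub.display_name,
  a.resource_group,
  a.name,
  c.connection_status;
```

Run it in the Steampipe query shell (steampipe query) or save it as a named query in the mod. Because the status column is computed per connection rather than per account, an account with one approved and one pending connection shows two rows; filter on connection_status = 'Approved' and group by a.id if you want it collapsed back to the control's one-row-per-account form.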