Control: Network security groups should restrict outbound access from internet
Description
Network security groups provide stateful filtering of inbound and outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted outbound access, that is, an Allow rule in the Outbound direction whose source address prefix is any address and whose destination port range is any port.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.network_security_group_outbound_access_restricted
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.network_security_group_outbound_access_restricted --share
SQL
This control uses a named query:
-- Names of NSGs that carry at least one Allow/Outbound rule open to any source on any port.
-- Both the user-defined rules and the default rules of each NSG are examined.
with unrestricted_outbound as (
  select distinct
    name sg_name
  from
    azure_network_security_group nsg,
    jsonb_array_elements(security_rules || default_security_rules) sg,
    -- A rule stores ports either as the array destinationPortRanges or the scalar destinationPortRange.
    jsonb_array_elements_text(
      case
        when jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0
          then (sg -> 'properties' -> 'destinationPortRanges')
        else jsonb_build_array(sg -> 'properties' -> 'destinationPortRange')
      end
    ) as dport,
    -- Likewise for sources: sourceAddressPrefixes (array) or sourceAddressPrefix (scalar).
    jsonb_array_elements_text(
      case
        when jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0
          then (sg -> 'properties' -> 'sourceAddressPrefixes')
        else jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix')
      end
    ) as sip
  where
    sg -> 'properties' ->> 'access' = 'Allow'
    and sg -> 'properties' ->> 'direction' = 'Outbound'
    and sip in ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '<nw>/0', '/0')
    and dport = '*'
)
select
  sg.id resource,
  case
    when nsg.sg_name is null then 'ok'
    else 'alarm'
  end as status,
  case
    when nsg.sg_name is null then sg.title || ' restricts outbound access from internet.'
    else sg.title || ' allows outbound access from internet.'
  end as reason,
  sg.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_network_security_group sg
  left join unrestricted_outbound nsg on nsg.sg_name = sg.name
  join azure_subscription sub on sub.subscription_id = sg.subscription_id;
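To see what the query's filters do on concrete rules without a Steampipe connection, here is an added Python re-implementation of the unrestricted_outbound logic run over constructed NSG records. This is example code, not part of the azure_compliance mod: the record shape mirrors the azure_network_security_group columns the query reads (security_rules, default_security_rules, each rule with a properties object), and the sample data and the optional JSON-file argument are assumptions for illustration.

```python
import json
import sys

# Address prefixes the control treats as "anywhere"; same list as the query's sip filter.
UNRESTRICTED_SOURCES = {"*", "0.0.0.0", "0.0.0.0/0", "Internet", "any", "<nw>/0", "/0"}


def rule_values(props, plural_key, singular_key):
    """Mirror the query's CASE expressions: use the plural array when it is
    non-empty, otherwise wrap the scalar form (absent scalar gives [None])."""
    values = props.get(plural_key) or []
    return list(values) if values else [props.get(singular_key)]


def rule_is_unrestricted_outbound(rule):
    """True when this rule would be selected by the unrestricted_outbound CTE."""
    props = rule.get("properties", {})
    if props.get("access") != "Allow" or props.get("direction") != "Outbound":
        return False
    ports = rule_values(props, "destinationPortRanges", "destinationPortRange")
    sources = rule_values(props, "sourceAddressPrefixes", "sourceAddressPrefix")
    return "*" in ports and any(s in UNRESTRICTED_SOURCES for s in sources)


def evaluate_nsg(nsg):
    """Return the status and reason the control emits, plus the names of the matching rules."""
    rules = (nsg.get("security_rules") or []) + (nsg.get("default_security_rules") or [])
    matched = [r.get("name") for r in rules if rule_is_unrestricted_outbound(r)]
    verdict = "allows" if matched else "restricts"
    return {
        "resource": nsg["id"],
        "status": "alarm" if matched else "ok",
        "reason": f"{nsg['title']} {verdict} outbound access from internet.",
        "matched_rules": matched,
    }


# Constructed sample records (hypothetical subscription, resource group and NSG names).
# default_security_rules is left empty here; real NSGs carry Azure's default rules and
# the query includes them in the check.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
SAMPLE_NSGS = [
    {
        "id": SUB + "/providers/Microsoft.Network/networkSecurityGroups/nsg-open",
        "name": "nsg-open", "title": "nsg-open",
        "security_rules": [
            {"name": "allow-all-out", "properties": {
                "access": "Allow", "direction": "Outbound", "priority": 100, "protocol": "*",
                "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
                "destinationPortRange": "*"}},
        ],
        "default_security_rules": [],
    },
    {
        "id": SUB + "/providers/Microsoft.Network/networkSecurityGroups/nsg-scoped",
        "name": "nsg-scoped", "title": "nsg-scoped",
        "security_rules": [
            # Non-empty plural arrays win over the (empty) scalar fields, as in the CASE.
            {"name": "allow-https-out", "properties": {
                "access": "Allow", "direction": "Outbound", "priority": 100,
                "sourceAddressPrefixes": ["10.0.0.0/8"], "destinationPortRanges": ["443"],
                "sourceAddressPrefix": "", "destinationPortRange": ""}},
            # An inbound allow-all is out of scope for this control.
            {"name": "allow-all-in", "properties": {
                "access": "Allow", "direction": "Inbound", "priority": 110,
                "sourceAddressPrefix": "*", "destinationPortRange": "*"}},
            # Deny rules never match, whatever their prefix and port.
            {"name": "deny-all-out", "properties": {
                "access": "Deny", "direction": "Outbound", "priority": 4096,
                "sourceAddressPrefix": "*", "destinationPortRange": "*"}},
        ],
        "default_security_rules": [],
    },
]


def main(argv):
    # Assumed usage: an optional path to a JSON file holding a list of NSG records
    # shaped like the samples above; with no argument the constructed samples are used.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            nsgs = json.load(fh)
    else:
        nsgs = SAMPLE_NSGS
    print(json.dumps([evaluate_nsg(n) for n in nsgs], indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Two things worth keeping in mind when reading an alarm from this control, both visible in the query as written: it inspects the sourceAddressPrefix and destinationPortRange of outbound rules (not destinationAddressPrefix), and it matches any Allow rule regardless of priority, so a higher-priority Deny rule that actually blocks the traffic does not change the result. Since default rules are included in the check, look at the matched rule names before treating the NSG as misconfigured.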