turbot/steampipe-mod-azure-compliance

Control: Service bus namespace should not be configured with overly permissive network access

Description

This policy identifies Azure Service Bus namespaces configured with overly permissive network access. By default, a Service Bus namespace is reachable from the internet as long as the request carries valid authentication and authorization. With an IP firewall you can restrict access further to a set of IPv4 addresses or IPv4 address ranges; with virtual network rules the network traffic path is secured on both ends. It is recommended to configure the Service Bus namespace with an IP firewall or with virtual network rules so that the namespace is accessible only to the intended entities.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.servicebus_namespace_no_overly_permissive_network_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.servicebus_namespace_no_overly_permissive_network_access --share

SQL

This control uses a named query:

select
  a.id as resource,
  case
    when status = 'Active'
      and sku_tier = 'Premium'  -- network rule sets are only available on the Premium tier
      and network_rule_set -> 'properties' ->> 'defaultAction' = 'Allow'
      and network_rule_set -> 'properties' ->> 'publicNetworkAccess' = 'Enabled' then 'alarm'
    else 'ok'
  end as status,
  case
    when status = 'Active'
      and sku_tier = 'Premium'
      and network_rule_set -> 'properties' ->> 'defaultAction' = 'Allow'
      and network_rule_set -> 'properties' ->> 'publicNetworkAccess' = 'Enabled' then a.name || ' namespace configured with overly permissive network access.'
    else a.name || ' namespace not configured with overly permissive network access.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_servicebus_namespace a,
  azure_subscription sub
where
  -- join each namespace to its own subscription; without this predicate the two tables cross-join
  sub.subscription_id = a.subscription_id;
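To try the control's condition without a Steampipe connection, here is the same test ported to Python and run over constructed namespace records (an added example, not code from the mod). The dict keys assume the column names the query reads (status, sku_tier, network_rule_set), and the sample records show the alarm case beside two compliant configurations (a default-Deny IP firewall, and public network access disabled) as well as a Standard-tier namespace that the control leaves as ok.

```python
# Added example (not part of the mod): the control's test ported to Python so it can be
# tried offline. Dict keys mirror the steampipe azure_servicebus_namespace columns the query reads.
def evaluate_namespace(ns: dict) -> tuple[str, str]:
    """Return (status, reason) the way the control's CASE expressions do."""
    props = (ns.get("network_rule_set") or {}).get("properties") or {}
    overly_permissive = (
        ns.get("status") == "Active"
        and ns.get("sku_tier") == "Premium"        # firewall/VNet rules exist only on Premium
        and props.get("defaultAction") == "Allow"  # with Allow, IP/VNet rules do not restrict
        and props.get("publicNetworkAccess") == "Enabled"
    )
    if overly_permissive:
        return "alarm", f"{ns['name']} namespace configured with overly permissive network access."
    return "ok", f"{ns['name']} namespace not configured with overly permissive network access."

# Constructed sample records (not real namespaces); shape follows the ARM networkRuleSets object.
SAMPLE_NAMESPACES = [
    {   # Premium namespace left at the defaults: public, default action Allow -> alarm
        "name": "sb-open", "status": "Active", "sku_tier": "Premium",
        "network_rule_set": {"properties": {"defaultAction": "Allow", "publicNetworkAccess": "Enabled",
                                             "ipRules": [], "virtualNetworkRules": []}},
    },
    {   # Hardened with an IP firewall: default action Deny plus an allow-list -> ok
        "name": "sb-firewalled", "status": "Active", "sku_tier": "Premium",
        "network_rule_set": {"properties": {"defaultAction": "Deny", "publicNetworkAccess": "Enabled",
                                             "ipRules": [{"ipMask": "203.0.113.0/24", "action": "Allow"}]}},
    },
    {   # Public network access switched off (private endpoints only) -> ok
        "name": "sb-private", "status": "Active", "sku_tier": "Premium",
        "network_rule_set": {"properties": {"defaultAction": "Allow", "publicNetworkAccess": "Disabled"}},
    },
    {   # Standard tier has no network rule set, so the control leaves it ok
        "name": "sb-standard", "status": "Active", "sku_tier": "Standard", "network_rule_set": None,
    },
]

def run_control(namespaces=SAMPLE_NAMESPACES) -> dict:
    """Map each namespace name to its control status, like the query's result set."""
    return {ns["name"]: evaluate_namespace(ns)[0] for ns in namespaces}

if __name__ == "__main__":
    for name, status in run_control().items():
        print(f"{status:5} {name}")
```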

Tags