Control: Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
Description
Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.sql_database_allow_internet_access
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.sql_database_allow_internet_access --share
SQL
This control uses a named query:
select
  s.id resource,
  case
    when firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]'
      or firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]'
    then 'alarm'
    else 'ok'
  end as status,
  case
    when firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]'
      or firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]'
    then s.title || ' allows ingress 0.0.0.0/0 or any ip over internet.'
    else s.title || ' not allows ingress 0.0.0.0/0 or any ip over internet.'
  end as reason,
  s.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_sql_server s,
  azure_subscription sub
where
  sub.subscription_id = s.subscription_id;
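
An added example, not part of the control or the azure_compliance mod: the containment test above matches only the two exact ranges, so this PostgreSQL query goes a step further and sizes every rule's range to surface near-open rules. The `sample_server` rows and rule names are constructed, and the 65,536-address review threshold is an assumption to tune.

```sql
-- Constructed sample rows shaped like azure_sql_server.firewall_rules.
-- Under Steampipe, replace this CTE with the real azure_sql_server table.
with sample_server(title, firewall_rules) as (
  values
    ('sql-any',    '[{"name":"any","properties":{"startIpAddress":"0.0.0.0","endIpAddress":"255.255.255.255"}}]'::jsonb),
    ('sql-zero',   '[{"name":"zero","properties":{"startIpAddress":"0.0.0.0","endIpAddress":"0.0.0.0"}}]'::jsonb),
    ('sql-nearly', '[{"name":"wide","properties":{"startIpAddress":"1.0.0.0","endIpAddress":"255.255.255.254"}}]'::jsonb),
    ('sql-office', '[{"name":"office","properties":{"startIpAddress":"203.0.113.10","endIpAddress":"203.0.113.20"}}]'::jsonb)
),
-- One row per firewall rule; servers without rules keep a single null row.
expanded as (
  select
    s.title,
    fr.rule_json ->> 'name' as rule_name,
    fr.rule_json -> 'properties' ->> 'startIpAddress' as start_ip,
    fr.rule_json -> 'properties' ->> 'endIpAddress' as end_ip
  from
    sample_server s
    left join lateral jsonb_array_elements(s.firewall_rules) as fr(rule_json) on true
)
select
  title,
  rule_name,
  start_ip,
  end_ip,
  -- inet - inet yields the distance between the addresses as a bigint.
  (end_ip::inet - start_ip::inet) + 1 as addresses,
  case
    -- The two exact ranges the control itself reports as 'alarm'.
    when start_ip = '0.0.0.0' and end_ip in ('0.0.0.0', '255.255.255.255')
      then 'alarm: matched by the control'
    -- Assumed threshold: anything wider than a /16 gets a manual review.
    when (end_ip::inet - start_ip::inet) + 1 > 65536
      then 'review: wide range the control reports as ok'
    else 'ok'
  end as finding
from
  expanded
order by
  title,
  rule_name;
```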