Control: Azure File Sync should use private link
Description
Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.storage_sync_private_link_used
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.storage_sync_private_link_used --share
SQL
This control uses a named query:
with storagesync_service_connection as (
  select distinct
    a.id
  from
    azure_storage_sync as a,
    jsonb_array_elements(private_endpoint_connections) as connection
  where
    connection -> 'PrivateLinkServiceConnectionState' ->> 'status' = 'Approved'
)
select
  a.id as resource,
  case
    when incoming_traffic_policy = 'AllowAllTraffic' then 'alarm'
    when c.id is null then 'alarm'
    else 'ok'
  end as status,
  case
    when incoming_traffic_policy = 'AllowAllTraffic' then a.name || ' using public networks.'
    when c.id is null then a.name || ' not uses private link.'
    else a.name || ' uses private link.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_storage_sync as a
  left join storagesync_service_connection as c on c.id = a.id,
  azure_subscription as sub
where
  sub.subscription_id = a.subscription_id;
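The same status logic evaluated outside Steampipe, as an added example that is not part of the azure_compliance mod. It assumes records shaped like the Azure REST resource Microsoft.StorageSync/storageSyncServices (properties.incomingTrafficPolicy and properties.privateEndpointConnections[].properties.privateLinkServiceConnectionState.status); the sample records are constructed and show why an approved private endpoint alone still alarms while the public endpoint is open.

```python
from typing import Dict, Iterable, Tuple

APPROVED = "Approved"


def has_approved_private_endpoint(service: dict) -> bool:
    """Mirror of the CTE above: true when at least one private endpoint
    connection has privateLinkServiceConnectionState.status == 'Approved'."""
    props = service.get("properties", {})
    for conn in props.get("privateEndpointConnections") or []:
        state = conn.get("properties", {}).get("privateLinkServiceConnectionState", {})
        if state.get("status") == APPROVED:
            return True
    return False


def evaluate(service: dict) -> Tuple[str, str]:
    """Return (status, reason) with the same precedence as the control's CASE:
    public traffic allowed -> alarm, no approved private link -> alarm, else ok.
    Creating a private endpoint does not close the public endpoint, so the
    policy check runs first and wins even when a private link is approved."""
    name = service["name"]
    policy = service.get("properties", {}).get("incomingTrafficPolicy")
    if policy == "AllowAllTraffic":
        return "alarm", f"{name} using public networks."
    if not has_approved_private_endpoint(service):
        return "alarm", f"{name} does not use private link."
    return "ok", f"{name} uses private link."


def evaluate_all(services: Iterable[dict]) -> Dict[str, str]:
    """Map each Storage Sync Service name to its control status."""
    return {s["name"]: evaluate(s)[0] for s in services}


# Constructed sample records (not real Azure output); assumed field names as above.
SAMPLE_SERVICES = [
    {"name": "sync-public", "properties": {"incomingTrafficPolicy": "AllowAllTraffic",
        "privateEndpointConnections": [{"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}]}},
    {"name": "sync-pending", "properties": {"incomingTrafficPolicy": "AllowVirtualNetworksOnly",
        "privateEndpointConnections": [{"properties": {"privateLinkServiceConnectionState": {"status": "Pending"}}}]}},
    {"name": "sync-private", "properties": {"incomingTrafficPolicy": "AllowVirtualNetworksOnly",
        "privateEndpointConnections": [{"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}]}},
]

if __name__ == "__main__":
    for svc in SAMPLE_SERVICES:
        print(*evaluate(svc))
```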