Benchmark: 2.2.2.1 Ensure Private Endpoints are used to access {service}
Overview
Use private endpoints to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it.
Securing traffic between services through encryption protects the data from easy interception and reading.
Default Value
By default, Private Endpoints are not created for services.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 2.2.2.1 Ensure Private Endpoints are used to access {service}.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.cis_v400_2_2_2_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.cis_v400_2_2_2_1 --share
Controls
- App Configuration should use private link
- Cognitive Services should use private link
- Disk access resources should use private link
- Container registries should use private link
- CosmosDB accounts should use private link
- Azure Data Factory should use private link
- Azure Event Grid domains should use private link
- Azure Event Grid topics should use private link
- Event Hub namespaces should use private link
- Azure API for FHIR should use private link
- IoT Hub device provisioning service instances should use private link
- Azure Key Vaults should use private link
- Private endpoint should be enabled for MariaDB servers
- Private endpoint should be enabled for MySQL servers
- Private endpoint should be enabled for PostgreSQL servers
- Recovery Services vaults should use private link
- Azure Cache for Redis should use private link
- Azure Cognitive Search services should use private link
- Azure Service Bus namespaces should use private link
- Azure SignalR Service should use private link
- Private endpoint connections on Azure SQL Database should be enabled
- Storage accounts should use private link
- Azure File Sync should use private link
- Azure Synapse workspaces should use private link