Benchmark: 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
Description
Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_13_5
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_13_5 --share
Controls
- API Management services should use a virtual network
- App Configuration should use private link
- Web Application Firewall (WAF) should be enabled for Application Gateway
- Cognitive Services should use private link
- Cognitive Services accounts should have local authentication methods disabled
- Disk access resources should use private link
- Management ports of virtual machines should be protected with just-in-time network access control
- All network ports should be restricted on network security groups associated to your virtual machine
- Internet-facing virtual machines should be protected with network security groups
- Container registries should not allow unrestricted network access
- Container registries should use private link
- CosmosDB accounts should use private link
- Azure Cosmos DB accounts should have firewall rules
- Azure Data Factory should use private link
- Azure Event Grid domains should use private link
- Azure Event Grid topics should use private link
- Event Hub namespaces should use private link
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service
- Azure API for FHIR should use private link
- IoT Hub device provisioning service instances should use private link
- Azure Key Vault should have firewall enabled
- Azure Key Vaults should use private link
- Authorized IP ranges should be defined on Kubernetes Services
- Private endpoint should be enabled for MariaDB servers
- Public network access should be disabled for MariaDB servers
- Private endpoint should be enabled for MySQL servers
- Public network access should be disabled for MySQL servers
- IP Forwarding on your virtual machine should be disabled
- Management ports should be closed on your virtual machines
- Subnets should be associated with a Network Security Group
- Private endpoint should be enabled for PostgreSQL servers
- Public network access should be disabled for PostgreSQL servers
- Azure Cache for Redis should use private link
- Azure Cognitive Search services should disable public network access
- Azure Cognitive Search services should use private link
- Azure Cognitive Search service should use a SKU that supports private link
- Azure Service Bus namespaces should use private link
- Azure SignalR Service should use private link
- Public network access on Azure SQL Database should be disabled
- Private endpoint connections on Azure SQL Database should be enabled
- Storage account public access should be disallowed
- Storage accounts should restrict network access
- Storage accounts should restrict network access using virtual network rules
- Storage accounts should use private link
- Azure File Sync should use private link
- Azure Synapse workspaces should use private link