Benchmark: 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)
Description
This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_13_6
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_13_6 --share
Controls
- Web Application Firewall (WAF) should be enabled for Application Gateway
- Cognitive Services accounts should have local authentication methods disabled
- Management ports of virtual machines should be protected with just-in-time network access control
- All network ports should be restricted on network security groups associated to your virtual machine
- Internet-facing virtual machines should be protected with network security groups
- Container registries should not allow unrestricted network access
- Azure Cosmos DB accounts should have firewall rules
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service
- Azure Key Vault should have firewall enabled
- Authorized IP ranges should be defined on Kubernetes Services
- Public network access should be disabled for MariaDB servers
- Public network access should be disabled for MySQL servers
- Management ports should be closed on your virtual machines
- Subnets should be associated with a Network Security Group
- Public network access should be disabled for PostgreSQL servers
- Azure Cognitive Search services should disable public network access
- Public network access on Azure SQL Database should be disabled
- Storage account public access should be disallowed
- Storage accounts should restrict network access
- Storage accounts should restrict network access using virtual network rules
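Added example, not part of the Powerpipe mod: a small Python check in the spirit of the "All network ports should be restricted on network security groups" control and the deny-all, permit-by-exception policy described above. It flags inbound Allow rules on an NSG that open every port to any source; the NSG JSON is constructed and uses the flattened field names the Azure CLI prints for `az network nsg show`, and the helper names are my own.

```python
"""Flag Azure NSG rules that break a deny-all, permit-by-exception posture."""
import json

# Constructed sample NSG (CLI-style flattened fields): one overly broad inbound
# Allow rule, one narrowly scoped exception, and an explicit catch-all Deny.
SAMPLE_NSG = json.dumps({
    "name": "web-nsg",
    "securityRules": [
        {"name": "allow-any-inbound", "access": "Allow", "direction": "Inbound",
         "protocol": "*", "sourceAddressPrefix": "*",
         "destinationPortRange": "*", "priority": 100},
        {"name": "allow-https-from-lb", "access": "Allow", "direction": "Inbound",
         "protocol": "Tcp", "sourceAddressPrefix": "AzureLoadBalancer",
         "destinationPortRange": "443", "priority": 110},
        {"name": "deny-all-inbound", "access": "Deny", "direction": "Inbound",
         "protocol": "*", "sourceAddressPrefix": "*",
         "destinationPortRange": "*", "priority": 4096},
    ],
})

# Source prefixes that mean "anyone" rather than an approved exception.
BROAD_SOURCES = {"*", "0.0.0.0/0", "Internet", "Any"}


def _prefixes(rule, single, plural):
    """Collect both the singular and plural forms of a rule field."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return values


def is_broad_source(rule):
    """True if any source prefix admits traffic from any address."""
    return any(p in BROAD_SOURCES for p in
               _prefixes(rule, "sourceAddressPrefix", "sourceAddressPrefixes"))


def is_all_ports(rule):
    """True if any destination port range covers every port."""
    return any(r in ("*", "0-65535") for r in
               _prefixes(rule, "destinationPortRange", "destinationPortRanges"))


def find_violations(nsg_json):
    """Return names of inbound Allow rules that permit any source to any port,
    ordered by priority (lowest number is evaluated first by Azure)."""
    rules = json.loads(nsg_json).get("securityRules", [])
    return [r["name"] for r in sorted(rules, key=lambda r: r["priority"])
            if r["access"] == "Allow" and r["direction"] == "Inbound"
            and is_broad_source(r) and is_all_ports(r)]
```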