Control: 6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
Description
Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).
Azure SQL Server includes a server-level firewall that blocks unauthorized connections. Rules can be made more granular by referencing the address ranges published for specific datacenters.
By default, a SQL server has a firewall rule with StartIp 0.0.0.0 and EndIp 0.0.0.0, which allows access from all Azure services.
Additionally, a custom rule with StartIp 0.0.0.0 and EndIp 255.255.255.255 allows access from ANY IP over the Internet.
To reduce the potential attack surface of a SQL server, firewall rules should be defined with more granular IP ranges by referencing the addresses available from specific datacenters.
By default, the Allow access to Azure services setting is ON, which allows access from all Azure IP ranges.
Remediation
From Console
- Login to the Azure console and go to SQL servers
- For each SQL server:
  - Click on Firewall / Virtual Networks under the Security section in the side bar
  - Set Allow access to Azure services to OFF
  - Set firewall rules to limit access to only authorized connections
Usage
Run the control in your terminal:
  powerpipe control run azure_compliance.control.cis_v130_6_3
Snapshot and share results via Turbot Pipes:
  powerpipe login
  powerpipe control run azure_compliance.control.cis_v130_6_3 --share
SQL
This control uses a named query:
  select
    s.id as resource,
    case
      when firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]'
        or firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]'
        then 'alarm'
      else 'ok'
    end as status,
    case
      when firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]'
        or firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]'
        then s.title || ' allows ingress 0.0.0.0/0 or any IP over the Internet.'
      else s.title || ' does not allow ingress 0.0.0.0/0 or any IP over the Internet.'
    end as reason,
    s.resource_group as resource_group,
    sub.display_name as subscription
  from
    azure_sql_server s
    left join azure_subscription sub on sub.subscription_id = s.subscription_id;
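The named query above uses jsonb containment, so it only matches the two exact literal ranges. The following added example (not part of the azure_compliance mod) expands the firewall_rules array and measures the width of each range instead, so a rule such as 0.0.0.1-255.255.255.254 is caught as well; it runs on plain PostgreSQL against a constructed `servers` CTE shaped like azure_sql_server, and the 2^24-address threshold is an assumption.

```sql
-- Added example, not part of the azure_compliance mod. The named query above
-- matches two exact literal ranges; this variant expands the firewall_rules
-- jsonb array and measures each range, so 0.0.0.1-255.255.255.254 is flagged
-- too. Plain PostgreSQL: `servers` is constructed sample data shaped like
-- azure_sql_server (id, title, firewall_rules).
with servers(id, title, firewall_rules) as (
  values
    ('sql-a', 'sql-a', '[{"name":"AllowAllWindowsAzureIps",
       "properties":{"startIpAddress":"0.0.0.0","endIpAddress":"0.0.0.0"}}]'::jsonb),
    ('sql-b', 'sql-b', '[{"name":"almost-everything",
       "properties":{"startIpAddress":"0.0.0.1","endIpAddress":"255.255.255.254"}}]'::jsonb),
    ('sql-c', 'sql-c', '[{"name":"office-range",
       "properties":{"startIpAddress":"203.0.113.0","endIpAddress":"203.0.113.255"}}]'::jsonb)
),
rules as (
  -- one row per firewall rule, endpoints cast to inet
  select
    s.id,
    s.title,
    r ->> 'name'                                   as rule_name,
    (r -> 'properties' ->> 'startIpAddress')::inet as start_ip,
    (r -> 'properties' ->> 'endIpAddress')::inet   as end_ip
  from servers s
  cross join lateral jsonb_array_elements(s.firewall_rules) as r
),
flagged as (
  select
    id, title, rule_name, start_ip, end_ip,
    -- 0.0.0.0-0.0.0.0 is the "Allow access to Azure services" rule
    (start_ip = '0.0.0.0' and end_ip = '0.0.0.0') as azure_services,
    -- inet - inet counts addresses between the endpoints; 2^24 (a /8 or
    -- wider) is an assumed threshold for "effectively any IP"
    (end_ip - start_ip) >= 16777216 as over_broad
  from rules
)
select
  s.id as resource,
  case when bool_or(f.azure_services or f.over_broad) then 'alarm' else 'ok' end as status,
  s.title || ': ' || coalesce(
    string_agg(f.rule_name || ' ' || host(f.start_ip) || '-' || host(f.end_ip), ', ')
      filter (where f.azure_services or f.over_broad),
    'no over-broad firewall rules') as reason
from servers s
left join flagged f on f.id = s.id
group by s.id, s.title
order by s.id;
```

To use it inside the mod, replace the `servers` CTE with `azure_sql_server` and keep the resource_group and subscription join from the named query above.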