Control: Cognitive Services accounts should restrict network access
Description
Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cognitive_account_restrict_public_accessSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cognitive_account_restrict_public_access --shareSQL
This control uses a named query:
with account_with_public_access_restricted as ( select a.id from azure_cognitive_account as a, jsonb_array_elements(capabilities) as c where c ->> 'name' = 'VirtualNetworks' and network_acls ->> 'defaultAction' <> 'Deny')select distinct a.name as resource, case when b.id is not null then 'alarm' else 'ok' end as status, case when b.id is not null then a.name || ' publicly accessible.' else a.name || ' publicly not accessible.' end as reason , a.resource_group as resource_group , sub.display_name as subscriptionfrom azure_cognitive_account as a left join account_with_public_access_restricted as b on a.id = b.id, azure_subscription as subwhere sub.subscription_id = a.subscription_id;