Control: App Service Web App CORS policies should prohibit public access
Description
Azure App Service Web App Cross-Origin Resource Sharing (CORS) policies should not allow unrestricted access from any origin that could enable public access.
Usage
Run the control in your terminal:
powerpipe control run azure_perimeter.control.appservice_web_app_cors_prohibit_public_access
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_perimeter.control.appservice_web_app_cors_prohibit_public_access --share
Steampipe Tables
SQL
select a.id as resource, case when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' then 'alarm' else 'ok' end as status, case when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' then a.name || ' CORS policy allows all domains to access the application.' else a.name || ' CORS does not allow all domains to access the application.' end as reason , a.resource_group as resource_group , sub.display_name as subscriptionfrom azure_app_service_web_app as a, azure_subscription as subwhere sub.subscription_id = a.subscription_id;