Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-perimeter
Overview
2Dashboards
14Benchmarks
0Queries
3Variables
GitHub

Control: Network interfaces should not have a public IP address

Description

Azure network interfaces should not be assigned public IP addresses unless explicitly required for the workload to minimize internet exposure.

Usage

Run the control in your terminal:

powerpipe control run azure_perimeter.control.network_interface_not_attached_to_public_ip

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_perimeter.control.network_interface_not_attached_to_public_ip --share

Steampipe Tables

azure_network_interface
azure_subscription
Azure plugin

SQL

with nic_public_ips as (
  select
    ni.id,
    ni.name,
    ni.tags,
    ni.resource_group,
    ni._ctx,
    ni.region,
    ni.subscription_id,
    case
      when jsonb_path_exists(ni.ip_configurations, '$[*].properties.publicIPAddress.id') then 'has_public_ip'
      else 'no_public_ip'
    end as public_ip_status
  from
    azure_network_interface ni
)
select
  nip.id as resource,
  case
    when public_ip_status = 'no_public_ip' then 'ok'
    else 'alarm'
  end as status,
  case
    when public_ip_status = 'no_public_ip' then nip.name || ' does not have public IP addresses.'
    else nip.name || ' has public IP addresses assigned.'
  end as reason
  
  , nip.resource_group as resource_group
  , sub.display_name as subscription
from
  nic_public_ips nip,
  azure_subscription sub
where
  sub.subscription_id = nip.subscription_id;

Tags

category = Perimeter
plugin = azure
service = Azure/Network