turbot/steampipe-mod-terraform-azure-compliance

Control: Cognitive Services accounts should restrict network access

Description

Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.

Usage

Run the control in your terminal:

powerpipe control run terraform_azure_compliance.control.cognitive_account_restrict_public_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run terraform_azure_compliance.control.cognitive_account_restrict_public_access --share

SQL

This control uses a named query:

select
address as resource,
case
when (attributes_std -> 'network_acls') is null then 'alarm'
when (attributes_std -> 'network_acls' ->> 'default_action') <> 'Deny' then 'alarm'
else 'ok'
end status,
split_part(address, '.', 2) || case
when (attributes_std -> 'network_acls') is null then ' ''network_acls'' not defin'
when (attributes_std -> 'network_acls' ->> 'default_action') <> 'Deny' then ' publicly accessible.'
else ' publicly not accessible'
end || '.' reason
, path || ':' || start_line
from
terraform_resource
where
type = 'azurerm_cognitive_account';

Tags