Skip to main content

πŸ›‘οΈ Azure PostgreSQL Flexible Server Firewall Rules allow access to Azure services🟒

  • Contextual name: πŸ›‘οΈ Flexible Server Firewall Rules allow access to Azure services🟒
  • ID: /ce/ca/azure/postgresql-database/disable-flexible-server-allows-access-to-azure-services
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-bf1f13f61

Description​

Open File

Description​

Disable access from Azure services to PostgreSQL flexible server.

Rationale​

If access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.

Audit​

From Azure Portal​
  1. Login to Azure Portal using https://portal.azure.com.
  2. Go to Azure Database for PostgreSQL flexible servers.
  3. For each database, under Settings, click Networking.
  4. Under Firewall rules, ensure Allow public access from any Azure service within Azure to this server is not checked.
From Azure CLI​

Ensure the below command does not return a rule with a name beginning AllowAllAzureServicesAndResourcesWithinAzureIps or with "startIpAddress": "0.0.0.0" or "endIpAddress": "0.0.0.0":

az postgres flexible-server firewall-rule list --resource-group <resourceGroup> --name <serverName>

... [see more](description.md)

Remediation​

Open File

Remediation​

From Azure Portal​

  1. Login to Azure Portal using https://portal.azure.com.
  2. Go to Azure Database for PostgreSQL flexible servers.
  3. For each database, under Settings, click Networking.
  4. Under Firewall rules, uncheck Allow public access from any Azure service within Azure to this server.
  5. Click Save.

From Azure CLI​

Using the firewall rule name from the Audit from Azure CLI steps, use the below command to delete the AllowAllAzureServicesAndResourcesWithinAzureIps rule for PostgreSQL flexible server:

az postgres flexible-server firewall-rule delete --resource-group <resourceGroup> --name <serverName> --rule-name <ruleName>

Type y and press enter to confirm.

From PowerShell​

Using the firewall rule name from the Audit from PowerShell steps, use the below command to delete the AllowAllAzureServicesAndResourcesWithinAzureIps rule for PostgreSQL flexible server:

Remove-AzPostgreSqlFlexibleServerFirewallRule -ResourceGroupName <resourceGroup> -ServerName <serverName> -Name <ruleName>

... [see more](remediation.md)

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS Azure v1.3.0 β†’ πŸ’Ό 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled - Level 1 (Manual)11no data
πŸ’Ό CIS Azure v1.4.0 β†’ πŸ’Ό 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled - Level 1 (Manual)11no data
πŸ’Ό CIS Azure v1.5.0 β†’ πŸ’Ό 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled - Level 1 (Manual)11no data
πŸ’Ό CIS Azure v2.0.0 β†’ πŸ’Ό 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 5.2.5 Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Secure Access57no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3768no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1148no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(5) Deny by Default β€” Allow by Exception (M)(H)18no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)68no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)68no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)48no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(5) Deny by Default β€” Allow by Exception (M)(H)18no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.1.2 Access to networks and network services1718no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.4.1 Information access restriction1920no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1756no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4791no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities2130no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties116no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected148no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected125no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected142no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3748no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(5) Boundary Protection _ Deny by Default β€” Allow by Exception418no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-8 Manages Identification and Authentication1824no data
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 1.2 Prevent access to the administrative interface from the internet3638no data