โญ Repository โ ๐ Compliance Engine โ ๐ CloudAware โ ๐ Azure โ ๐ Virtual Network
๐ก๏ธ Azure Network Security Group allows public access to MySQL port๐ข
- Contextual name: ๐ก๏ธ Security Group allows public access to MySQL port๐ข
- ID:
/ce/ca/azure/virtual-network/security-group-allows-unrestricted-traffic-to-mysql - Tags:
- ๐ข Policy with categories
- ๐ข Policy with type
- ๐ข Production policy
- Policy Type:
COMPLIANCE_POLICY - Policy Categories:
SECURITY
Logicโ
- ๐ง prod.logic.yaml๐ข
Descriptionโ
Descriptionโ
Ensure that Azure Network Security Groups hosting MySQL instances are not configured to allow unrestricted inbound access to port 3306.
Network Security Group (NSG) rules should be reviewed and adjusted to limit traffic to only trusted IP addresses or internal networks, reducing the risk of unauthorized access and exposure to external threats.
Rationalโ
Unrestricted access to MySQL on port 3306 significantly increases the risk of unauthorized access, brute-force attacks, data exfiltration, and exploitation of SQL injection vulnerabilities. MySQL instances exposed to the internet without appropriate access controls are prime targets for malicious actors, who may attempt to exploit weak authentication mechanisms or known vulnerabilities in the MySQL server. By restricting access to trusted IP addresses or internal networks, only authorized users and systems can interact with the database, safeguarding sensitive data and reducing the attack surface.
Impactโ
Restricting access to MySQL may require careful configuration of Security Groups to ensure that legitimate applications and users retain necessary access to the database. Proper planning and testing are essential to maintain service availability while ensuring security.
... see more
Remediationโ
Remediationโ
Modify or Remove Insecure NSG Ruleโ
Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:
If the rule is not required: Remove the rule entirely.
If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.
Azure CLIโ
Delete the rule:
az network nsg rule delete \
--resource-group {{resource-group-name}} \
--nsg-name {{nsg-name}} \
--name {{rule-name}}Restrict the rule:
az network nsg rule update \
--resource-group {{resource-group-name}} \
--nsg-name {{nsg-name}} \
--name {{rule-name}} \
--source-address-prefixes {{trusted-cidr}}Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g.,
--source-address-prefixes "1.2.3.4/32 5.6.7.8/32").... see more
policy.yamlโ
Linked Framework Sectionsโ
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| ๐ผ Cloudaware Framework โ ๐ผ Public and Anonymous Access | 80 | no data |