โญ Repository โ ๐ Compliance Engine โ ๐ CloudAware โ ๐ Azure โ ๐ Virtual Network
๐ก๏ธ Azure Network Security Group allows public access to PostgreSQL port๐ข
- Contextual name: ๐ก๏ธ Security Group allows public access to PostgreSQL port๐ข
- ID:
/ce/ca/azure/virtual-network/security-group-allows-unrestricted-traffic-to-postgresql - Tags:
- ๐ข Policy with categories
- ๐ข Policy with type
- ๐ข Production policy
- Policy Type:
COMPLIANCE_POLICY - Policy Categories:
SECURITY
Logicโ
- ๐ง prod.logic.yaml๐ข
Descriptionโ
Descriptionโ
Ensure that Azure Network Security Groups are not configured to allow unrestricted inbound access to the PostgreSQL port (5432) from the public internet. Network Security Group configurations should be audited and adjusted to restrict access to this port, permitting inbound traffic only from trusted IP addresses or internal networks.
Rationalโ
Allowing unrestricted access to PostgreSQL on port 5432 increases the vulnerability of the database to a variety of security threats, including exploitation of known vulnerabilities, brute-force attacks, and unauthorized access to sensitive data. As a widely used relational database management system, PostgreSQL is a prime target for attackers. Exposing this service to the public internet without proper access controls can lead to the compromise of critical business data. By restricting access to trusted IP addresses or internal networks, the attack surface is minimized, ensuring that only authorized users and systems can interact with the database.
Impactโ
... see more
Remediationโ
Remediationโ
Modify or Remove Insecure NSG Ruleโ
Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:
If the rule is not required: Remove the rule entirely.
If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.
Azure CLIโ
Delete the rule:
az network nsg rule delete \
--resource-group {{resource-group-name}} \
--nsg-name {{nsg-name}} \
--name {{rule-name}}Restrict the rule:
az network nsg rule update \
--resource-group {{resource-group-name}} \
--nsg-name {{nsg-name}} \
--name {{rule-name}} \
--source-address-prefixes {{trusted-cidr}}Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g.,
--source-address-prefixes "1.2.3.4/32 5.6.7.8/32").... see more
policy.yamlโ
Linked Framework Sectionsโ
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| ๐ผ Cloudaware Framework โ ๐ผ Public and Anonymous Access | 80 | no data |