Azure Machine Learning workspace configured with overly permissive network access
Description
This policy detects whether an Azure Machine Learning workspace is configured with overly permissive network access. Leaving the workspace reachable from the public internet creates security vulnerabilities: excessive network access permissions allow individuals or systems outside the intended network boundary to reach the workspace and potentially manipulate it, giving malicious actors a path to unauthorized access that can lead to data breaches or tampering with the machine learning process itself. Such unauthorized access could compromise models, leading to flawed outputs or biased results. Additionally, sensitive data stored or processed within the workspace might be exfiltrated if network access is not properly restricted.
Code Example
```diff
resource "azurerm_machine_learning_workspace" "workspace" {
  ...
+ public_network_access_enabled = false
}
```
Remediation
Terraform
- Resource: azurerm_machine_learning_workspace
- Arguments: public_network_access_enabled
Ensure that the Azure Machine Learning workspace does not have unrestricted public network access. To achieve this, set the `public_network_access_enabled` property to false. This will deny public network access to the workspace from outside the virtual network, enhancing the overall security posture.
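As an added example (not part of this policy page or of Checkov's own implementation), the following Python scanner applies the rule's logic to Terraform text: a workspace passes only when `public_network_access_enabled` is explicitly `false`, and a missing argument is treated as failing because the provider's default leaves public access enabled (an assumption about the rule's handling of defaults). The brace-matching HCL extraction and the sample configuration are constructed for the demonstration, not a full HCL parser.

```python
import re

# Constructed sample covering the cases the check must distinguish:
# explicit true, attribute omitted, explicit false, and an unrelated resource type.
SAMPLE_TF = """
resource "azurerm_machine_learning_workspace" "open" {
  name = "mlw-open"
  identity {
    type = "SystemAssigned"
  }
  public_network_access_enabled = true
}

resource "azurerm_machine_learning_workspace" "implicit" {
  name = "mlw-implicit"   # argument omitted; provider default is public access enabled
}

resource "azurerm_machine_learning_workspace" "locked" {
  name                          = "mlw-locked"
  public_network_access_enabled = false
}

resource "azurerm_storage_account" "sa" {
  public_network_access_enabled = true
}
"""

RESOURCE_HEADER = re.compile(
    r'resource\s+"azurerm_machine_learning_workspace"\s+"([^"]+)"\s*\{'
)
ATTRIBUTE = re.compile(r'^\s*public_network_access_enabled\s*=\s*(true|false)\b', re.M)


def _block_body(text, start):
    """Return the text between the brace at `start` and its matching close brace."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in resource block")


def check_workspaces(text):
    """Map each ML workspace resource name to True (compliant) or False (finding)."""
    results = {}
    for header in RESOURCE_HEADER.finditer(text):
        body = _block_body(text, header.end() - 1)
        attr = ATTRIBUTE.search(body)
        # Only an explicit `false` passes; omitted or `true` is a finding.
        results[header.group(1)] = attr is not None and attr.group(1) == "false"
    return results
```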
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0806 |
| Severity | HIGH |
| IaC Type | arm |
| Frameworks | Terraform, TerraformPlan, ARM, Bicep |
| Checkov ID | CKV2_AZURE_49 |