Ensure that Azure Cognitive Services account hosted with OpenAI is configured with data loss prevention
Description
This policy checks that Azure Cognitive Services accounts of kind `OpenAI` (Azure OpenAI) have outbound network access restricted and an explicit list of allowed FQDNs configured. Restricting outbound access limits where the service itself can send data, which closes an exfiltration path and reduces the attack surface; allow-listing specific FQDNs confines that traffic to known destinations. Note that this setting governs connections initiated by the service, not who may call its endpoint; inbound exposure is controlled separately through network ACLs, private endpoints and the public network access flag. The check matters because the prompts, completions and any grounding data processed by the account are sensitive.
Code Example
```terraform
resource "azurerm_cognitive_account" "example" {
  name                = "example-account"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  kind                = "OpenAI"
  sku_name            = "S0" # required argument; S0 is the standard Azure OpenAI tier

  # Block outbound calls from the service except to the allow-listed hosts.
  outbound_network_access_restricted = true
  # Bare hostnames only; a URL such as "https://example.com" is not an FQDN.
  fqdns = ["example.com"]
}
```
Remediation
To fix this issue, set `outbound_network_access_restricted = true` on the `azurerm_cognitive_account` resource and supply `fqdns` with the bare hostnames the service must be able to reach. Both are needed: the allow-list is only enforced while the restriction flag is true, and the restriction with an empty list blocks every outbound call the service makes.
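The rule's condition, written out as a small evaluator that can be run over parsed Terraform attributes. This is an added example, not Checkov's own implementation: it assumes each resource is a plain dict of attribute values (the shape `terraform show -json` produces), and it goes one step beyond the rule by rejecting `fqdns` entries that are URLs rather than hostnames, since a scheme or path in the list is a misconfiguration the provider will not catch. The resource names and attribute values below are constructed sample data.

```python
"""Illustrative evaluator for the CKV_AZURE_247 condition.

Added example; not Checkov's code. Each resource is a dict of the
azurerm_cognitive_account attributes as plain values, e.g. from
`terraform show -json`, not the list-wrapped form of raw HCL parsing.
"""
from __future__ import annotations

import re

# A bare FQDN: dot-separated labels of letters, digits and hyphens,
# no scheme, port or path, optional trailing dot, at most 253 chars.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}\.?$",
    re.IGNORECASE,
)


def is_valid_fqdn(value: object) -> bool:
    """True for 'example.com'; False for 'https://example.com', '*.x.com', etc."""
    return isinstance(value, str) and bool(_FQDN_RE.match(value))


def evaluate(resource: dict) -> tuple[str, str]:
    """Return (result, reason) for one azurerm_cognitive_account block.

    result is "PASS", "FAIL" or "SKIP"; only kind == "OpenAI" is in scope,
    mirroring the rule's focus on accounts hosted with OpenAI.
    """
    if resource.get("kind") != "OpenAI":
        return "SKIP", "kind is not OpenAI"
    if resource.get("outbound_network_access_restricted") is not True:
        return "FAIL", "outbound_network_access_restricted is not true"
    fqdns = resource.get("fqdns") or []
    if not fqdns:
        # Restriction is on but nothing is allow-listed: the rule wants an explicit list.
        return "FAIL", "outbound access restricted but no allowed FQDNs listed"
    bad = [entry for entry in fqdns if not is_valid_fqdn(entry)]
    if bad:
        # Stricter than the rule itself: URLs or wildcards are not FQDNs.
        return "FAIL", f"entries are not bare FQDNs: {bad}"
    return "PASS", f"outbound access restricted to {len(fqdns)} FQDN(s)"


def scan(resources: dict[str, dict]) -> dict[str, str]:
    """Map each resource name to its PASS/FAIL/SKIP result."""
    return {name: evaluate(attrs)[0] for name, attrs in resources.items()}


# Constructed sample resources covering the cases the rule distinguishes.
SAMPLE_RESOURCES: dict[str, dict] = {
    "openai_unrestricted": {"kind": "OpenAI"},
    "openai_no_fqdns": {"kind": "OpenAI", "outbound_network_access_restricted": True},
    "openai_url_entry": {
        "kind": "OpenAI",
        "outbound_network_access_restricted": True,
        "fqdns": ["https://example.com"],
    },
    "openai_ok": {
        "kind": "OpenAI",
        "outbound_network_access_restricted": True,
        "fqdns": ["example.com", "api.contoso.net"],
    },
    "speech": {"kind": "SpeechServices", "outbound_network_access_restricted": False},
}

if __name__ == "__main__":
    for name, attrs in SAMPLE_RESOURCES.items():
        result, reason = evaluate(attrs)
        print(f"{result:4} {name}: {reason}")
```

Running the module prints one line per sample resource; only `openai_ok` passes, the non-OpenAI account is skipped, and the three OpenAI variants fail for different reasons, including the URL-shaped entry that the original example on this page would have produced.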
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0754 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | azurerm_cognitive_account |
| Checkov ID | CKV_AZURE_247 |