Azure PostgreSQL Database Server 'Allow access to Azure services' enabled
Description
When 'Allow access to Azure services' settings are enabled, PostgreSQL Database server will accept connections from all Azure resources as well as from other subscription resources. It is recommended to use firewall rules or VNET rules to allow access from specific network ranges or virtual networks.
Code Example
go
resource "azurerm_resource_group" "example" {
name = "example-resources"
location = "West Europe"
}
resource "azurerm_sql_server" "sql_server_good" {
name = "mysqlserver"
resource_group_name = azurerm_resource_group.example.name
location = "West US"
version = "12.0"
administrator_login = "4dm1n157r470r"
administrator_login_password = "4-v3ry-53cr37-p455w0rd"
}
resource "azurerm_sql_firewall_rule" "firewall_rule_good" {
name = "FirewallRule1"
resource_group_name = azurerm_resource_group.example.name
server_name = azurerm_sql_server.sql_server_good.name
start_ip_address = "10.0.17.62"
end_ip_address = "10.0.17.62"
}Remediation
- In Azure Console*
. Login to Azure console
. Navigate to 'Azure Database for PostgreSQL servers' dashboard
. Select the reported PostgreSQL server
. Go to 'Connection security' under 'Settings'
. Select 'No' for 'Allow access to Azure services' under 'Firewall rules'
. Click on 'Save' === Fix - Buildtime
Terraform
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0764 |
| Severity | INFO |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AZURE_6 |