Azure Synapse workspaces have IP firewall rules attached
Description
IP firewall rules in Azure Synapse are used to control inbound and outbound network traffic to and from your workspace. By attaching IP firewall rules to your workspace, you can control which IP addresses or ranges have access to your workspace and what actions they can perform. However, attaching IP firewall rules to your workspace can also introduce potential security risks because it allows you to specify specific IP addresses or ranges that have access to your workspace. If an attacker is able to determine the IP address of your workspace, they could potentially gain access to it if the IP address is included in the firewall rules.
Code Example
go
resource "azurerm_resource_group" "example" {
name = "example-resources"
location = "West Europe"
}
resource "azurerm_synapse_workspace" "workspace_good" {
name = "example"
sql_administrator_login = "sqladminuser"
sql_administrator_login_password = "H@Sh1CoR3!"
managed_virtual_network_enabled = true
tags = {
Env = "production"
}
}
resource "azurerm_synapse_firewall_rule" "firewall_rule" {
name = "AllowAll"
synapse_workspace_id = azurerm_synapse_workspace.workspace_bad.id
start_ip_address = "0.0.0.0"
end_ip_address = "255.255.255.255"
}Remediation
Terraform
- Resource: azurerm_synapse_firewall_rule, azurerm_resource_group, azurerm_synapse_workspace
- Arguments: synapse_workspace_id (of azurerm_synapse_firewall_rule )
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0776 |
| Severity | LOW |
| IaC Type | arm |
| Frameworks | Terraform, |
| Checkov ID | CKV2_AZURE_19 |