Azure PostgreSQL database flexible server configured with overly permissive network access
Description
This policy is verifying that Azure PostgreSQL Flexible server is not set up with excessively permissive network access. The policy is important because overly permissive network access can potentially expose the database server to a wider range of threats. It offers an increased attack surface for unauthorized individuals or programs to exploit. If network access isn't restricted, it can lead to data breaches or unauthorized alterations to the database, compromising the privacy, security and integrity of the data hosted on the server. Hence, it is recommended to provide only necessary access permissions to maintain the lowest level of risk and exposure.
Code Example
resource "azurerm_postgresql_flexible_server_firewall_rule" "example" {
name = "example-firewall-rule"
resource_group_name = azurerm_resource_group.example.name
server_name = azurerm_postgresql_flexible_server.example.name
+ start_ip_address = "10.0.0.4" // Specific IP or range, not 0.0.0.0
+ end_ip_address = "10.0.0.20" // Specific IP or range, not 255.255.255.255
}Remediation
Terraform
- Resource: azurerm_postgresql_flexible_server_firewall_rule
- Arguments: start_ip_address, end_ip_address
Your Terraform configuration should define azurerm_postgresql_flexible_server_firewall_rule resources with start_ip_address and end_ip_address values that do not allow access from any IP address (0.0.0.0 to 255.255.255.255). Here's how you might configure it:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0783 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AZURE_26 |