Azure SQL Server allow access to any Azure internal resources
Description
This policy pertains to the server-level firewall rules of an Azure SQL server and checks that no rule is overly permissive. A rule whose start and end addresses span 0.0.0.0 to 255.255.255.255 accepts connections from every IPv4 address on the Internet, so anyone who obtains or guesses a database credential can reach the server directly. Such a rule also enlarges the attack surface for password spraying, brute force and exploitation of any SQL-level weakness. Access should instead be limited to the specific, trusted source addresses or narrow ranges that actually need to reach the server.
Code Example
```hcl
# Compliant rule: the range is a single trusted address, so only that
# source can reach the server through the firewall.
resource "azurerm_sql_firewall_rule" "example" {
  name                = "firewall_rule"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_sql_server.example.name
  start_ip_address    = "40.112.8.12"
  end_ip_address      = "40.112.8.12"
}
```
Remediation
Terraform
- Resource: azurerm_sql_firewall_rule
- Arguments: start_ip_address, end_ip_address
To fix this policy issue, define firewall rules that restrict the source IP ranges allowed to reach the Azure SQL server. The start and end IP addresses of a rule must not span 0.0.0.0 to 255.255.255.255; set both to a single trusted address, or to the narrowest contiguous range that covers the clients that need access. The one special case is the Azure-services rule: a range of 0.0.0.0 to 0.0.0.0 is how Azure represents the portal setting "Allow Azure services and resources to access this server". That rule is not the same as opening the server to the Internet, but it admits connections from any Azure-hosted resource, including resources in other customers' subscriptions, so it should only be kept where that is intended. Newer versions of the azurerm provider deprecate azurerm_sql_firewall_rule in favour of azurerm_mssql_firewall_rule, which uses the same start_ip_address and end_ip_address arguments, so the same remediation applies to both resource types.
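The following is an added example, not Checkov's own implementation of CKV2_AZURE_34 and not code from the original page. It re-implements the check's logic as a standalone Python function so the decision for each kind of rule can be seen explicitly: the wide-open 0.0.0.0 to 255.255.255.255 range fails, the 0.0.0.0 to 0.0.0.0 Azure-services rule is surfaced as a warning rather than a failure, and a single address passes. It also goes beyond the published policy with an optional `max_hosts` threshold (an assumption, not part of the policy) so that large but not full ranges can be caught. The `conf` dictionaries mimic the list-wrapped attribute form Checkov hands to a resource check, but nothing here imports Checkov, and the sample resources are constructed for the example.

```python
"""Standalone evaluation of Azure SQL firewall rules in the spirit of
CKV2_AZURE_34.  Added example: not Checkov's code.  The conf dicts
follow Checkov's convention of wrapping each Terraform attribute value
in a single-element list, but bare strings are accepted too."""
import ipaddress

FULL_RANGE_START = ipaddress.IPv4Address("0.0.0.0")
FULL_RANGE_END = ipaddress.IPv4Address("255.255.255.255")

# Azure convention: a 0.0.0.0 - 0.0.0.0 rule is the portal's
# "Allow Azure services and resources to access this server" switch.
AZURE_SERVICES = (FULL_RANGE_START, FULL_RANGE_START)


def _attr(conf, key):
    """Unwrap a Terraform attribute that may be a bare value or a
    single-element list (Checkov's conf format)."""
    value = conf.get(key)
    if isinstance(value, list):
        value = value[0] if value else None
    return value


def evaluate_rule(conf, max_hosts=None):
    """Return (result, reason) for one azurerm_sql_firewall_rule or
    azurerm_mssql_firewall_rule block.

    result is "FAILED", "PASSED" or "WARN".  max_hosts is an optional
    stricter limit on the number of addresses a rule may cover; it is an
    assumption of this example, not part of the published policy."""
    try:
        start = ipaddress.IPv4Address(_attr(conf, "start_ip_address"))
        end = ipaddress.IPv4Address(_attr(conf, "end_ip_address"))
    except (ipaddress.AddressValueError, TypeError, ValueError):
        return "FAILED", "start_ip_address/end_ip_address missing or not IPv4"
    if start > end:
        return "FAILED", "start_ip_address is greater than end_ip_address"
    if (start, end) == AZURE_SERVICES:
        # Not flagged by the policy, but worth a human decision.
        return "WARN", ("0.0.0.0-0.0.0.0 admits any Azure-hosted resource, "
                        "including other customers' subscriptions")
    if start == FULL_RANGE_START and end == FULL_RANGE_END:
        return "FAILED", "rule admits every IPv4 address"
    hosts = int(end) - int(start) + 1
    if max_hosts is not None and hosts > max_hosts:
        return "FAILED", f"range covers {hosts} addresses, above the {max_hosts} limit"
    return "PASSED", f"range covers {hosts} address(es)"


def scan(resources, max_hosts=None):
    """Evaluate every rule in a {resource_address: conf} mapping."""
    return {addr: evaluate_rule(conf, max_hosts) for addr, conf in resources.items()}


# Constructed sample resources for the example; not taken from a real plan.
SAMPLE_RESOURCES = {
    "azurerm_sql_firewall_rule.office": {
        "start_ip_address": ["40.112.8.12"], "end_ip_address": ["40.112.8.12"]},
    "azurerm_sql_firewall_rule.everyone": {
        "start_ip_address": ["0.0.0.0"], "end_ip_address": ["255.255.255.255"]},
    "azurerm_mssql_firewall_rule.azure_services": {
        "start_ip_address": ["0.0.0.0"], "end_ip_address": ["0.0.0.0"]},
    "azurerm_mssql_firewall_rule.half_internet": {
        "start_ip_address": ["0.0.0.0"], "end_ip_address": ["127.255.255.255"]},
    "azurerm_mssql_firewall_rule.backwards": {
        "start_ip_address": ["10.0.0.20"], "end_ip_address": ["10.0.0.10"]},
}

if __name__ == "__main__":
    for addr, (result, reason) in scan(SAMPLE_RESOURCES, max_hosts=256).items():
        print(f"{result:6} {addr}: {reason}")
```

Note that without `max_hosts` the `half_internet` rule passes, exactly as the published policy would treat it: only the full 0.0.0.0 to 255.255.255.255 range is flagged. Teams that want to catch broad-but-not-total ranges need the extra threshold or a custom policy of their own.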
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0791 |
| Severity | INFO |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AZURE_34 |