Turbot Guardrails Hub
Policy: Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).

Azure SQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.

By default, a SQL server has a firewall rule with a StartIp of 0.0.0.0 and an EndIp of 0.0.0.0, which allows access from all Azure services.

Additionally, a custom rule can be set up with a StartIp of 0.0.0.0 and an EndIp of 255.255.255.255, which allows access from ANY IP over the Internet.

In order to reduce the potential attack surface of a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific datacenters.

If "Allow Azure services and resources to access this server" is checked, resources outside of the subscription/tenant/organization boundary, in any Azure region, can effectively bypass the defined SQL Server network ACL on the public endpoint. A malicious attacker can then launch a SQL server password brute-force attack by creating a virtual machine in any Azure subscription/region, outside of the subscription boundary in which the SQL Server resides.
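As an added example (not code from the Guardrails policy or the Azure CIS mod), the following Python evaluates this benchmark item against a constructed set of Azure SQL Server firewall rules: the server names, rule names and addresses are made up, and the field names mirror the startIpAddress/endIpAddress shape of a firewall-rule listing. It flags both patterns the text describes: the 0.0.0.0-0.0.0.0 rule that admits all Azure services, and the 0.0.0.0-255.255.255.255 rule that admits any Internet IP.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample input: three servers with their firewall rules.
# The rule names and addresses are invented for this example only.
SAMPLE_SERVERS: Dict[str, List[Dict[str, str]]] = {
    "sql-prod-01": [
        {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
        {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"},
    ],
    "sql-dev-02": [
        {"name": "open-to-world", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    ],
    "sql-analytics-03": [
        {"name": "vpn-range", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.100.255"},
    ],
}

ANY_IP_START = ipaddress.IPv4Address("0.0.0.0")
ANY_IP_END = ipaddress.IPv4Address("255.255.255.255")


def classify_rule(rule: Dict[str, str]) -> Optional[str]:
    """Return a finding for a rule that violates CIS 5.1.2, or None if it is acceptable."""
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    if start == ANY_IP_START and end == ANY_IP_START:
        # 0.0.0.0-0.0.0.0 is the sentinel for "Allow Azure services and
        # resources to access this server": any Azure tenant/region gets in.
        return "allows access from all Azure services (0.0.0.0-0.0.0.0)"
    if start == ANY_IP_START and end == ANY_IP_END:
        # The full IPv4 range: ingress from ANY IP on the Internet.
        return "allows ingress from ANY IP (0.0.0.0-255.255.255.255)"
    return None


def evaluate_servers(servers: Dict[str, List[Dict[str, str]]]) -> Dict[str, dict]:
    """Map each server to an Alarm/OK status plus the (rule name, finding) pairs behind it."""
    results: Dict[str, dict] = {}
    for server, rules in servers.items():
        findings: List[Tuple[str, str]] = []
        for rule in rules:
            finding = classify_rule(rule)
            if finding is not None:
                findings.append((rule["name"], finding))
        results[server] = {"status": "Alarm" if findings else "OK", "findings": findings}
    return results


if __name__ == "__main__":
    for server, result in evaluate_servers(SAMPLE_SERVERS).items():
        print(f"{server}: {result['status']}", *result["findings"], sep="\n  ")
```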

Targets

This policy targets the following resource types:

  • Azure > SQL > Server

Primary Policy

This policy is used with the following primary policy:

  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database

Controls

Setting this policy configures this control:

  • Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)

Policy Specification

  • Schema Type: string
  • Default: Per Azure > CIS v3.0 > 05 - Database Services
  • Valid Values [YAML]:
    • Per Azure > CIS v3.0 > 05 - Database Services
    • Skip
    • Check: Benchmark

Category

  • CIS > Controls v7 > 14 Controlled Access Based on the Need to Know > 14.06 Protect Information through Access Control Lists

In Your Workspace

  • Policy Settings by Type report

Developers

  • Category URI
    • tmod:@turbot/cis#/control/categories/v071406
  • Policy Type URI
    • tmod:@turbot/azure-cisv3-0#/policy/types/r050102
  • GraphQL
    • query policyType(id: "tmod:@turbot/azure-cisv3-0#/policy/types/r050102") { … }
    • query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv3-0#/policy/types/r050102'") { … }
    • query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv3-0#/policy/types/r050102'") { … }
  • CLI
    • Get Policy Type: turbot graphql policy-type --id "tmod:@turbot/azure-cisv3-0#/policy/types/r050102"
    • Get Policy Settings: turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv3-0#/policy/types/r050102"