Ensure public access is disabled for Azure MySQL Single Server

HIGH

Description

Allowing unrestricted, public access to cloud services could open an application up to external attack. Disallowing this access is typically considered best practice.

Remediation

For MySQL Single Server instances, follow the steps below:

In Azure Console -

  1. Open the Azure Portal and go to MySQL servers.
  2. Choose the MySQL server you wish to edit.
  3. Under Settings, select Connection security.
  4. For Deny public network access, set the value to Yes.
  5. Select Save.

In Terraform -

  1. In the azurerm_mysql_server resource, set public_network_access_enabled to false.

References:
https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-networking-public
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server#public_network_access_enabled

Policy Details

Rule Reference ID: AC_AZURE_0308
CSP: Azure
Remediation Available: Yes
Resource Category: Database
Resource Type: MySQL

Frameworks