Ensure firewall rules reject internet access for Azure Redis Cache

HIGH

Description

Allowing unrestricted, public access to cloud services exposes an application to external attack. Disallowing such access is generally considered best practice.

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Azure Cache for Redis.
  2. Select the Redis Cache you wish to edit.
  3. Under Settings, select Firewall.
  4. Remove/edit rules where the start or end IP addresses are 0.0.0.0.
  5. Save.

In Terraform -

  1. For each azurerm_redis_cache resource, configure an azurerm_redis_firewall_rule.
  2. Ensure that the azurerm_redis_firewall_rule resource has start_ip and end_ip explicitly defined and that neither is 0.0.0.0.
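
The following Terraform, added here as an example and not taken from the original page, shows the non-compliant firewall rule the remediation removes beside the compliant rule it calls for. The resource names, resource group, location and the 203.0.113.x client range are constructed placeholders.

```hcl
# Added example (not from the original page). Resource names, resource group,
# location and the client IP range are constructed placeholders.
resource "azurerm_resource_group" "example" {
  name     = "rg-redis-example"
  location = "westeurope"
}

resource "azurerm_redis_cache" "example" {
  name                = "redis-example-cache"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  capacity            = 1
  family              = "C"
  sku_name            = "Standard"
}

# NON-COMPLIANT (AC_AZURE_0392): a start_ip of 0.0.0.0 paired with an end_ip
# of 255.255.255.255 admits every IPv4 address, so the rule opens the cache
# to the whole internet. Kept commented out so this configuration stays compliant.
# resource "azurerm_redis_firewall_rule" "allow_all" {
#   name                = "allowall"
#   redis_cache_name    = azurerm_redis_cache.example.name
#   resource_group_name = azurerm_resource_group.example.name
#   start_ip            = "0.0.0.0"
#   end_ip              = "255.255.255.255"
# }

# COMPLIANT: start_ip and end_ip are both explicit, neither is 0.0.0.0, and the
# range is limited to the application's own egress addresses (constructed range).
resource "azurerm_redis_firewall_rule" "app_clients" {
  name                = "appclients"
  redis_cache_name    = azurerm_redis_cache.example.name
  resource_group_name = azurerm_resource_group.example.name
  start_ip            = "203.0.113.10"
  end_ip              = "203.0.113.20"
}
```

A rule is only as tight as its range: check that end_ip stays close to start_ip, since a range ending at 255.255.255.255 is equivalent to the 0.0.0.0 case this policy flags.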

References:
https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_cache
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_firewall_rule

Policy Details

Rule Reference ID: AC_AZURE_0392
CSP: Azure
Remediation Available: Yes
Resource Category: Database
Resource Type: Redis

Frameworks