Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled

MEDIUM

Description

Description:

Disable access from Azure services to PostgreSQL Database Server.

Rationale:

If access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.

Remediation

From Azure Portal

Login to Azure Portal using 'https://portal.azure.com'.
Go to 'Azure Database for PostgreSQL servers'.
For each database, click on 'Connection security'.
Under 'Firewall rules', set 'Allow access to Azure services' to 'No'.
Click 'Save'.

From Azure CLI

Use the below command to delete the AllowAllWindowsAzureIps rule for PostgreSQL Database.

az postgres server firewall-rule delete --name AllowAllWindowsAzureIps --resource-group --server-name

Policy Details

Rule Reference ID: AC_AZURE_0564

CSP: Azure

Remediation Available: No

Domain: Data Protection

Resource: azurerm_postgresql_server

Resource Category: Database

Resource Type: PostgreSQL

Frameworks

CIS Azure Foundations v2.0.0 Level 1
CSCv8
NIST-800-53
NIST-CSF
GDPR
HIPAA
NIST-800-171
ISO-27001
CSCv7

Detections

Analytics