Ensure Azure Synapse workspaces have no IP firewall rules attached
Error: Azure Synapse workspaces have IP firewall rules attached
Bridgecrew Policy ID: BC_AZR_NETWORKING_27
Checkov Check ID: CKV2_AZURE_19
Severity: LOW
Description
IP firewall rules in Azure Synapse control which public IP addresses may connect to the workspace's public endpoints (the dedicated and serverless SQL pools and the development endpoint used by Synapse Studio). Each rule names a start and end IPv4 address, and a connection is admitted when its source address lies in that range; the rules govern inbound traffic only.
The risk is the exposure each rule creates: the workspace's public endpoints become reachable from every address in the range, and a broad range such as 0.0.0.0 to 255.255.255.255 admits the entire IPv4 internet. The special range 0.0.0.0 to 0.0.0.0 allows connections from any Azure-hosted resource, not only those in your own subscription. Once a public endpoint is reachable, the only remaining barriers are the SQL administrator password and Azure AD authentication. This check therefore fails any workspace that has an azurerm_synapse_firewall_rule attached; the intended pattern is to leave public access closed and reach the workspace through its managed virtual network and private endpoints.
Fix - Buildtime
Terraform
- Resource: azurerm_synapse_firewall_rule, azurerm_resource_group, azurerm_synapse_workspace
- Argument: synapse_workspace_id (of azurerm_synapse_firewall_rule)
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}
# A Synapse workspace requires a Data Lake Gen2 filesystem, so the storage resources are part of the minimal compliant configuration.
resource "azurerm_storage_account" "example" {
  name                     = "examplestorageacc"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  is_hns_enabled           = true
}
resource "azurerm_storage_data_lake_gen2_filesystem" "example" {
  name               = "example"
  storage_account_id = azurerm_storage_account.example.id
}
# Compliant: no azurerm_synapse_firewall_rule references this workspace, and the managed virtual network keeps access on private endpoints.
resource "azurerm_synapse_workspace" "workspace_good" {
  name                                 = "example"
  resource_group_name                  = azurerm_resource_group.example.name
  location                             = azurerm_resource_group.example.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.example.id
  sql_administrator_login              = "sqladminuser"
  sql_administrator_login_password     = "H@Sh1CoR3!" # placeholder; inject from a variable or Key Vault in real deployments
  managed_virtual_network_enabled      = true
  tags = {
    Env = "production"
  }
}

# Non-compliant: attaching any firewall rule fails this check, and this one opens the public endpoints to every IPv4 address. Remove the resource rather than narrowing it.
# resource "azurerm_synapse_firewall_rule" "firewall_rule" {
#   name                 = "AllowAll"
#   synapse_workspace_id = azurerm_synapse_workspace.workspace_bad.id
#   start_ip_address     = "0.0.0.0"
#   end_ip_address       = "255.255.255.255"
# }
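The following script is an added illustration of the check's logic; it is not Bridgecrew's, Checkov's or the Terraform provider's code. It reads the "configuration" object that `terraform show -json <planfile>` emits, fails every azurerm_synapse_workspace that an azurerm_synapse_firewall_rule references through synapse_workspace_id, and additionally labels each rule by how much of the IPv4 internet it admits (the 0.0.0.0 to 0.0.0.0 sentinel, a single address, a range, or everything). The plan fragment embedded below is constructed for the demo, and the function names and scope labels are my own choices.

```python
"""Stand-alone check in the spirit of CKV2_AZURE_19 over a Terraform plan's
"configuration" object. The sample plan fragment below is constructed."""
import ipaddress

WORKSPACE_TYPE = "azurerm_synapse_workspace"
RULE_TYPE = "azurerm_synapse_firewall_rule"

# Constructed sample in the shape Terraform emits under "configuration"
# (root_module only; a real plan may nest more resources under module_calls).
SAMPLE_CONFIGURATION = {
    "root_module": {
        "resources": [
            {
                "address": "azurerm_synapse_workspace.workspace_good",
                "type": WORKSPACE_TYPE,
                "name": "workspace_good",
                "expressions": {"managed_virtual_network_enabled": {"constant_value": True}},
            },
            {
                "address": "azurerm_synapse_workspace.workspace_bad",
                "type": WORKSPACE_TYPE,
                "name": "workspace_bad",
                "expressions": {},
            },
            {
                "address": "azurerm_synapse_firewall_rule.firewall_rule",
                "type": RULE_TYPE,
                "name": "firewall_rule",
                "expressions": {
                    "name": {"constant_value": "AllowAll"},
                    # Terraform lists both the attribute and the resource it belongs to.
                    "synapse_workspace_id": {
                        "references": [
                            "azurerm_synapse_workspace.workspace_bad.id",
                            "azurerm_synapse_workspace.workspace_bad",
                        ]
                    },
                    "start_ip_address": {"constant_value": "0.0.0.0"},
                    "end_ip_address": {"constant_value": "255.255.255.255"},
                },
            },
        ]
    }
}


def _constant(expressions, key):
    """Literal value of an attribute, or None when it is computed or absent."""
    return expressions.get(key, {}).get("constant_value")


def referenced_workspace(rule):
    """Workspace address a rule points at via synapse_workspace_id, if resolvable."""
    refs = rule.get("expressions", {}).get("synapse_workspace_id", {}).get("references", [])
    for ref in refs:
        parts = ref.split(".")
        if len(parts) >= 2 and parts[0] == WORKSPACE_TYPE:
            return f"{parts[0]}.{parts[1]}"
    return None  # literal id, data source or module output: not resolvable here


def rule_scope(start, end):
    """Classify how much of the IPv4 internet a start/end pair admits."""
    if start is None or end is None:
        return "unknown"  # computed at apply time; cannot be judged statically
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if first == last == ipaddress.IPv4Address("0.0.0.0"):
        return "azure-services"  # Synapse sentinel: any Azure-hosted source, any tenant
    if last < first:
        return "invalid"
    width = int(last) - int(first) + 1
    if width == 2**32:
        return "allow-all"
    return "single-ip" if width == 1 else "range"


def evaluate(configuration):
    """Verdict per workspace: FAILED if any firewall rule references it, else PASSED."""
    resources = configuration["root_module"].get("resources", [])
    findings = {
        r["address"]: {"status": "PASSED", "rules": []}
        for r in resources
        if r["type"] == WORKSPACE_TYPE
    }
    for r in resources:
        if r["type"] != RULE_TYPE:
            continue
        target = referenced_workspace(r)
        if target not in findings:
            continue
        expr = r.get("expressions", {})
        findings[target]["status"] = "FAILED"
        findings[target]["rules"].append({
            "address": r["address"],
            "scope": rule_scope(_constant(expr, "start_ip_address"), _constant(expr, "end_ip_address")),
        })
    return findings


if __name__ == "__main__":
    for workspace, result in evaluate(SAMPLE_CONFIGURATION).items():
        rules = ", ".join(f'{x["address"]} ({x["scope"]})' for x in result["rules"]) or "-"
        print(f'{result["status"]:6} {workspace}  rules: {rules}')
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan` and pass the parsed JSON's "configuration" member to `evaluate`. The check uses the plan's "configuration" rather than "planned_values" because the workspace id is unknown before apply, whereas the reference graph is available at plan time; this is also why a rule that sets synapse_workspace_id from a literal string or a data source is reported as unresolved rather than guessed.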