Objective
Add a new scanner rule to detect Azure SQL Servers where the firewall rule "Allow access to Azure services" is enabled, exposing the database to all Azure-hosted resources.
Background
Enabling "Allow access to Azure services" opens the SQL Server firewall to any resource hosted on Azure, including resources from other tenants and customers. Under the hood it is an ordinary server-level firewall rule whose start and end IP addresses are both 0.0.0.0 (the portal creates it under the name AllowAllWindowsAzureIps); Azure treats that range as "any Azure public IP", not as a tenant or subscription boundary. It does not bypass authentication, but it removes the network control, so a leaked connection string or a weak SQL login becomes directly exploitable from any attacker-controlled Azure VM. This is a broad and often misunderstood setting that significantly increases the attack surface.
Real-World Breach Scenario
In multiple Azure data exposure incidents, attackers spun up Azure VMs in their own subscriptions and connected directly to victim SQL Servers that had this setting enabled. The firewall rule treated all Azure IPs as trusted regardless of tenant.
Compliance Mapping
- CIS Azure Benchmark: 6.3
- NIST CSF: PR.AC-3
- ISO 27001: A.13.1.3
- SOC 2: CC6.6
Deliverables
- scanner/rules/az_db_004.py — scan() function using Azure SDK
- playbooks/cli/fix_az_db_004.sh — disable the "Allow access to Azure services" firewall rule
- compliance/frameworks/cis_azure_benchmark.json — add AZ-DB-004 entry
- compliance/frameworks/nist_csf.json — add AZ-DB-004 entry
- compliance/frameworks/iso27001.json — add AZ-DB-004 entry
- compliance/frameworks/soc2.json — add AZ-DB-004 entry
Severity
HIGH
Category
Database
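Reference detection logic for the scan() deliverable, covering the Background section's point that the setting is a firewall rule rather than a named switch. This is an added example, not the repository's scanner/rules/az_db_004.py. It assumes two things the ticket does not state: Azure's documented representation of "Allow access to Azure services" as a server-level firewall rule whose start and end IP are both 0.0.0.0 (the portal's default name AllowAllWindowsAzureIps is incidental, the range is what matters), and the azure-mgmt-sql / azure-identity API shape (SqlManagementClient, servers.list, firewall_rules.list_by_server) used only in the optional live path. The sample inventory is constructed and runs offline.

```python
"""AZ-DB-004 detection logic (added example; not the project's own rule file).

Assumptions not stated in the ticket: the "Allow access to Azure services"
switch is stored as a server-level firewall rule with start and end IP
0.0.0.0 (portal default name AllowAllWindowsAzureIps), and the SDK calls in
load_from_subscription() follow the azure-mgmt-sql / azure-identity API shape.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

RULE_ID = "AZ-DB-004"
SEVERITY = "HIGH"


@dataclass
class FirewallRule:
    name: str
    start_ip_address: str
    end_ip_address: str


@dataclass
class SqlServerSnapshot:
    """One logical SQL server plus its server-level firewall rules."""
    resource_group: str
    name: str
    rules: List[FirewallRule] = field(default_factory=list)


def is_allow_azure_services(rule: FirewallRule) -> bool:
    """True for the 0.0.0.0-0.0.0.0 sentinel range.

    Match on the range, not the name: the same setting can be created under any
    name via ARM, the CLI or Terraform. A 0.0.0.0-255.255.255.255 rule is a
    different misconfiguration (any public IP) and is deliberately not matched,
    so the two findings are not conflated.
    """
    return rule.start_ip_address == "0.0.0.0" and rule.end_ip_address == "0.0.0.0"


def scan(servers: Iterable[SqlServerSnapshot]) -> List[Dict[str, str]]:
    """Return one finding per rule that enables Azure-wide ingress."""
    findings: List[Dict[str, str]] = []
    for server in servers:
        for rule in server.rules:
            if is_allow_azure_services(rule):
                findings.append({
                    "rule_id": RULE_ID,
                    "severity": SEVERITY,
                    "resource_group": server.resource_group,
                    "server": server.name,
                    "firewall_rule": rule.name,
                    # Removal is the fix; replacing it with VNet rules or a
                    # Private Endpoint is coordinated with the app owners first.
                    "remediation": (
                        "az sql server firewall-rule delete "
                        f"-g {server.resource_group} -s {server.name} -n {rule.name}"
                    ),
                })
    return findings


def load_from_subscription(subscription_id: str) -> List[SqlServerSnapshot]:
    """Optional live path (assumed SDK shape). Imports are deferred so the
    offline example runs without the SDK installed."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.sql import SqlManagementClient

    client = SqlManagementClient(DefaultAzureCredential(), subscription_id)
    snapshots = []
    for server in client.servers.list():
        # ARM id: /subscriptions/<sub>/resourceGroups/<rg>/providers/...
        parts = server.id.split("/")
        rg = parts[parts.index("resourceGroups") + 1]
        rules = [
            FirewallRule(r.name, r.start_ip_address, r.end_ip_address)
            for r in client.firewall_rules.list_by_server(rg, server.name)
        ]
        snapshots.append(SqlServerSnapshot(rg, server.name, rules))
    return snapshots


# Constructed sample inventory (not real servers) covering the three cases the
# rule must get right: the default-named rule, the same range under a custom
# name, and the "any IP" range that belongs to a different finding.
SAMPLE_SERVERS = [
    SqlServerSnapshot("rg-prod", "sql-prod-01", [
        FirewallRule("AllowAllWindowsAzureIps", "0.0.0.0", "0.0.0.0"),
        FirewallRule("office-egress", "203.0.113.10", "203.0.113.10"),
    ]),
    SqlServerSnapshot("rg-dev", "sql-dev-01", [
        FirewallRule("wide-open", "0.0.0.0", "255.255.255.255"),
    ]),
    SqlServerSnapshot("rg-dev", "sql-dev-02", [
        FirewallRule("ci-runners", "0.0.0.0", "0.0.0.0"),
    ]),
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_SERVERS), indent=2))
```

Two notes for the fix playbook: the emitted `az sql server firewall-rule delete` command is the actual remediation, but deleting the rule blindly cuts off every Azure-hosted client that was relying on it (App Service, Functions, Data Factory, other subscriptions' VMs), so the playbook should first move legitimate callers to VNet rules, a Private Endpoint, or explicit IP ranges and only then remove the 0.0.0.0 rule. And because the scanner matches on the address range rather than the rule name, renaming the rule does not hide the finding.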