Beta - Recovery Services Vault With Public Network Access

  • Query id: d3ba7d62-bd07-4102-88ca-9668e5f08e7d
  • Query name: Beta - Recovery Services Vault With Public Network Access
  • Platform: Terraform
  • Severity: High
  • Category: Access Control
  • CWE: 732
  • Risk score: 6.0
  • URL: Github

Description

All 'azurerm_recovery_services_vault' resources should set 'public_network_access_enabled' to false. The provider defaults this attribute to true when it is omitted, so both an explicit true and a missing attribute leave the vault reachable from the internet and increase the risk of unauthorized access.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "azurerm_recovery_services_vault" "positive1" {
  name                = "positive1-recovery-vault"
  location            = azurerm_resource_group.positive1.location
  resource_group_name = azurerm_resource_group.positive1.name
  sku                 = "Standard"

  # "public_network_access_enabled" missing - defaults to true
}

resource "azurerm_recovery_services_vault" "positive2" {
  name                = "positive2-recovery-vault"
  location            = azurerm_resource_group.positive2.location
  resource_group_name = azurerm_resource_group.positive2.name
  sku                 = "Standard"

  public_network_access_enabled = true
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "azurerm_recovery_services_vault" "negative1" {
  name                = "negative1-recovery-vault"
  location            = azurerm_resource_group.negative1.location
  resource_group_name = azurerm_resource_group.negative1.name
  sku                 = "Standard"

  public_network_access_enabled = false
}
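The check described above, implemented as a small stand-alone Python scanner. This is an added example, not the KICS query itself (which is written in Rego) and not code from the Terraform provider. It uses a simplified regex-based walk over the .tf text rather than a full HCL parser (an assumption that holds for flat resource blocks like the samples on this page), and it reproduces both failure modes the description names: the attribute explicitly set to true, and the attribute omitted so that the provider default of true applies. A non-literal value (for example a variable reference) is reported separately, since it cannot be verified statically. The sample input is constructed from the positive and negative test cases shown above.

```python
import re

# Constructed sample input: the three vault resources from this page's test cases,
# embedded so the check runs offline.
SAMPLE_TF = """
resource "azurerm_recovery_services_vault" "positive1" {
  name                = "positive1-recovery-vault"
  location            = azurerm_resource_group.positive1.location
  resource_group_name = azurerm_resource_group.positive1.name
  sku                 = "Standard"

  # "public_network_access_enabled" missing - defaults to true
}

resource "azurerm_recovery_services_vault" "positive2" {
  name                = "positive2-recovery-vault"
  sku                 = "Standard"

  public_network_access_enabled = true
}

resource "azurerm_recovery_services_vault" "negative1" {
  name                = "negative1-recovery-vault"
  sku                 = "Standard"

  public_network_access_enabled = false
}
"""

# Matches a top-level `resource "<type>" "<name>" { ... }` block whose closing
# brace sits at column 0 (assumption: flat blocks, as in the samples above).
RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)

# Matches the attribute assignment on its own line; a commented-out line
# (starting with '#') does not match, so it is correctly treated as missing.
ATTR_RE = re.compile(
    r'^\s*public_network_access_enabled\s*=\s*(?P<val>\S+)',
    re.MULTILINE,
)

VAULT_TYPE = "azurerm_recovery_services_vault"


def find_vaults_with_public_access(tf_text):
    """Return a list of (resource_name, reason) for every
    azurerm_recovery_services_vault that is, or cannot be shown not to be,
    reachable over the public network."""
    findings = []
    for block in RESOURCE_RE.finditer(tf_text):
        if block.group("type") != VAULT_TYPE:
            continue
        name = block.group("name")
        attr = ATTR_RE.search(block.group("body"))
        if attr is None:
            # Omitted attribute: the provider default is true.
            findings.append((name, "public_network_access_enabled missing (defaults to true)"))
            continue
        val = attr.group("val").lower()
        if val == "true":
            findings.append((name, "public_network_access_enabled explicitly set to true"))
        elif val != "false":
            # e.g. var.allow_public; cannot be decided without the variable's value.
            findings.append((name, f"public_network_access_enabled is non-literal ({val}); verify manually"))
    return findings


if __name__ == "__main__":
    for resource_name, reason in find_vaults_with_public_access(SAMPLE_TF):
        print(f"[High] {VAULT_TYPE}.{resource_name}: {reason}")
```

Running the script reports positive1 (attribute missing) and positive2 (explicitly true) and stays silent on negative1. Treating the missing attribute as a finding is the important design choice: a scanner that only looks for `= true` would miss the default-exposed vault in positive1.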