Steampipe mods are now Powerpipe →
Powerpipe Hub 
Hub
Mods
turbot/azure_compliance
Overview
9Dashboards
1129Controls
407Queries
2Variables
GitHub

Query: network_security_group_outbound_access_restricted

Usage

powerpipe query azure_compliance.query.network_security_group_outbound_access_restricted

Steampipe Tables

azure_network_security_group
azure_subscription
Azure plugin

SQL

with unrestricted_outbound as (
  select
    distinct name sg_name
  from
    azure_network_security_group nsg,
    jsonb_array_elements(security_rules || default_security_rules) sg,
    jsonb_array_elements_text(
      case
        when jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 then (sg -> 'properties' -> 'destinationPortRanges')
        else jsonb_build_array(sg -> 'properties' -> 'destinationPortRange')
      end
    ) as dport,
    jsonb_array_elements_text(
      case
        when jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 then (sg -> 'properties' -> 'sourceAddressPrefixes')
        else jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix')
      end
    ) as sip
  where
    sg -> 'properties' ->> 'access' = 'Allow'
    and sg -> 'properties' ->> 'direction' = 'Outbound'
    and sip in (
      '*',
      '0.0.0.0',
      '0.0.0.0/0',
      'Internet',
      'any',
      '<nw>/0',
      '/0'
    )
    and dport = '*'
)
select
  sg.id resource,
  case
    when nsg.sg_name is null then 'ok'
    else 'alarm'
  end as status,
  case
    when nsg.sg_name is null then sg.title || ' restricts outbound access from internet.'
    else sg.title || ' allows outbound access from internet.'
  end as reason,
  sg.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_network_security_group sg
  left join unrestricted_outbound nsg on nsg.sg_name = sg.name
  join azure_subscription sub on sub.subscription_id = sg.subscription_id;

Controls

The query is being used by the following controls: