turbot/azure_compliance

ad_guest_user_reviewed_monthlyad_manual_controlappservice_authentication_enabledappservice_ftp_deployment_disabledappservice_web_app_incoming_client_cert_onappservice_web_app_latest_http_versionappservice_web_app_latest_tls_versionappservice_web_app_register_with_active_directory_enabledappservice_web_app_use_httpscompute_os_and_data_disk_encrypted_with_cmkcompute_unattached_disk_encrypted_with_cmkcompute_vm_utilizing_managed_diskiam_no_custom_subscription_owner_roles_createdkeyvault_key_expiration_setkeyvault_logging_enabledkeyvault_secret_expiration_setkeyvault_vault_recoverablekubernetes_instance_rbac_enabledmanual_controlmonitor_diagnostic_settings_captures_proper_categoriesmonitor_log_alert_create_policy_assignmentmonitor_log_alert_create_update_nsgmonitor_log_alert_create_update_nsg_rulemonitor_log_alert_create_update_security_solutionmonitor_log_alert_delete_nsgmonitor_log_alert_delete_nsg_rulemonitor_log_alert_delete_policy_assignmentmonitor_log_alert_delete_security_solutionmonitor_log_alert_sql_firewall_rulemonitor_logs_storage_container_encryptes_with_byokmonitor_logs_storage_container_not_public_accessiblemysql_ssl_enablednetwork_security_group_rdp_access_restrictednetwork_security_group_ssh_access_restrictednetwork_security_group_udp_service_restrictednetwork_sg_flowlog_retention_period_greater_than_90network_watcher_enabledpostgres_db_server_connection_throttling_onpostgres_db_server_log_checkpoints_onpostgres_db_server_log_connections_onpostgres_db_server_log_disconnections_onpostgres_db_server_log_retention_days_3postgres_sql_ssl_enabledsecuritycenter_additional_email_configuredsecuritycenter_asc_default_setting_not_disabledsecuritycenter_automatic_provisioning_monitoring_agent_onsecuritycenter_azure_defender_on_for_appservicesecuritycenter_azure_defender_on_for_containerregistrysecuritycenter_azure_defender_on_for_k8ssecuritycenter_azure_defender_on_for_keyvaultsecuritycenter_azure_defender_on_for_serversecuritycenter_azure_defender_on_for_sqldbsecuritycenter_azure_defender_on_for_sqlservervmsecuritycenter_azure_defender_on_for_storagesecuritycenter_mcas_integrationsecuritycenter_notify_alerts_configuredsecuritycenter_security_alerts_to_owner_enabledsecuritycenter_wdatp_integrationsql_database_allow_internet_accesssql_db_active_directory_admin_configuredsql_server_and_databases_va_enabledsql_server_atp_enabledsql_server_auditing_onsql_server_audting_retention_period_90sql_server_tde_protector_cmk_encryptedsql_server_transparent_data_encryption_enabledsql_server_va_setting_periodic_scan_enabledsql_server_va_setting_reports_notify_adminssql_server_va_setting_scan_reports_configuredstorage_account_blob_containers_public_access_privatestorage_account_blob_service_logging_enabledstorage_account_default_network_access_rule_deniedstorage_account_encryption_at_rest_using_cmkstorage_account_queue_services_logging_enabledstorage_account_secure_transfer_required_enabledstorage_account_soft_delete_enabledstorage_account_trusted_microsoft_services_enabled

Query: network_security_group_rdp_access_restricted

Usage

steampipe query azure_compliance.query.network_security_group_rdp_access_restricted

SQL

with network_sg as (
select
distinct name sg_name
from
azure_network_security_group nsg,
jsonb_array_elements(security_rules) sg,
jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport,
jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip
where
sg -> 'properties' ->> 'access' = 'Allow'
and sg -> 'properties' ->> 'direction' = 'Inbound'
and sg -> 'properties' ->> 'protocol' = 'TCP'
and sip in ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '<nw>/0', '/0')
and (
dport in ('3389', '*')
or (
dport like '%-%'
and split_part(dport, '-', 1) :: integer <= 3389
and split_part(dport, '-', 2) :: integer >= 3389
)
)
)
select
-- Required Columns
sg.id resource,
case
when nsg.sg_name is null then 'ok'
else 'alarm'
end as status,
case
when nsg.sg_name is null
then sg.title || ' restricts RDP access from internet.'
else sg.title || ' allows RDP access from internet.'
end as reason,
-- Additional Dimensions
sg.resource_group,
sub.display_name as subscription
from
azure_network_security_group sg
left join network_sg nsg on nsg.sg_name = sg.name
join azure_subscription sub on sub.subscription_id = sg.subscription_id;