55 lines
1.9 KiB
YAML
55 lines
1.9 KiB
YAML
id: azure-functionapp-public-exposure
|
|
info:
|
|
name: Exposed Azure Functions
|
|
author: princechaddha
|
|
severity: high
|
|
description: |
|
|
To follow Azure cloud security best practices and prevent public exposure, ensure that the functions managed with Microsoft Azure Function App are not publicly accessible. An Azure function is considered publicly accessible when it is configured to allow inbound access through the default (public) endpoint.
|
|
impact: |
|
|
Allowing public network access to Azure Functions can expose sensitive business logic and data to potential security risks.
|
|
remediation: |
|
|
Configure Azure Functions to restrict access from the public network by setting the 'publicNetworkAccess' to 'Disabled'.
|
|
reference:
|
|
- https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options
|
|
tags: cloud,devops,azure,microsoft,functionapp,azure-cloud-config
|
|
|
|
flow: |
|
|
code(1);
|
|
for (let AppData of iterate(template.functionApps)) {
|
|
AppData = JSON.parse(AppData);
|
|
set("name", AppData.name);
|
|
set("resourceGroup", AppData.resourceGroup);
|
|
code(2);
|
|
}
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
az functionapp list --output json --query '[*].{name:name, resourceGroup:resourceGroup}'
|
|
|
|
extractors:
|
|
- type: json
|
|
name: functionApps
|
|
internal: true
|
|
json:
|
|
- '.[]'
|
|
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
az functionapp show --name $name --resource-group $resourceGroup --query 'publicNetworkAccess' --output json
|
|
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- "Enabled"
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- 'name + " is publicly accessible and should restrict network access"'
|
|
# digest: 4a0a00473045022100f092e5de38295307d89891cdc2c693cd32ccad20c1fa88ec3e96519a07e6b47602203afcb47d608e528a93e570d48ea218cfa703155995cdb267c9a7843849f265a2:922c64590222798bb761d5b6d8e72950 |