PSRule.Rules.Azure

0.2.0

rules/Azure.SQL.Rule.ps1

                                #

# Validation rules for Azure SQL Database

#

# Synopsis: Determine if there is an excessive number of firewall rules

Rule 'Azure.SQL.FirewallRuleCount' -If { ResourceType 'Microsoft.Sql/servers' } -Tag @{ severity = 'Awareness'; category = 'Operations management' } {

    Recommend 'SQL Server has > 10 firewall rules, some rules may not be needed';

    $firewallRules = @($TargetObject.resources | Where-Object -FilterScript {

        $_.Type -eq 'Microsoft.Sql/servers/firewallRules'

    })

    $firewallRules.Length -le 10;

}

# Synopsis: Determine if access from Azure services is required

Rule 'Azure.SQL.AllowAzureAccess' -If { ResourceType 'Microsoft.Sql/servers' } -Tag @{ severity = 'Important'; category = 'Security configuration' } {

    $firewallRules = @($TargetObject.resources | Where-Object -FilterScript {

        $_.Type -eq 'Microsoft.Sql/servers/firewallRules' -and

        (

            $_.ResourceName -eq 'AllowAllWindowsAzureIps' -or

            ($_.properties.StartIpAddress -eq '0.0.0.0' -and $_.properties.EndIpAddress -eq '0.0.0.0')

        )

    })

    $firewallRules.Length -eq 0;

}

# Synopsis: Determine if there is an excessive number of permitted IP addresses

Rule 'Azure.SQL.FirewallIPRange' -If { ResourceType 'Microsoft.Sql/servers' } -Tag @{ severity = 'Important'; category = 'Security configuration' } {

    $summary = GetIPAddressSummary

    $summary.Public -le 10;

}

# Synopsis: Enable threat detection for Azure SQL logical server

Rule 'Azure.SQL.ThreatDetection' -If { ResourceType 'Microsoft.Sql/servers' } -Tag @{ severity = 'Important'; category = 'Security configuration' } {

    $threatPolicy = $TargetObject.resources | Where-Object -FilterScript {

        $_.Type -eq 'Microsoft.Sql/servers/securityAlertPolicies'

    }

    $Null -ne $threatPolicy;

    if ($Null -ne $threatPolicy) {

        $threatPolicy.ThreatDetectionState -eq 0 # 0 = Enabled, 1 = Disabled

    }

}

# Synopsis: Enable auditing for Azure SQL logical server

Rule 'Azure.SQL.Auditing' -If { ResourceType 'Microsoft.Sql/servers' } -Tag @{ severity = 'Important'; category = 'Security configuration' } {

    $auditPolicy = $TargetObject.resources | Where-Object -FilterScript {

        $_.Type -eq 'Microsoft.Sql/servers/auditingSettings'

    }

    $Null -ne $auditPolicy;

    if ($Null -ne $auditPolicy) {

        $auditPolicy.AuditState -eq 0 # 0 = Enabled, 1 = Disabled

    }

}