Azure PostgreSQL services access enabled
Description
AlphaSOC detected enabling of Azure services access on a PostgreSQL Flexible
Server via Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/write. The
firewall rule named AllowAllAzureServicesAndResources allows any Azure
service, even from other subscriptions, to connect to the database.
While convenient for some deployment scenarios, this setting significantly increases the attack surface. Any Azure resource, including those controlled by attackers in other Azure subscriptions, can establish connections to the database.
Impact
Enabling broad Azure services access allows database connections from untrusted Azure resources. Attackers who compromise any Azure resource could potentially use it as a pivot point to access the PostgreSQL database, bypassing network isolation controls.
Severity
| Severity | Condition |
|---|---|
| Low | Azure services access enabled on PostgreSQL |
Investigation and Remediation
Review Azure Activity logs to identify who enabled the setting and assess whether it is operationally required. Determine which Azure services actually need database access and consider implementing more restrictive firewall rules or private endpoints.
If this configuration is not required, disable it immediately and implement specific firewall rules for services that need access. Consider using Private Link to establish secure, private connectivity from Azure services to the database.
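One way to triage this from exported Azure Activity Log records, as an added example that is not AlphaSOC's own detection code: it flags successful firewallRules/write operations whose rule name is the AllowAllAzureServicesAndResources rule named above (assumed to be the last segment of the resourceId) or whose range is 0.0.0.0 to 0.0.0.0, the range Azure uses for that rule, and reports the caller and server for follow-up. The record shape and sample events are constructed and simplified.

```python
"""Triage Azure Activity Log exports for PostgreSQL Flexible Server firewall
writes that enable broad Azure-services access. Record shape below is a
constructed, simplified view of Activity Log events, not real log data."""
import re
from typing import Dict, Iterable, List

FIREWALL_WRITE_OP = "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/write"
# Rule name from the detection description; assumed to be the final
# resourceId segment. Azure represents this rule as the 0.0.0.0-0.0.0.0 range.
ALLOW_AZURE_RULE = "AllowAllAzureServicesAndResources"
ALLOW_AZURE_RANGE = ("0.0.0.0", "0.0.0.0")
RESOURCE_RE = re.compile(
    r"/flexibleServers/(?P<server>[^/]+)/firewallRules/(?P<rule>[^/]+)$",
    re.IGNORECASE,
)


def is_allow_azure_services(record: Dict) -> bool:
    """True when a successful firewall write creates the broad Azure-services rule."""
    if record.get("operationName") != FIREWALL_WRITE_OP:
        return False
    if record.get("status") != "Succeeded":  # failed attempts are noise here
        return False
    match = RESOURCE_RE.search(record.get("resourceId", ""))
    rule = match.group("rule") if match else ""
    props = record.get("properties", {})
    ip_range = (props.get("startIpAddress"), props.get("endIpAddress"))
    return rule.startswith(ALLOW_AZURE_RULE) or ip_range == ALLOW_AZURE_RANGE


def find_azure_services_access(records: Iterable[Dict]) -> List[Dict]:
    """Return who enabled the rule, on which server and when, for investigation."""
    findings = []
    for rec in records:
        if not is_allow_azure_services(rec):
            continue
        match = RESOURCE_RE.search(rec.get("resourceId", ""))
        findings.append({
            "time": rec.get("eventTimestamp"),
            "caller": rec.get("caller"),
            "server": match.group("server") if match else "unknown",
            "rule": match.group("rule") if match else "unknown",
        })
    return findings


# Constructed sample events: one broad rule, one scoped rule, one failed write.
_BASE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-db/providers/Microsoft.DBforPostgreSQL/flexibleServers/"
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-05-01T10:00:00Z", "caller": "alice@example.com",
     "operationName": FIREWALL_WRITE_OP, "status": "Succeeded",
     "resourceId": _BASE + "pg-prod-01/firewallRules/" + ALLOW_AZURE_RULE,
     "properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}},
    {"eventTimestamp": "2024-05-01T10:05:00Z", "caller": "bob@example.com",
     "operationName": FIREWALL_WRITE_OP, "status": "Succeeded",
     "resourceId": _BASE + "pg-prod-01/firewallRules/office-vpn",
     "properties": {"startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"}},
    {"eventTimestamp": "2024-05-01T10:07:00Z", "caller": "carol@example.com",
     "operationName": FIREWALL_WRITE_OP, "status": "Failed",
     "resourceId": _BASE + "pg-dev-02/firewallRules/" + ALLOW_AZURE_RULE,
     "properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}},
]
```

Run the returned findings against your change-management records to decide whether each enabling was approved before disabling the rule or replacing it with scoped rules or Private Link.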
Known False Positives
- Legitimate deployment scenarios requiring Azure service integration