
     1  package storage
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
// CheckAllowMicrosoftServiceBypass is the Azure storage rule AVD-AZU-0010.
// It walks every storage account's network rules and reports each rule whose
// Bypass list does not contain an entry equal to "AzureServices"; rules that
// do contain it are recorded as passed.
var CheckAllowMicrosoftServiceBypass = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0010",
		Provider:   providers.AzureProvider,
		Service:    "storage",
		ShortCode:  "allow-microsoft-service-bypass",
		Summary:    "Trusted Microsoft Services should have bypass access to Storage accounts",
		Impact:     "Trusted Microsoft Services won't be able to access storage account unless rules set to allow",
		Resolution: "Allow Trusted Microsoft Services to bypass",
		Explanation: `Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. 

To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformAllowMicrosoftServiceBypassGoodExamples,
			BadExamples:         terraformAllowMicrosoftServiceBypassBadExamples,
			Links:               terraformAllowMicrosoftServiceBypassLinks,
			RemediationMarkdown: terraformAllowMicrosoftServiceBypassRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Evaluate the rule against the scanned state. Accounts with no network
	// rules produce no results at all, since there is no rule to inspect.
	func(s *state.State) (results scan.Results) {
		for _, account := range s.Azure.Storage.Accounts {
			for _, rule := range account.NetworkRules {
				// A single matching Bypass entry is enough; stop scanning once seen.
				bypassAllowed := false
				for _, entry := range rule.Bypass {
					if entry.EqualTo("AzureServices") {
						bypassAllowed = true
						break
					}
				}
				// NOTE(review): &rule is the address of the range variable; this
				// relies on Add/AddPassed copying the metadata immediately rather
				// than retaining the pointer — confirm against scan.Results.
				if bypassAllowed {
					results.AddPassed(&rule)
					continue
				}
				results.Add(
					"Network rules do not allow bypass for Microsoft Services.",
					&rule,
				)
			}
		}
		return
	},
)