🔵 CIS Azure 4.1 · Rule: AZ-SQL-001 · Severity: critical

Ensure Azure SQL databases are not publicly accessible

Description

Azure SQL logical servers should have Public network access set to Disabled. The setting is server-level and applies to every database hosted on that server; once disabled, the server is reachable only through Private Endpoints.

⚠️ Risk Impact

A SQL server with a public endpoint is reachable from any internet address, so the only thing between the internet and the data is the login. That exposes it to credential brute-force, to direct data access as soon as a credential leaks, and to any SQL injection flaw in an application that was never meant to be reachable from outside.

🔍 How EchelonGraph Detects This

AZ-SQL-001 · Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Azure subscriptions. Violations are flagged as critical-severity findings with remediation guidance.

🔧 Remediation

On the logical server, set Public network access to Disabled and remove the 'Allow Azure services and resources to access this server' firewall rule. Connect clients through a Private Endpoint in their VNet, linked to a privatelink.database.windows.net private DNS zone so the server's FQDN resolves to the private IP.

💀 Real-World Attack Scenario

An Azure SQL server with public network access enabled had the 'Allow Azure services' firewall rule set, which admits connections from any Azure-hosted resource, including other customers' tenants. An attacker ran SQL brute-force attacks from a compromised Azure VM, gained access with a weak server admin password, and exfiltrated 800K customer records.

💰 Cost of Non-Compliance

The average cost of a data breach is $4.88M (IBM Cost of a Data Breach Report 2024). The 'Allow Azure services' firewall rule opens the database to every Azure-hosted IP (millions of addresses, across all tenants). A PCI DSS cardholder-data-environment database reachable from the internet fails the network-segmentation requirements outright and must be remediated and re-assessed.

📋 Audit Questions

  1. Which SQL servers have 'Public network access' enabled?
  2. Are there any 'Allow Azure services' firewall rules?
  3. Are Private Endpoints configured for all database access?
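The three audit questions above, and the Remediation steps, reduce to checks over the JSON that `az sql server list` and `az sql server firewall-rule list` return. The script below is an added example, not EchelonGraph's scanner code or Microsoft's tooling; it runs over constructed sample output embedded inline. It assumes the field names `publicNetworkAccess`, `privateEndpointConnections`, `startIpAddress` and `endIpAddress`, the sentinel rule 0.0.0.0 to 0.0.0.0 that the portal creates for 'Allow Azure services', and the `az sql server update --enable-public-network false` option.

```python
"""Audit Azure SQL logical servers for public exposure (added example).

Input shape mirrors `az sql server list` and `az sql server firewall-rule list`
(assumed field names; check against your CLI version).
"""
import ipaddress
from dataclasses import dataclass

# The portal's 'Allow Azure services and resources to access this server'
# checkbox is stored as a firewall rule spanning exactly 0.0.0.0-0.0.0.0.
AZURE_SERVICES_RULE = ("0.0.0.0", "0.0.0.0")


@dataclass
class Finding:
    server: str
    check: str
    detail: str


def _rule_width(rule):
    """Number of IPv4 addresses a start/end firewall rule admits."""
    start = int(ipaddress.IPv4Address(rule["startIpAddress"]))
    end = int(ipaddress.IPv4Address(rule["endIpAddress"]))
    return end - start + 1


def audit_server(server, rules):
    """Answer the three audit questions for one logical server."""
    name = server["name"]
    findings = []
    public = server.get("publicNetworkAccess", "Enabled") == "Enabled"
    has_pe = bool(server.get("privateEndpointConnections"))
    if public:
        findings.append(Finding(name, "AZ-SQL-001", "publicNetworkAccess is Enabled"))
    if not has_pe:
        findings.append(Finding(name, "NO_PRIVATE_ENDPOINT",
                                "no private endpoint connection; clients need the public path"))
    for r in rules:
        if (r["startIpAddress"], r["endIpAddress"]) == AZURE_SERVICES_RULE:
            state = "active" if public else "latent until public access is re-enabled"
            findings.append(Finding(name, "ALLOW_AZURE_SERVICES",
                                    f"rule {r['name']} admits any Azure-hosted IP, any tenant ({state})"))
        elif public:
            # Firewall rules are only evaluated while public access is Enabled.
            findings.append(Finding(name, "PUBLIC_IP_RULE",
                                    f"rule {r['name']} admits {_rule_width(r)} public address(es)"))
    return findings


def remediation_commands(server, rules, resource_group):
    """az CLI commands (assumed option names) that close the public path."""
    name = server["name"]
    cmds = []
    for r in rules:
        if (r["startIpAddress"], r["endIpAddress"]) == AZURE_SERVICES_RULE:
            cmds.append(f"az sql server firewall-rule delete -g {resource_group} -s {name} -n {r['name']}")
    if server.get("publicNetworkAccess", "Enabled") == "Enabled":
        cmds.append(f"az sql server update -g {resource_group} -n {name} --enable-public-network false")
    return cmds


# Constructed sample data: one exposed server, one correctly locked down.
SAMPLE_SERVERS = [
    {"name": "sql-prod-01", "publicNetworkAccess": "Enabled", "privateEndpointConnections": []},
    {"name": "sql-prod-02", "publicNetworkAccess": "Disabled",
     "privateEndpointConnections": [{"id": "pe-sql-prod-02"}]},
]
SAMPLE_RULES = {
    "sql-prod-01": [
        {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
        {"name": "office", "startIpAddress": "203.0.113.0", "endIpAddress": "203.0.113.255"},
    ],
    "sql-prod-02": [],
}


def audit_all(servers=SAMPLE_SERVERS, rules_by_server=SAMPLE_RULES):
    out = []
    for s in servers:
        out.extend(audit_server(s, rules_by_server.get(s["name"], [])))
    return out


if __name__ == "__main__":
    for f in audit_all():
        print(f"{f.server}: {f.check}: {f.detail}")
    for cmd in remediation_commands(SAMPLE_SERVERS[0], SAMPLE_RULES["sql-prod-01"], "rg-data"):
        print(cmd)
```

To run it against real output, replace the sample dictionaries with `json.load` of `az sql server list -o json` and, per server, `az sql server firewall-rule list -g <rg> -s <server> -o json`. Note that the 'Allow Azure services' rule is reported even when public access is Disabled; it does nothing in that state, but it silently takes effect again the moment someone flips public access back on, which is why the script reports it as latent rather than ignoring it.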

🎯 MITRE ATT&CK Mapping

  • T1190 — Exploit Public-Facing Application
  • T1110 — Brute Force

⚡ Common Pitfalls

  • The 'Allow Azure services' checkbox looks safe but admits connections from any Azure-hosted IP, including other customers' tenants
  • Relying on IP-based firewall rules instead of Private Endpoints: the public endpoint keeps listening, and the rules are only evaluated while public access is Enabled
  • Enabling public access for Azure Data Factory connectivity (use a Managed VNet with managed private endpoints instead)

📈 Business Value

Private Endpoint-only Azure SQL access removes the internet-facing path to the database entirely, so an attacker needs a foothold inside the VNet before credentials even matter. It integrates with existing VNet routing and DNS, and it complements rather than replaces strong authentication, least-privilege logins and auditing.

⏱️ Effort Estimate

Manual

2-4 hours per server to configure Private Endpoints

With EchelonGraph

EchelonGraph detects publicly accessible Azure SQL servers in real time

🔗 Cross-Framework References

SOC 2 CC6.6 · ISO 27001 A.13.1.3 · PCI DSS 1.3.6

Automate CIS Azure 4.1 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.

Start Free →