Metadata

Id: 0d0c12b9-edce-4510-9065-13f6a758750c

Cloud Provider: Azure

Platform: Ansible

Severity: Critical

Category: Networking and Firewall

Description

Allowing a Redis cache firewall rule to use 0.0.0.0 for both start and end addresses grants unrestricted internet access to the cache, exposing it to unauthorized access, data exposure, and potential remote exploitation.

For Ansible tasks that use azure.azcollection.azure_rm_rediscachefirewallrule (or the short module name azure_rm_rediscachefirewallrule), the start_ip_address and end_ip_address properties must be defined and must not be set to "0.0.0.0". Specify a limited IP range, or a single trusted IP address by setting both start and end to the same value. Tasks where both start_ip_address and end_ip_address equal "0.0.0.0" are flagged. Restrict access to known management IPs, or use VNet integration or Azure service endpoints so that the cache is not reachable from the public internet at all.

Secure example limiting access to a single admin IP:

- name: Allow Redis access from admin IP
  azure.azcollection.azure_rm_rediscachefirewallrule:
    resource_group: my-resource-group
    cache_name: my-redis-cache   # the cache is identified by cache_name, not name
    name: allow-admin-ip         # name is the firewall rule's own name (value assumed)
    start_ip_address: 203.0.113.5
    end_ip_address: 203.0.113.5
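A small checker that applies this rule's flagged condition to a playbook, added here as an example and not part of the rule's own implementation. It assumes PyYAML is installed, accepts both the collection FQCN and the short module name, and descends into plays and block/rescue/always sections; the sample playbook is constructed.

```python
import yaml  # PyYAML (assumed available)

# Both spellings the rule looks for (collection FQCN and the short module name).
REDIS_FW_MODULES = ("azure.azcollection.azure_rm_rediscachefirewallrule",
                    "azure_rm_rediscachefirewallrule")
UNRESTRICTED = "0.0.0.0"

def _iter_tasks(items):
    """Yield every task dict, descending into plays and block/rescue/always sections."""
    for item in items or []:
        if not isinstance(item, dict):
            continue
        for key in ("tasks", "pre_tasks", "post_tasks", "block", "rescue", "always"):
            if isinstance(item.get(key), list):
                yield from _iter_tasks(item[key])
        yield item

def find_open_redis_firewall_rules(playbook_yaml):
    """Return names of tasks whose rule spans 0.0.0.0 to 0.0.0.0 (the flagged condition)."""
    findings = []
    for task in _iter_tasks(yaml.safe_load(playbook_yaml)):
        for module in REDIS_FW_MODULES:
            params = task.get(module)
            if not isinstance(params, dict):
                continue
            # YAML loads dotted quads as strings; str() also normalises quoted values.
            start = str(params.get("start_ip_address", ""))
            end = str(params.get("end_ip_address", ""))
            if start == UNRESTRICTED and end == UNRESTRICTED:
                findings.append(task.get("name", "<unnamed task>"))
    return findings

# Constructed sample: one restricted rule and one wide-open rule.
SAMPLE_PLAYBOOK = """\
- name: Allow Redis access from admin IP
  azure.azcollection.azure_rm_rediscachefirewallrule:
    cache_name: my-redis-cache
    name: allow-admin-ip
    start_ip_address: 203.0.113.5
    end_ip_address: 203.0.113.5
- name: Open Redis to the whole internet
  azure_rm_rediscachefirewallrule:
    cache_name: myRedisCache
    name: myRule
    start_ip_address: 0.0.0.0
    end_ip_address: 0.0.0.0
"""
```

Running `find_open_redis_firewall_rules(SAMPLE_PLAYBOOK)` returns only the second task's name; a rule with a single 0.0.0.0 endpoint is not reported, matching the rule's stated condition.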

Compliant Code Examples

- name: Create a Firewall rule for Azure Cache for Redis
  azure_rm_rediscachefirewallrule:
    resource_group: myResourceGroup
    cache_name: myRedisCache
    name: myRule
    start_ip_address: 192.168.1.1
    end_ip_address: 192.168.1.4

Non-Compliant Code Examples

---
- name: Create a Firewall rule for Azure Cache for Redis
  azure_rm_rediscachefirewallrule:
    resource_group: myResourceGroup
    cache_name: myRedisCache
    name: myRule
    start_ip_address: 0.0.0.0
    end_ip_address: 0.0.0.0