
feat(terraform): check cognitive services restrict outbound network #6919

Merged: 6 commits from check/coginitive-services-restrict-network-access into main, Dec 23, 2024

Conversation

@tjwald (Contributor) commented Dec 22, 2024

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

Implemented a check for OpenAI Cognitive Services accounts in Azure to make sure the outbound network is restricted.
Implements Prisma Policy ID: "4c4ae367-8609-4b55-ac11-e9d52849658a"

New/Edited policies (Delete if not relevant)

id = "CKV_AZURE_247"
name = "Ensure that Azure Cognitive Services account hosted with OpenAI is configured with data loss prevention"

  • checks that outbound_network_access_restricted is set or that the fqdns are restricted.

Description

Check that the Cognitive Services account is either restricted to no outbound network access, or restricted to specific FQDNs.

Fix

Either set outbound_network_access_restricted = true, or set fqdns = [...].

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes


Generated description

Below is a concise technical summary of the changes proposed in this PR:

Implements a new check for Azure Cognitive Services accounts hosted with OpenAI to ensure data loss prevention. Adds a new class OpenAICognitiveServicesRestrictOutboundNetwork that checks if the outbound network access is restricted or if specific FQDNs are set. Creates test cases to verify the functionality of the new check, including both passing and failing scenarios.

Topic: Test cases
Adds test cases and examples for the new OpenAI Cognitive Services security check.
Modified files (2):
  • tests/terraform/checks/resource/azure/test_OpenAICognitiveServicesRestrictedOutboundNetwork.py
  • tests/terraform/checks/resource/azure/example_OpenAICognitiveServicesRestrictOutboundNetwork/main.tf

Topic: New security check
Implements a new security check for Azure Cognitive Services OpenAI accounts to ensure data loss prevention.
Modified files (1):
  • checkov/terraform/checks/resource/azure/OpenAICognitiveServicesRestrictOutboundNetwork.py
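The pass/fail rule the PR describes (outbound access fully restricted, or limited to an explicit FQDN allow list), as an added stand-alone illustration. This is not checkov's own OpenAICognitiveServicesRestrictOutboundNetwork class and not the PR's test fixture; the Terraform sample, the tiny HCL subset parser and the `kind == "OpenAI"` scoping are assumptions made for this page, the last one drawn from the check's title. The parsed block is handed to the check in checkov's shape, with every attribute value wrapped in a one-element list.

```python
"""Added illustration of the CKV_AZURE_247 rule described in this PR.

Not checkov's own check class. Assumptions: resource type azurerm_cognitive_account,
the rule only applies when kind == "OpenAI", and attribute values arrive wrapped in a
one-element list as checkov's Terraform parser produces them.
"""
import re
from enum import Enum


class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"
    UNKNOWN = "UNKNOWN"


# Constructed sample input covering the outcomes the PR description lists.
SAMPLE_TF = '''
resource "azurerm_cognitive_account" "pass_restricted" {
  name                               = "oai-restricted"
  kind                               = "OpenAI"
  outbound_network_access_restricted = true
}

resource "azurerm_cognitive_account" "pass_fqdns" {
  name  = "oai-allowlist"
  kind  = "OpenAI"
  fqdns = ["api.example.com", "search.example.net"]
}

resource "azurerm_cognitive_account" "fail_open" {
  name                               = "oai-open"
  kind                               = "OpenAI"
  outbound_network_access_restricted = false
}

resource "azurerm_cognitive_account" "fail_empty_fqdns" {
  name  = "oai-empty"
  kind  = "OpenAI"
  fqdns = []
}

resource "azurerm_cognitive_account" "unknown_speech" {
  name = "speech-svc"
  kind = "SpeechServices"
}
'''

_RESOURCE = re.compile(r'^\s*resource\s+"(\w+)"\s+"(\w+)"\s*\{')
_ATTR = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')


def _parse_value(raw: str):
    """Decode the HCL literals the sample uses: bools, quoted strings, lists of strings."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith("["):
        return re.findall(r'"([^"]*)"', raw)
    return raw.strip('"')


def parse_resources(hcl: str) -> dict:
    """Return {resource_name: conf}; each attribute value is wrapped in a one-element list."""
    resources, current = {}, None
    for line in hcl.splitlines():
        header = _RESOURCE.match(line)
        if header:
            current = {"__type__": [header.group(1)]}
            resources[header.group(2)] = current
            continue
        if current is None:
            continue
        if line.strip() == "}":
            current = None
            continue
        attr = _ATTR.match(line)
        if attr:
            current[attr.group(1)] = [_parse_value(attr.group(2))]
    return resources


def _scalar(conf: dict, key: str):
    value = conf.get(key)
    return value[0] if isinstance(value, list) and value else None


def check_outbound_network(conf: dict) -> CheckResult:
    """PASS when outbound access is fully restricted or limited to a non-empty FQDN list."""
    if _scalar(conf, "kind") != "OpenAI":
        return CheckResult.UNKNOWN  # out of scope for this rule (assumption)
    if _scalar(conf, "outbound_network_access_restricted") is True:
        return CheckResult.PASSED
    fqdns = _scalar(conf, "fqdns")
    if isinstance(fqdns, list) and len(fqdns) > 0:
        return CheckResult.PASSED
    return CheckResult.FAILED  # unset, false, or an empty fqdns list


def scan(hcl: str) -> dict:
    """Evaluate every azurerm_cognitive_account block and map its name to a result string."""
    return {name: check_outbound_network(conf).value
            for name, conf in parse_resources(hcl).items()
            if conf["__type__"][0] == "azurerm_cognitive_account"}


if __name__ == "__main__":
    for name, result in scan(SAMPLE_TF).items():
        print(f"{result:7} azurerm_cognitive_account.{name}")
```

Inside checkov the same decision would live in a BaseResourceCheck subclass's scan_resource_conf; the pure function above is what that method computes. One caveat for anyone relying on the "fqdns only" branch: Azure's data loss prevention documentation describes the allowed-FQDN list as taking effect together with outbound restriction enabled, so an account that sets fqdns while leaving outbound_network_access_restricted at its default of false is worth a second look even though this rule passes it.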

@tjwald tjwald self-assigned this Dec 22, 2024
@tsmithv11 (Collaborator) left a comment


Looks good! Small title change suggestion

@SteveVaknin (Contributor) left a comment


Nice! 💯

@tjwald force-pushed the check/coginitive-services-restrict-network-access branch from 34ad3b6 to 6dfc801 on December 23, 2024 09:27
@tjwald tjwald dismissed tsmithv11’s stale review December 23, 2024 09:33

fixed all requested changes

@tjwald tjwald merged commit 70e5baa into main Dec 23, 2024
38 checks passed
@tjwald tjwald deleted the check/coginitive-services-restrict-network-access branch December 23, 2024 09:38
4 participants