From 34217492d0e65f6f0093863bda2c2171ff3f04fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?=
Date: Mon, 19 Jan 2026 16:57:22 +0100
Subject: [PATCH] chore(azure): enhance metadata for `aisearch` service (#9087)

Co-authored-by: Daniel Barranquero
---
 prowler/CHANGELOG.md | 1 +
 ...vice_not_publicly_accessible.metadata.json | 28 +++++++++++--------
 2 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 6ee3357e23..f787d612ee 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -54,6 +54,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Enhance `user_registration_details` perfomance and user `mfa` evaluation [(#9236)](https://github.com/prowler-cloud/prowler/pull/9236)
 - Update AWS Cognito service metadata to new format [(#8853)](https://github.com/prowler-cloud/prowler/pull/8853)
 - Update AWS EC2 service metadata to new format [(#9549)](https://github.com/prowler-cloud/prowler/pull/9549)
+- Update Azure AI Search service metadata to new format [(#9087)](https://github.com/prowler-cloud/prowler/pull/9087)
 ### Security
 - `pyasn1` to v0.6.2 to address [CVE-2026-23490](https://nvd.nist.gov/vuln/detail/CVE-2026-23490)
diff --git a/prowler/providers/azure/services/aisearch/aisearch_service_not_publicly_accessible/aisearch_service_not_publicly_accessible.metadata.json b/prowler/providers/azure/services/aisearch/aisearch_service_not_publicly_accessible/aisearch_service_not_publicly_accessible.metadata.json
index d84af0afdf..df372b54e5 100644
--- a/prowler/providers/azure/services/aisearch/aisearch_service_not_publicly_accessible/aisearch_service_not_publicly_accessible.metadata.json
+++ b/prowler/providers/azure/services/aisearch/aisearch_service_not_publicly_accessible/aisearch_service_not_publicly_accessible.metadata.json
@@ -1,30 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "aisearch_service_not_publicly_accessible",
-  "CheckTitle": "Restrict public network access to the AI Search Service",
+  "CheckTitle": "AI Search service has public network access disabled",
   "CheckType": [],
   "ServiceName": "aisearch",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "AzureSearchService",
+  "ResourceType": "microsoft.search/searchservices",
   "ResourceGroup": "database",
-  "Description": "Ensure that public network access to the Search Service is restricted.",
-  "Risk": "Public accessibility exposes the Search Service to potential attacks, unauthorized usage, and data breaches. Restricting access minimizes the surface area for attacks and ensures that only authorized networks can access the search service.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/search/service-configure-firewall#configure-network-access-in-azure-portal",
+  "Description": "**Azure AI Search service** limits its data-plane endpoint by disabling **public network access**. This evaluation checks whether the service only permits connections via **private endpoints** or narrowly scoped, explicitly allowed sources.",
+  "Risk": "Internet-reachable search endpoints impact CIA:\n- Confidentiality: unauthorized queries reveal indexed data/metadata\n- Integrity: stolen admin/query keys allow index changes or deletions\n- Availability: abuse and scanning drive throttling and outages",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-cognitive-search-security-baseline",
+    "https://www.azadvertizer.net/azpolicyadvertizer/9cee519f-d9c1-4fd9-9f79-24ec3449ed30.html",
+    "https://learn.microsoft.com/en-us/azure/search/service-configure-firewall#configure-network-access-in-azure-portal"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az search service update --resource-group --name --public-access disabled",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "az search service update --name --resource-group --public-access disabled",
+      "NativeIaC": "```bicep\n// Disable public network access for an Azure AI Search service\nresource search 'Microsoft.Search/searchServices@2023-11-01' = {\n name: ''\n location: ''\n sku: { name: 'basic' }\n properties: {\n publicNetworkAccess: 'disabled' // CRITICAL: Disables public access so the service is not reachable from the internet\n }\n}\n```",
+      "Other": "1. In the Azure portal, open your AI Search service\n2. Go to Settings > Networking\n3. Under Public network access, select Disabled\n4. Click Save\n5. Wait a few minutes and re-run the check",
+      "Terraform": "```hcl\n# Disable public network access for Azure AI Search\nresource \"azurerm_search_service\" \"\" {\n name = \"\"\n resource_group_name = \"\"\n location = \"\"\n sku = \"basic\"\n\n public_network_access_enabled = false # CRITICAL: Disables public access to pass the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that the necessary virtual network configurations or IP rules are in place to allow access from required services once public access is restricted. Review the network access settings regularly to maintain a secure environment. To restrict public network access to your Search Service: 1. Navigate to your Search Service y in the Azure Portal. 2. Under 'Settings'->'Networking', configure the 'Public network access' settings to 'Disabled'. 3. Set up virtual network service endpoints or private endpoints as needed for secure access. 4. Review and adjust IP access rules as necessary.",
-      "Url": "https://learn.microsoft.com/en-us/azure/search/service-configure-firewall#configure-network-access-in-azure-portal"
+      "Text": "Set `Public network access: Disabled`. Prefer **Private Link** and restrict any residual exposure to specific sources only. Use **least privilege** with Microsoft Entra ID RBAC instead of keys. Apply **defense in depth** with IP rules/trusted services, enable logs, and review access lists regularly.",
+      "Url": "https://hub.prowler.com/check/aisearch_service_not_publicly_accessible"
     }
   },
   "Categories": [
+    "internet-exposed",
     "gen-ai"
   ],
   "DependsOn": [],
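Review bot: The added `"Description"` line says the check accepts services that permit only "narrowly scoped, explicitly allowed sources", yet the new title, the CLI/Bicep/Terraform remediation and the Recommendation all set public network access to Disabled, which suggests the check passes only on that setting; a service protected solely by IP firewall rules would then be reported as FAIL while still matching the description. The check implementation is not in this hunk, so this is inferred from the metadata alone; if the check only tests for public network access being disabled, I would reword the second sentence to `This evaluation checks whether public network access is set to Disabled, so the endpoint is reachable only through private endpoints.` On the same basis, the Recommendation's "defense in depth with IP rules/trusted services" reads oddly next to "Disabled", since as far as I know those rules only take effect while public network access remains enabled; presenting IP rules as the fallback for services that cannot be fully privatized would make the guidance consistent with the check.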