Skip to content

feat(file-shares): Add rule to disable public network access (AZR-000542) #3736

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
mathieusouflis wants to merge 1 commit into
base: main
Choose a base branch
from
+401 −0
Draft

feat(file-shares): Add rule to disable public network access (AZR-000542) #3736

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
85 changes: 85 additions & 0 deletions docs/en/rules/Azure.Share.PublicAccess.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
---
reviewed: 2025-11-04
Copy link
Copy Markdown
Collaborator

@BernieWhite BernieWhite Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clear or update the date.

severity: Critical
pillar: Security
category: SE:06 Network controls
resource: File Shares
resourceType: Microsoft.Kusto/clusters
Copy link
Copy Markdown
Collaborator

@BernieWhite BernieWhite Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update resource type.

online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Share.PublicAccess/
---

# Disable public network access on File Shares clusters

## SYNOPSIS

Azure File Shares (Shares) clusters should have public network access disabled.

## DESCRIPTION

Disabling public network access improves security by ensuring that the cluster isn't exposed on the public internet.
You can control exposure of your clusters by creating private endpoints instead.

## RECOMMENDATION

Consider disabling public network access on Azure File Shares clusters, using private endpoints to control connectivity.

## EXAMPLES

### Configure with Azure template

To deploy File Shares clusters that pass this rule:

- Set the `properties.publicNetworkAccess` property to `Disabled`.

For example:

```json
{
Copy link
Copy Markdown
Collaborator

@BernieWhite BernieWhite Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update examples for Arm JSON and Bicep. For the resource that is being tested. You can create an example in docs/examples/.

"type": "Microsoft.Kusto/clusters",
"apiVersion": "2024-04-13",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_D11_v2",
"tier": "Standard"
},
"identity": {
"type": "SystemAssigned"
},
"properties": {
"publicNetworkAccess": "Disabled"
}
}
```

### Configure with Bicep

To deploy File Shares clusters that pass this rule:

- Set the `properties.publicNetworkAccess` property to `Disabled`.

For example:

```bicep
resource adx 'Microsoft.Kusto/clusters@2024-04-13' = {
name: name
location: location
sku: {
name: 'Standard_D11_v2'
tier: 'Standard'
}
identity: {
type: 'SystemAssigned'
}
properties: {
enableDiskEncryption: true
publicNetworkAccess: 'Disabled'
}
}
```

## LINKS

- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
- [Security: Level 4](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level4)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.kusto/clusters)
Copy link
Copy Markdown
Collaborator

@BernieWhite BernieWhite Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Link to the resource being tested.

29 changes: 29 additions & 0 deletions src/PSRule.Rules.Azure/rules/Azure.Share.Rule.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

#
# Validation rules for FileShares
#

#region Rules

---
# Synopsis: Disable export of artifacts from container registries.
Copy link
Copy Markdown
Collaborator

@BernieWhite BernieWhite Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy from the .md synopsis.

apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.Share.PublicAccess
ref: AZR-000538
Copy link
Copy Markdown
Collaborator

@BernieWhite BernieWhite Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use 542 as other ids have open PRs.

tags:
release: preview
ruleSet: 2026_03
Copy link
Copy Markdown
Collaborator

@BernieWhite BernieWhite Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use 2026_06

Azure.WAF/pillar: Security

spec:
type:
- Microsoft.Kusto/clusters
Copy link
Copy Markdown
Collaborator

@BernieWhite BernieWhite Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update resource type.

condition:
allOf:
- field: properties.publicNetworkAccess
equals: Disabled
#endregion Rules
60 changes: 60 additions & 0 deletions tests/PSRule.Rules.Azure.Tests/Azure.Share.Rule.Tests.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

#
# Unit tests for Azure File Shares rules
#

[CmdletBinding()]
param ()

BeforeAll {
# Setup error handling
$ErrorActionPreference = 'Stop';
Set-StrictMode -Version latest;

if ($Env:SYSTEM_DEBUG -eq 'true')
{
$VerbosePreference = 'Continue';
}

# Setup tests paths
$rootPath = $PWD;
Import-Module (Join-Path -Path $rootPath -ChildPath out/modules/PSRule.Rules.Azure) -Force;
$here = (Resolve-Path $PSScriptRoot).Path;
}

Describe 'Azure.Share' -Tag 'Share' {
Context 'Conditions' {
BeforeAll {
$invokeParams = @{
Baseline = 'Azure.All'
Module = 'PSRule.Rules.Azure'
WarningAction = 'Ignore'
ErrorAction = 'Stop'
Outcome = 'All'
}
$dataPath = Join-Path -Path $here -ChildPath 'Resources.Share.json';
$result = Invoke-PSRule @invokeParams -InputPath $dataPath;
}


It 'Azure.Share.PublicAccess' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Share.PublicAccess' };

# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 2;
$ruleResult.TargetName | Should -Be 'cluster-A', 'cluster-B';
Copy link
Copy Markdown
Collaborator

@BernieWhite BernieWhite Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update to match the names of the file shares you create in the rest resources JSON file.


$ruleResult.Detail.Reason.Path | Should -BeIn 'properties.publicNetworkAccess';

# Pass
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 1;
$ruleResult.TargetName | Should -BeIn 'cluster-C';
Copy link
Copy Markdown
Collaborator

@BernieWhite BernieWhite Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same

}
}
}
Loading