Azure Storage Account 'Trusted Microsoft Services' Access Not Enabled

Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services then use strong authentication to access the storage account. If the 'Allow trusted Microsoft services' exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription).

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

Azure Storage Account 'Trusted Microsoft Services' access not enabled.
JSON Query:
$.resource.*.azurerm_storage_account size greater than 0 and ($.resource.*.azurerm_storage_account[*].*[*].network_rules anyNull or $.resource.*.azurerm_storage_account[*].*[*].network_rules[*].bypass anyNull or not ( $.resource.*.azurerm_storage_account[*].*[*].network_rules[*].bypass allEqual "AzureServices" ))
Recommendation:
Recommended solution to ensure that storage account 'Trusted Microsoft Services' access is enabled:
Ensure that Azure Storage Account 'Trusted Microsoft Services' access is enabled. Make sure the template sets "bypass" to AzureServices under "network_rules".
For example:
  "azurerm_storage_account": [
    {
      "<storage_account_name>": [
        {
          "name": "storageaccountname",
          "network_rules": [
            {
              "bypass": "AzureServices"
            }
          ],
          "resource_group_name": "${azurerm_resource_group.example.name}"
        }
      ]
    }
  ]
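The JSON query above can be read as three failure conditions (network_rules missing, bypass missing, or bypass not equal to AzureServices). The following added example, which is not Prisma Cloud's own evaluator, reimplements that logic in Python over a constructed Terraform-JSON fragment in the same shape as the example; as an assumption it also accepts the list form of bypass that the Terraform provider uses.

```python
"""Evaluate this page's 'Trusted Microsoft Services' build rule in plain Python.

Added example, not Prisma Cloud's evaluator. Input follows the Terraform-JSON
shape the page's query walks: $.resource[*].azurerm_storage_account[*].<name>[*].
"""
from typing import Any, Iterator


def storage_account_configs(template: dict) -> Iterator[dict]:
    """Yield every azurerm_storage_account config block in the template."""
    for entry in template.get("resource", []):
        for account in entry.get("azurerm_storage_account", []):
            for configs in account.values():
                yield from configs


def bypass_allows_azure_services(bypass: Any) -> bool:
    """The page writes bypass as a string; a list form is handled too (assumption)."""
    if isinstance(bypass, str):
        return bypass == "AzureServices"
    if isinstance(bypass, list):
        return "AzureServices" in bypass
    return False  # missing (anyNull) or an unexpected type


def find_violations(template: dict) -> list[str]:
    """Return names of storage accounts failing the rule; empty list means compliant."""
    violations = []
    for cfg in storage_account_configs(template):
        name = cfg.get("name", "<unnamed>")
        rules = cfg.get("network_rules")
        if not rules:  # network_rules anyNull
            violations.append(name)
        elif not all(bypass_allows_azure_services(r.get("bypass")) for r in rules):
            violations.append(name)  # bypass anyNull, or not allEqual "AzureServices"
    return violations


# Constructed sample: three accounts, only the last one passes the rule.
SAMPLE_TEMPLATE = {
    "resource": [{
        "azurerm_storage_account": [
            {"no_rules": [{"name": "sanorules"}]},
            {"no_bypass": [{"name": "sanobypass", "network_rules": [{"default_action": "Deny"}]}]},
            {"ok": [{"name": "saok", "network_rules": [{"bypass": "AzureServices"}]}]},
        ]
    }]
}

if __name__ == "__main__":
    print(find_violations(SAMPLE_TEMPLATE))  # ['sanorules', 'sanobypass']
```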

Run Rule Recommendation

Azure Portal.
  1. Go to Storage Accounts.
  2. Choose relevant Account.
  3. Under the Settings menu, click Firewalls and virtual networks.
  4. Ensure that 'Allow access from' is set to 'Selected networks'.
  5. Under Exceptions, make sure that 'Allow trusted Microsoft services to access this storage account' is checked.
  6. Click on 'Save'.
Remediation CLI Command:
az storage account update --name ${resourceName} --resource-group ${resourceGroup} --bypass AzureServices
CLI Command Description:
This CLI command requires 'Microsoft.Storage/storageAccounts/*' permission. Successful execution sets the storage account's network rule bypass to 'AzureServices', which allows trusted Microsoft services to bypass the network rules.

Compliance

There are 4 standards that are applicable to this policy:
  • MITRE ATT&CK [Beta]
  • CIS v1.1 (Azure)
  • PIPEDA
  • CCPA 2018