Azure Storage Account Default Network Access Is Set To 'Allow'

Restricting default network access adds a layer of security, since by default storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed to Deny.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

Azure Storage Account default network access is set to 'Allow'.
JSON Query:
$.resource.*.azurerm_storage_account size greater than 0 and ( $.resource.*.azurerm_storage_account_network_rules[*].*[*].default_action anyEqual "Allow" or $.resource.*.azurerm_storage_account[*].*[*].network_rules[*].default_action anyEqual "Allow" )
Recommendation:
Recommended solution to ensure that the Storage account default network access is not set to Allow.
Ensure that the Azure Storage Account default network access is not set to Allow. Make sure your template has "default_action" set to "Deny" in "network_rules" (or in the separate "azurerm_storage_account_network_rules" resource the query also inspects).
For example:
"azurerm_storage_account": [
  {
    "<storage_account_name>": [
      {
        "name": "storageaccountname",
        "network_rules": [
          {
            "default_action": "Deny"
          }
        ],
        "resource_group_name": "${azurerm_resource_group.example.name}"
      }
    ]
  }
]
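The following checker is an added example, not part of the original policy page or the Prisma Cloud engine. It implements the two paths of the JSON Query above (an inline network_rules block on azurerm_storage_account, and the separate azurerm_storage_account_network_rules resource) over the Terraform-JSON layout shown in the example, and runs it against three constructed templates. The nesting shape of "resource" (a list of objects keyed by resource type, then by label, then a list of instances) is an assumption based on the page's example; the optional report_missing flag goes beyond the page's query and is labelled as such.

```python
import json

# Constructed sample templates in the Terraform-JSON layout the page's example uses
# (assumed shape: resource -> [ { type: [ { label: [ attrs ] } ] } ]). Not from the page.
TEMPLATE_INLINE_ALLOW = {
    "resource": [
        {
            "azurerm_storage_account": [
                {"example": [{
                    "name": "storageaccountname",
                    "network_rules": [{"default_action": "Allow"}],
                    "resource_group_name": "${azurerm_resource_group.example.name}",
                }]}
            ]
        }
    ]
}

TEMPLATE_SEPARATE_ALLOW = {
    "resource": [
        {"azurerm_storage_account": [{"example": [{"name": "storageaccountname"}]}]},
        {"azurerm_storage_account_network_rules": [{"example": [{
            "storage_account_id": "${azurerm_storage_account.example.id}",
            "default_action": "Allow",
        }]}]},
    ]
}

TEMPLATE_DENY = json.loads(
    json.dumps(TEMPLATE_INLINE_ALLOW).replace('"Allow"', '"Deny"')
)

# Storage account with no network_rules block at all: the page's query does not
# match it, even though Azure's default for a new account is Allow.
TEMPLATE_NO_RULES = {
    "resource": [{"azurerm_storage_account": [{"example": [{"name": "storageaccountname"}]}]}]
}


def _iter_resources(template, resource_type):
    """Yield (label, attrs) for every instance of resource_type in the template."""
    for block in template.get("resource", []):
        for entry in block.get(resource_type, []):
            for label, instances in entry.items():
                for attrs in instances:
                    yield label, attrs


def find_allow_default_action(template, report_missing=False):
    """Return a list of findings mirroring the page's JSON Query.

    report_missing=True is an extension beyond the page's rule: it also reports
    storage accounts that declare no network_rules block at all.
    """
    findings = []
    accounts = list(_iter_resources(template, "azurerm_storage_account"))
    # Query condition 1: the template must contain at least one storage account.
    if not accounts:
        return findings
    # Path A: inline network_rules block on the storage account resource.
    for label, attrs in accounts:
        rules = attrs.get("network_rules", [])
        if report_missing and not rules:
            findings.append(f"azurerm_storage_account.{label}: no network_rules block (Azure default is Allow)")
        for rule in rules:
            if rule.get("default_action") == "Allow":
                findings.append(f"azurerm_storage_account.{label}: network_rules.default_action = Allow")
    # Path B: separate azurerm_storage_account_network_rules resource.
    for label, attrs in _iter_resources(template, "azurerm_storage_account_network_rules"):
        if attrs.get("default_action") == "Allow":
            findings.append(f"azurerm_storage_account_network_rules.{label}: default_action = Allow")
    return findings


if __name__ == "__main__":
    for name, tpl in [("inline Allow", TEMPLATE_INLINE_ALLOW),
                      ("separate Allow", TEMPLATE_SEPARATE_ALLOW),
                      ("Deny", TEMPLATE_DENY),
                      ("no rules", TEMPLATE_NO_RULES)]:
        print(name, "->", find_allow_default_action(tpl) or "compliant")
```

Note that a storage account with no network_rules block is not matched by the query as written, because there is no explicit "Allow" value to compare against; the report_missing option shows how a stricter check would surface that case as well.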

Run Rule Recommendation

Azure Portal.
  1. Go to Storage Accounts.
  2. Choose relevant Account.
  3. Under the Settings menu, click Firewalls and virtual networks.
  4. Set Allow access from to 'Selected networks'.
Remediation CLI Command:
az storage account update --name ${resourceName} --resource-group ${resourceGroup} --default-action Deny
CLI Command Description:
This CLI command requires the 'Microsoft.Storage/storageAccounts/*' permission. Successful execution sets the storage account's default network access rule to Deny, so only explicitly allowed networks can connect.

Compliance

There are 3 standards that are applicable to this policy:
  • CIS v1.1 (Azure)
  • PIPEDA
  • CCPA 2018
