Ensure default network access rule is set to deny in Azure Storage Account Network Rules

MEDIUM

Description

Allowing unrestricted, public access to cloud services could open an application up to external attack. Disallowing this access is typically considered best practice. One common way to manage this is by creating a 'deny-by-default' firewall policy which would require a service to be added as an exception to allow access.

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Storage Accounts.
  2. Select the Storage Account that you wish to edit.
  3. Under Security + Networking, select Networking.
  4. Set Public Network Access to disabled.
  5. Alternatively, select Enabled from selected virtual networks and IP addresses and ensure that the allowed networks and addresses are configured properly.

In Terraform -

  1. In the azurerm_storage_account_network_rules resource, set default_action to Deny.
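The following is an added example, not configuration from this policy page or the provider documentation. It places the non-compliant rule set beside the compliant one; resource names, the CIDR range and the subnet reference are constructed placeholders.

```hcl
# Constructed example resources for the network rules to attach to.
resource "azurerm_resource_group" "example" {
  name     = "rg-storage-example" # placeholder name
  location = "westeurope"
}

resource "azurerm_storage_account" "example" {
  name                     = "stexample0309" # placeholder; must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  # Do not also set an inline network_rules block here: the inline block and
  # the separate azurerm_storage_account_network_rules resource conflict.
}

# NON-COMPLIANT: default_action = "Allow" leaves the account reachable from
# any public network; ip_rules and subnet lists then restrict nothing.
resource "azurerm_storage_account_network_rules" "open" {
  storage_account_id = azurerm_storage_account.example.id
  default_action     = "Allow"
}

# COMPLIANT: deny by default, then add explicit exceptions.
resource "azurerm_storage_account_network_rules" "locked_down" {
  storage_account_id = azurerm_storage_account.example.id
  default_action     = "Deny"

  # Public IPv4 addresses or CIDR ranges that may reach the account.
  ip_rules = ["203.0.113.0/24"] # constructed documentation range

  # Subnets (with the Microsoft.Storage service endpoint) that may reach it.
  virtual_network_subnet_ids = [azurerm_subnet.example.id] # assumed subnet

  # Trusted Azure services (e.g. backup, monitoring) still get through.
  bypass = ["AzureServices"]
}
```

Only one of the two `azurerm_storage_account_network_rules` resources should exist per storage account; the `open` block is shown solely to contrast the setting this rule flags.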

References:
https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action

Policy Details

Rule Reference ID: AC_AZURE_0309
CSP: Azure
Remediation Available: Yes
Resource Category: Storage
Resource Type: Storage Accounts

Frameworks