Ensure Default Network Access Rule for Storage Accounts is Set to Deny

By default, a storage account accepts connections from clients on any network, so the network rule set adds a security boundary only once its default action is changed. Setting the default action to Deny restricts access to the virtual networks and IP address ranges that are explicitly allowed.

Risk Level: High
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.NET.24
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

StorageAccount should not have publicNetworkAccessAsDisplayedInPortal ='Enabled from all networks'

REMEDIATION

From Portal

  1. Sign in to the Azure portal (https://portal.azure.com/).
  2. Go to the storage account you want to secure.
  3. Locate the Networking settings under Security + networking.
  4. Select 'Enabled from selected virtual networks and IP addresses'.
  5. Select Save to apply your changes.

From TF

resource "azurerm_storage_account_network_rules" "example" {
  # azurerm provider v3+ identifies the account by id (storage_account_name is the legacy argument)
  storage_account_id = azurerm_storage_account.example.id

  # Deny everything that is not explicitly allowed via ip_rules / virtual_network_subnet_ids
  default_action = "Deny"
}

From CLI

az storage account update --name StorageAccountName --resource-group ResourceGroupName --default-action Deny
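To check the GSL logic above against a subscription without a CloudGuard tenant, the following added example (not CloudGuard's code) evaluates the rule over the JSON that `az storage account list` returns. It assumes that the portal label 'Enabled from all networks' corresponds to publicNetworkAccess = Enabled combined with networkRuleSet.defaultAction = Allow; the account names and addresses are constructed.

```python
"""Offline evaluation of CloudGuard rule D9.AZU.NET.24 over storage account JSON.

Assumption: the portal's 'Public network access' label is derived from the ARM
properties publicNetworkAccess and networkRuleSet.defaultAction as coded below.
"""
import json


def portal_network_access(account: dict) -> str:
    """Map ARM properties to the label the portal shows under Networking."""
    if account.get("publicNetworkAccess", "Enabled") == "Disabled":
        return "Disabled"
    rules = account.get("networkRuleSet") or {}
    # A missing rule set is treated as Allow: the platform default is open.
    if rules.get("defaultAction", "Allow") == "Allow":
        return "Enabled from all networks"
    return "Enabled from selected virtual networks and IP addresses"


def is_compliant(account: dict) -> bool:
    """GSL: StorageAccount should not have
    publicNetworkAccessAsDisplayedInPortal = 'Enabled from all networks'."""
    return portal_network_access(account) != "Enabled from all networks"


def find_noncompliant(accounts: list) -> list:
    """Return the names of accounts whose default network action is not Deny."""
    return [a["name"] for a in accounts if not is_compliant(a)]


# Constructed sample shaped like trimmed `az storage account list` output.
SAMPLE_ACCOUNTS = json.loads("""[
  {"name": "stopen", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices"}},
  {"name": "stselected", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Deny",
                      "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}]}},
  {"name": "stprivate", "publicNetworkAccess": "Disabled",
   "networkRuleSet": {"defaultAction": "Deny"}},
  {"name": "stlegacy"}
]""")

if __name__ == "__main__":
    for name in find_noncompliant(SAMPLE_ACCOUNTS):
        print(f"NON-COMPLIANT: {name} -> set default action to Deny")
```

Pipe real output in with `az storage account list -o json` and load it in place of SAMPLE_ACCOUNTS to get the same finding list for a subscription.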

References

  1. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal
  2. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-cli
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset
  • Microsoft Cloud Security Benchmark