Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access

Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To let these services work as intended, allow the set of trusted Microsoft services to bypass the network rules; they then use strong authentication to access the storage account. When the 'Allow trusted Microsoft services' exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription).

Risk Level: Low
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.NET.25
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

StorageAccount should have networkRuleSet.bypass regexMatch /.*AzureServices.*/

REMEDIATION

From Portal

  1. Sign in to Azure Management Console.
  2. Click on the name of the Azure Storage account that you want to reconfigure.
  3. In the navigation panel, under 'Security+networking', select 'Networking'.
  4. On the 'Firewalls and virtual networks' page, check that access is set to be allowed from 'Selected networks'.
  5. Now under Exceptions, select the 'Allow Azure services on the trusted services list to access this storage account' check box.
  6. Click Save to apply the changes.

From TF
Set the 'bypass' argument under 'network_rules' to 'AzureServices':

resource "azurerm_storage_account" "example" {
  # ... other storage account arguments ...
  network_rules {
    # ... other network_rules arguments ...
    bypass = ["AzureServices"]
    # ...
  }
  # ...
}

From Command Line
Run

az storage account update --resource-group MYRESOURCEGROUP --name MYSTORAGEACCOUNT --bypass AzureServices
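
The following is an added example (not CloudGuard's or Microsoft's code) that reproduces the GSL check above against the JSON shape returned by `az storage account show`, and builds the `--bypass` value for the command-line remediation. It assumes the `networkRuleSet.bypass` field is the comma-separated string ARM returns (e.g. "AzureServices, Logging, Metrics"); the account names and values are constructed, not real. Two practical points it encodes: the exception only matters once `defaultAction` is `Deny` (the portal only exposes it under 'Selected networks'), and `az storage account update --bypass` replaces the whole bypass list, so existing `Logging`/`Metrics` entries must be passed again or they are dropped.

```python
import json
import re

# Constructed sample data in the shape of `az storage account show` output,
# trimmed to the fields the rule looks at. These are not real accounts.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "stgcompliant",
   "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices, Logging, Metrics"}},
  {"name": "stgnobypass",
   "networkRuleSet": {"defaultAction": "Deny", "bypass": "None"}},
  {"name": "stgopen",
   "networkRuleSet": {"defaultAction": "Allow", "bypass": "None"}}
]
""")

# The GSL rule: networkRuleSet.bypass must regexMatch /.*AzureServices.*/
BYPASS_PATTERN = re.compile(r".*AzureServices.*")


def bypass_allows_azure_services(account: dict) -> bool:
    """Mirror of the GSL check: does the bypass value include AzureServices?"""
    rule_set = account.get("networkRuleSet") or {}
    bypass = rule_set.get("bypass") or ""
    # ARM returns a comma-separated string; tolerate a list (Terraform style) too.
    if isinstance(bypass, list):
        bypass = ",".join(bypass)
    return BYPASS_PATTERN.match(bypass) is not None


def evaluate(accounts):
    """Return {account name: {"status": "PASS"|"FAIL", "note": str}}.

    The note flags accounts whose defaultAction is not Deny: there the network
    rules are not enforced at all, so the trusted-services exception changes
    nothing until access is restricted to selected networks.
    """
    results = {}
    for acct in accounts:
        rule_set = acct.get("networkRuleSet") or {}
        default_action = rule_set.get("defaultAction", "Allow")
        note = ""
        if default_action != "Deny":
            note = ("defaultAction is %s: network rules are not enforced, so the "
                    "exception has no effect until default action is Deny" % default_action)
        results[acct["name"]] = {
            "status": "PASS" if bypass_allows_azure_services(acct) else "FAIL",
            "note": note,
        }
    return results


def merged_bypass_for_cli(current_bypass: str) -> str:
    """Build the value for `az storage account update --bypass`.

    The flag replaces the whole list (space-separated values), so any
    Logging/Metrics entries already present are kept. 'None' is dropped
    because it cannot be combined with other values.
    """
    current = [p.strip() for p in current_bypass.split(",") if p.strip()]
    keep = [p for p in current if p != "None"]
    if "AzureServices" not in keep:
        keep.insert(0, "AzureServices")
    return " ".join(keep)


if __name__ == "__main__":
    findings = evaluate(SAMPLE_ACCOUNTS)
    for acct in SAMPLE_ACCOUNTS:
        result = findings[acct["name"]]
        print("%-14s %s  %s" % (acct["name"], result["status"], result["note"]))
        if result["status"] == "FAIL":
            current = (acct.get("networkRuleSet") or {}).get("bypass", "")
            # MYRESOURCEGROUP is a placeholder, as in the remediation section above.
            print("  remediation: az storage account update --resource-group MYRESOURCEGROUP "
                  "--name %s --bypass %s" % (acct["name"], merged_bypass_for_cli(current)))
```

Running the script prints one line per account with PASS/FAIL and, for failing accounts, the exact `az` command to run with the merged bypass list; note that `stgopen` fails the rule but also carries the note that its network rules are not enforced, which is the finding a reviewer should act on first.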

References

  1. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#manage-exceptions
  2. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-cli#manage-exceptions
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset