Ensure default network access rule for Storage Accounts is set to deny

Restricting default network access adds a layer of defence: by default a storage account's endpoints accept connections from clients on any network, including the public internet, and only authentication stands between an attacker and the data. To limit access to selected virtual networks and IP ranges, the default action must be changed to Deny and the permitted networks listed explicitly. A storage account with no network_rules block at all keeps the Azure default of Allow and is therefore non-compliant with this rule.

Risk Level: High
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.TF.AZU.NET.01
Covered by Spectral: No
Category: Storage

GSL LOGIC

azurerm_storage_account should have network_rules.default_action='Deny'

REMEDIATION

From TF
Set the 'default_action' argument under 'network_rules' to 'Deny':

resource "azurerm_storage_account" "example" {
  ..
  network_rules {
    ..
    default_action = "Deny"
    ..
  }
  ..
}
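The following is an added example and not part of the CloudGuard rule text or the azurerm provider documentation. It puts a non-compliant account (no network_rules block, so Azure's default of Allow applies) next to a remediated one, and shows the rules a practitioner normally has to add alongside default_action = "Deny" to avoid locking out their own pipeline and trusted Azure services. All resource names, the 203.0.113.0/24 range and the subnet layout are placeholders.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
}

# Placeholder resource group and network (not from the original page).
resource "azurerm_resource_group" "example" {
  name     = "rg-storage-netrules-example"
  location = "westeurope"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  address_space       = ["10.10.0.0/16"]
}

# The subnet needs the Microsoft.Storage service endpoint, otherwise a
# virtual_network_subnet_ids rule referencing it has no effect.
resource "azurerm_subnet" "example" {
  name                 = "snet-app"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.10.1.0/24"]
  service_endpoints    = ["Microsoft.Storage"]
}

# NON-COMPLIANT: no network_rules block, so the Azure default (Allow) applies
# and the account's endpoints are reachable from every network.
resource "azurerm_storage_account" "open" {
  name                     = "stexampleopen0001" # placeholder, must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# COMPLIANT: deny by default, then allow only what the workload needs.
resource "azurerm_storage_account" "locked" {
  name                     = "stexamplelocked0001" # placeholder, must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action = "Deny"

    # Trusted Microsoft services (backup, Event Grid, etc.) and the
    # account's own logging/metrics may still pass the firewall.
    # Use ["None"] if none of these integrations are in use.
    bypass = ["AzureServices", "Logging", "Metrics"]

    # Public IPv4 addresses or CIDR ranges allowed through the firewall.
    # Include the egress address of the CI runner that applies this
    # Terraform, or subsequent applies will be blocked too.
    ip_rules = ["203.0.113.0/24"] # TEST-NET-3 placeholder, not a real client

    # Subnets allowed in over a Microsoft.Storage service endpoint.
    virtual_network_subnet_ids = [azurerm_subnet.example.id]
  }
}
```

Two points worth keeping in mind when applying this. First, the inline network_rules block and the separate azurerm_storage_account_network_rules resource manage the same setting; use one or the other for a given account, not both, or the two will fight over the rule set on every apply. Second, the resulting state can be confirmed outside Terraform with `az storage account show -n <name> -g <resource-group> --query networkRuleSet.defaultAction`, which should return "Deny" for the remediated account.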

References:

  1. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#default_action

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner, in the sense that every request must be authorized; the network path to the account, however, is open to all networks until the default network rule is changed to Deny.

Compliance Frameworks

  • Azure Terraform Ruleset