Do not put the storage account access as public

ID

azure_access_control_storage_account

Severity

critical

Vendor

Azure

Resource

Network

Tags

asvs50-v13.1.1, reachable

Description

Do not leave the storage account's network access open to the public. By default, the Firewall and virtual network settings of a storage account allow traffic from all networks (network_acls.default_action=Allow), so the only thing standing between the internet and the data is an access key or SAS token. Set default_action to Deny and allow only the virtual network subnets and public IP ranges that need access; use bypass so trusted Azure services (and metrics/logging) keep working.

Learn more about this topic at Azure network acls.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create an account with kind of FileStorage
      azure_rm_storageaccount:
        resource_group: myResourceGroup
        name: c1h0002
        type: Premium_LRS
        kind: FileStorage
        tags:
          testing: testing
        # network_acls is not set, so Azure applies default_action: Allow
        # and the account is reachable from every network

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create an account with kind of FileStorage
      azure_rm_storageaccount:
        resource_group: myResourceGroup
        name: c1h0002
        type: Premium_LRS
        kind: FileStorage
        tags:
          testing: testing
        network_acls:
          # keep trusted Azure services and metrics working despite the Deny below
          bypass: AzureServices,Metrics
          # deny everything that is not explicitly allowed by the rules below
          default_action: Deny
          # subnets allowed to reach the account (service endpoint for Microsoft.Storage required)
          virtual_network_rules:
            - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
              action: Allow
          # public IPv4 addresses or CIDR ranges allowed to reach the account
          ip_rules:
            - value: 1.2.3.4
              action: Allow
            - value: 123.234.123.0/24
              action: Allow
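The check this rule performs can be reproduced with a small Python linter that walks a parsed Ansible playbook and flags every azure_rm_storageaccount task whose network_acls.default_action is not Deny. This is an added example written for this page, not the scanner's own code: it takes the playbook already parsed into Python structures (the shape PyYAML's safe_load would return, so nothing has to be installed), and the two embedded playbooks are constructed copies of the Examples and Mitigation / Fix sections above. The function names and the handling of block/rescue/always nesting and of the fully qualified module name are assumptions of this example.

```python
"""Flag azure_rm_storageaccount tasks that leave network access public.

Rule: a storage account is non-compliant unless network_acls.default_action
is Deny. Playbooks are passed in already parsed (the structure PyYAML's
safe_load returns), so this example runs offline with no dependencies.
"""

# Both the short and the fully qualified module name are accepted (assumption).
MODULE_NAMES = {
    "azure_rm_storageaccount",
    "azure.azcollection.azure_rm_storageaccount",
}


def iter_tasks(items):
    """Yield every task dict, descending into block/rescue/always sections."""
    for item in items or []:
        if not isinstance(item, dict):
            continue
        nested = False
        for key in ("block", "rescue", "always"):
            if key in item:
                nested = True
                yield from iter_tasks(item[key])
        if not nested:
            yield item


def storage_account_params(task):
    """Return the module parameters if the task manages a storage account, else None."""
    for name in MODULE_NAMES:
        if name in task:
            params = task[name]
            return params if isinstance(params, dict) else {}
    return None


def network_acl_findings(params):
    """Return the reasons a task violates the rule (empty list means compliant)."""
    if params.get("state", "present") == "absent":
        return []  # deleting an account cannot expose it
    acls = params.get("network_acls")
    if not isinstance(acls, dict):
        return ["network_acls not set: Azure defaults default_action to Allow (all networks)"]
    action = str(acls.get("default_action", "Allow"))
    if action.lower() != "deny":
        return [f"network_acls.default_action is {action!r}, expected 'Deny'"]
    return []


def check_playbook(plays):
    """Run the rule over a parsed playbook; returns (task name, reason) pairs."""
    findings = []
    for play in plays or []:
        if not isinstance(play, dict):
            continue
        for key in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task in iter_tasks(play.get(key)):
                params = storage_account_params(task)
                if params is None:
                    continue
                for reason in network_acl_findings(params):
                    findings.append((task.get("name", "<unnamed>"), reason))
    return findings


# Constructed input: the page's insecure playbook, as PyYAML would parse it.
INSECURE_PLAYBOOK = [{
    "name": "Example playbook",
    "hosts": "localhost",
    "tasks": [{
        "name": "Create an account with kind of FileStorage",
        "azure_rm_storageaccount": {
            "resource_group": "myResourceGroup",
            "name": "c1h0002",
            "type": "Premium_LRS",
            "kind": "FileStorage",
            "tags": {"testing": "testing"},
        },
    }],
}]

# Constructed input: the page's fixed playbook, using the fully qualified module name.
FIXED_PLAYBOOK = [{
    "name": "Example playbook",
    "hosts": "localhost",
    "tasks": [{
        "name": "Create an account with kind of FileStorage",
        "azure.azcollection.azure_rm_storageaccount": {
            "resource_group": "myResourceGroup",
            "name": "c1h0002",
            "type": "Premium_LRS",
            "kind": "FileStorage",
            "network_acls": {
                "bypass": "AzureServices,Metrics",
                "default_action": "Deny",
                "virtual_network_rules": [{"id": "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet", "action": "Allow"}],
                "ip_rules": [{"value": "1.2.3.4", "action": "Allow"},
                             {"value": "123.234.123.0/24", "action": "Allow"}],
            },
        },
    }],
}]

if __name__ == "__main__":
    for label, plays in (("insecure", INSECURE_PLAYBOOK), ("fixed", FIXED_PLAYBOOK)):
        print(label, check_playbook(plays))
```

The check treats a missing network_acls block the same as an explicit default_action: Allow, because that is what Azure applies; a task with state: absent is skipped since it removes the account rather than exposing it.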