Do not set the storage account network access to public

ID

azure_access_control_storage_account

Severity

critical

Vendor

Azure

Resource

Network

Tags

reachable

Description

Do not set the storage account network access to public. By default, the Firewall and virtual network settings of a storage account allow access from any network (network_acls.default_action=Allow), so an account created without an explicit network_acls block is reachable from the public internet.

Learn more about this topic at Azure network acls.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create an account with kind of FileStorage
      azure_rm_storageaccount:
        resource_group: myResourceGroup
        name: c1h0002
        type: Premium_LRS
        kind: FileStorage
        tags:
          testing: testing
        # network_acls is omitted, so the account keeps Azure's default of
        # default_action=Allow and is reachable from any public IP address.

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create an account with kind of FileStorage
      azure_rm_storageaccount:
        resource_group: myResourceGroup
        name: c1h0002
        type: Premium_LRS
        kind: FileStorage
        tags:
          testing: testing
        network_acls:
          # Trusted Azure services and metrics traffic may still bypass the firewall.
          bypass: AzureServices,Metrics
          # Deny everything that is not explicitly allowed by the rules below.
          default_action: Deny
          # Allow only the named subnet ...
          virtual_network_rules:
            - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
              action: Allow
          # ... and these public IP addresses / ranges.
          ip_rules:
            - value: 1.2.3.4
              action: Allow
            - value: 123.234.123.0/24
              action: Allow
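The check this rule performs, written out as an added example (not the scanner's own code): it walks a parsed Ansible playbook, the list of plays that yaml.safe_load would return, and reports every azure_rm_storageaccount task whose network_acls block is missing or whose default_action is not Deny. The two embedded playbooks are constructed copies of the Examples and Mitigation / Fix blocks above.

```python
"""Checker for rule azure_access_control_storage_account (added example).

Reports azure_rm_storageaccount tasks that leave network access public:
network_acls missing (Azure default is default_action=Allow) or
default_action set to anything other than Deny.
"""

RULE_ID = "azure_access_control_storage_account"
# Short module name used on this page plus the fully-qualified collection name.
MODULE_NAMES = ("azure_rm_storageaccount", "azure.azcollection.azure_rm_storageaccount")


def find_public_storage_accounts(playbook):
    """Return a list of findings, one per offending task."""
    findings = []
    for play in playbook:
        for task in play.get("tasks") or []:
            module = next((m for m in MODULE_NAMES if m in task), None)
            if module is None:
                continue
            params = task.get(module) or {}
            acls = params.get("network_acls")
            if not acls:
                reason = "network_acls not set (Azure default: default_action=Allow)"
            elif str(acls.get("default_action", "Allow")).lower() != "deny":
                reason = "network_acls.default_action=%s" % acls.get("default_action", "Allow")
            else:
                continue  # default_action: Deny -> compliant
            findings.append({"rule": RULE_ID, "task": task.get("name", "<unnamed>"),
                             "account": params.get("name"), "reason": reason})
    return findings


# Constructed inputs mirroring the page's Examples and Mitigation / Fix playbooks.
BASE_PARAMS = {"resource_group": "myResourceGroup", "name": "c1h0002",
               "type": "Premium_LRS", "kind": "FileStorage", "tags": {"testing": "testing"}}
VULNERABLE_PLAYBOOK = [{"name": "Example playbook", "hosts": "localhost", "tasks": [
    {"name": "Create an account with kind of FileStorage",
     "azure_rm_storageaccount": dict(BASE_PARAMS)}]}]
FIXED_PLAYBOOK = [{"name": "Example playbook", "hosts": "localhost", "tasks": [
    {"name": "Create an account with kind of FileStorage",
     "azure_rm_storageaccount": dict(BASE_PARAMS, network_acls={
         "bypass": "AzureServices,Metrics", "default_action": "Deny",
         "virtual_network_rules": [{"id": "/subscriptions/mySubscriptionId/resourceGroups/"
                                    "myResourceGroup/providers/Microsoft.Network/virtualNetworks/"
                                    "myVnet/subnets/mySubnet", "action": "Allow"}],
         "ip_rules": [{"value": "1.2.3.4", "action": "Allow"},
                      {"value": "123.234.123.0/24", "action": "Allow"}]})}]}]

if __name__ == "__main__":
    for label, pb in (("Examples", VULNERABLE_PLAYBOOK), ("Mitigation / Fix", FIXED_PLAYBOOK)):
        print(label, "->", find_public_storage_accounts(pb) or "no findings")
```

An explicit `default_action: Allow` is flagged the same way as a missing block, since both leave the account publicly reachable.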