Trusted Microsoft Services should be enabled for Storage Account access

ID: azure_bypass_storage_account

Severity: high

Vendor: Azure

Resource: Network

Tags: reachable

Description

Trusted Microsoft services should be enabled for Storage Account access. When the account's firewall is configured through network_acls, use the network_acls.bypass setting to specify which trusted Microsoft services are still allowed to reach the account.

Learn more about this topic at Azure Storage Account configuration

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: configure firewall and virtual networks
      azure_rm_storageaccount:
        resource_group: myResourceGroup
        name: clh0002
        type: Standard_RAGRS
        network_acls:
          bypass: ""
          default_action: Deny
          virtual_network_rules:
            - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
              action: Allow
          ip_rules:
            - value: 1.2.3.4
              action: Allow
            - value: 123.234.123.0/24
              action: Allow

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: configure firewall and virtual networks
      azure_rm_storageaccount:
        resource_group: myResourceGroup
        name: clh0002
        type: Standard_RAGRS
        network_acls:
          bypass: AzureServices,Metrics
          default_action: Deny
          virtual_network_rules:
            - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
              action: Allow
          ip_rules:
            - value: 1.2.3.4
              action: Allow
            - value: 123.234.123.0/24
              action: Allow
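As an added example (not part of this rule page or of any scanner's own code), the following checker applies the rule above to a parsed Ansible playbook, i.e. the structure yaml.safe_load() returns. The module names, the handling of bypass as either a comma-separated string or a list, and the sample tasks are assumptions constructed from the two playbooks on this page.

```python
# Minimal detector for azure_bypass_storage_account: flag any
# azure_rm_storageaccount task whose network_acls.bypass does not include
# AzureServices. Module names (short and collection-qualified) are assumed.
STORAGE_MODULES = {"azure_rm_storageaccount",
                   "azure.azcollection.azure_rm_storageaccount"}

def bypass_entries(value):
    """Normalise network_acls.bypass, which may be a comma-separated string
    such as "AzureServices,Metrics", a list, None, or the literal "None"."""
    if value is None:
        return set()
    if isinstance(value, str):
        value = value.split(",")
    return {v.strip() for v in value if v and v.strip().lower() != "none"}

def check_task(task):
    """Return a finding string for a storage account task whose firewall
    (network_acls) does not bypass trusted Azure services, else None."""
    module = next((m for m in STORAGE_MODULES if m in task), None)
    if module is None:
        return None
    acls = task[module].get("network_acls")
    if not acls:  # no firewall configured: the rule does not apply
        return None
    if "AzureServices" in bypass_entries(acls.get("bypass")):
        return None
    return (f"{task.get('name', '<unnamed>')}: network_acls.bypass does not "
            f"include AzureServices (default_action={acls.get('default_action')})")

def check_playbook(plays):
    """Walk every play and task (one level of block:) and collect findings."""
    findings = []
    for play in plays:
        for task in play.get("tasks", []):
            for inner in task.get("block", [task]):
                finding = check_task(inner)
                if finding:
                    findings.append(finding)
    return findings

# Constructed sample: the vulnerable and the fixed task from this page.
PLAYBOOK = [{"name": "Example playbook", "hosts": "localhost", "tasks": [
    {"name": "vulnerable", "azure_rm_storageaccount": {"name": "clh0002",
        "network_acls": {"bypass": "", "default_action": "Deny"}}},
    {"name": "fixed", "azure_rm_storageaccount": {"name": "clh0002",
        "network_acls": {"bypass": "AzureServices,Metrics", "default_action": "Deny"}}},
]}]

if __name__ == "__main__":
    for line in check_playbook(PLAYBOOK):
        print(line)
```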