Trusted Microsoft Services Not Enabled
- Query id: 1bc398a8-d274-47de-a4c8-6ac867b353de
- Query name: Trusted Microsoft Services Not Enabled
- Platform: Ansible
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description
When the firewall of an Azure Storage Account denies traffic by default (`network_acls.default_action: Deny`), the `bypass` field of `network_acls` in the `azure_rm_storageaccount` module must include `AzureServices`; otherwise the services on Microsoft's trusted-services list are blocked from the account along with everything else. The query flags tasks whose `bypass` is set explicitly without `AzureServices` (for example `Metrics`, `Metrics,Logging` or an empty string). A task that omits `bypass` altogether is not flagged, because the module's default for this field is `AzureServices`.
Documentation
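The check below is an added example, not KICS or Ansible project code: it walks a parsed playbook, finds `azure_rm_storageaccount` tasks (short or fully qualified module name) and reports every one whose `network_acls.bypass` is present but does not contain `AzureServices`. It treats a missing `bypass` as compliant on the assumption, taken from the module documentation and matching this page's negative samples, that the module defaults the field to `AzureServices`. The sample playbook is constructed to mirror the page's positive and negative samples; the helper `_account` and the `check_file` wrapper (which needs PyYAML) are this example's own.

```python
"""Added example (not KICS or Ansible project code): find azure_rm_storageaccount
tasks whose network_acls.bypass is set without AzureServices."""
from typing import Any, Dict, Iterator, List

# Short and fully qualified module names an Ansible task may use.
MODULE_NAMES = ("azure_rm_storageaccount", "azure.azcollection.azure_rm_storageaccount")
REQUIRED_BYPASS = "AzureServices"
# Keys under which tasks are nested inside plays and blocks.
TASK_CONTAINERS = ("pre_tasks", "tasks", "post_tasks", "handlers", "block", "rescue", "always")


def bypass_values(bypass: Any) -> List[str]:
    """Normalise the bypass setting. The module takes a comma-separated string
    such as "Metrics,Logging"; a YAML list is tolerated here as well. "", None
    and "None" all mean "bypass nothing" and give an empty list."""
    if bypass is None:
        return []
    if isinstance(bypass, str):
        raw = bypass.split(",")
    elif isinstance(bypass, (list, tuple)):
        raw = list(bypass)
    else:
        raw = [bypass]
    cleaned = [str(v).strip() for v in raw]
    return [v for v in cleaned if v and v.lower() != "none"]


def iter_tasks(node: Any) -> Iterator[Dict[str, Any]]:
    """Yield task dicts from a bare task list (as in the samples on this page)
    or from plays, descending through pre/post tasks, handlers and blocks."""
    if isinstance(node, list):
        for item in node:
            yield from iter_tasks(item)
    elif isinstance(node, dict):
        if any(key in node for key in TASK_CONTAINERS):
            for key in TASK_CONTAINERS:
                yield from iter_tasks(node.get(key, []))
        else:
            yield node


def find_findings(playbook: Any) -> List[Dict[str, Any]]:
    """Return one finding per storage-account task that sets bypass without
    AzureServices. A task with no bypass key is accepted: the module defaults
    the field to AzureServices (assumption from the module docs, mirrored by
    this page's second negative sample). Tasks with state: absent are skipped."""
    findings: List[Dict[str, Any]] = []
    for task in iter_tasks(playbook):
        for module in MODULE_NAMES:
            params = task.get(module)
            if not isinstance(params, dict) or params.get("state", "present") == "absent":
                continue
            acls = params.get("network_acls")
            if not isinstance(acls, dict) or "bypass" not in acls:
                continue
            if REQUIRED_BYPASS in bypass_values(acls["bypass"]):
                continue
            findings.append({
                "task": task.get("name", "<unnamed>"),
                "account": params.get("name"),
                "bypass": acls["bypass"],
                # With default_action Allow the bypass list is moot, but the
                # setting is still reported so it does not bite whoever later
                # flips the firewall to Deny.
                "default_action": acls.get("default_action", "Allow"),
            })
    return findings


def check_file(path: str) -> List[Dict[str, Any]]:
    """Run the check on a playbook on disk (needs PyYAML, imported lazily)."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return find_findings(yaml.safe_load(fh))


def _account(name: str, acls: Dict[str, Any],
             module: str = "azure_rm_storageaccount", **extra: Any) -> Dict[str, Any]:
    """Build a task dict shaped like the ones in this page's samples (constructed data)."""
    params = {"resource_group": "myResourceGroup", "name": name,
              "type": "Standard_RAGRS", "network_acls": acls, **extra}
    return {"name": f"configure {name}", module: params}


# Constructed playbook: the first three tasks mirror the page's positive samples,
# the next ones its negative samples, then a FQCN task and a deletion.
SAMPLE_PLAYBOOK = [
    _account("clh0002", {"bypass": "Metrics", "default_action": "Deny"}),
    _account("clh0003", {"default_action": "Deny", "bypass": "Metrics,Logging"}),
    _account("clh0004", {"default_action": "Deny", "bypass": ""}),
    _account("clh0005", {"bypass": "AzureServices,Metrics", "default_action": "Deny"}),
    _account("clh0006", {"default_action": "Deny"}),  # bypass omitted: module default applies
    _account("clh0007", {"default_action": "Deny", "bypass": "AzureServices"},
             module="azure.azcollection.azure_rm_storageaccount"),
    _account("clh0008", {"default_action": "Deny", "bypass": "Logging"}, state="absent"),
]

if __name__ == "__main__":
    for finding in find_findings(SAMPLE_PLAYBOOK):
        print(f"{finding['task']}: bypass={finding['bypass']!r} "
              f"(default_action={finding['default_action']})")
```

Running the block reports only clh0002, clh0003 and clh0004, the three accounts from the positive sample; `check_file("playbook.yml")` applies the same logic to a real playbook.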
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
- name: configure firewall and virtual networks
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    network_acls:
      bypass: Metrics            # AzureServices missing: trusted services are denied
      default_action: Deny
      virtual_network_rules:
        - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
          action: Allow
      ip_rules:
        - value: 1.2.3.4
          action: Allow
        - value: 123.234.123.0/24
          action: Allow
- name: configure firewall and virtual networks2
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0003
    type: Standard_RAGRS
    network_acls:
      default_action: Deny
      bypass: Metrics,Logging    # AzureServices missing
      virtual_network_rules:
        - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
          action: Allow
      ip_rules:
        - value: 1.2.3.4
          action: Allow
        - value: 123.234.123.0/24
          action: Allow
- name: configure firewall and virtual networks3
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0004
    type: Standard_RAGRS
    network_acls:
      default_action: Deny
      bypass: ""                 # explicitly bypass nothing
      virtual_network_rules:
        - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
          action: Allow
      ip_rules:
        - value: 1.2.3.4
          action: Allow
        - value: 123.234.123.0/24
          action: Allow
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
- name: configure firewall and virtual networks
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    network_acls:
      bypass: AzureServices,Metrics   # AzureServices present
      default_action: Deny
      virtual_network_rules:
        - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
          action: Allow
      ip_rules:
        - value: 1.2.3.4
          action: Allow
        - value: 123.234.123.0/24
          action: Allow
- name: configure firewall and virtual networks2
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0003
    type: Standard_RAGRS
    network_acls:
      default_action: Deny            # bypass omitted: the module default, AzureServices, applies
      virtual_network_rules:
        - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
          action: Allow
      ip_rules:
        - value: 1.2.3.4
          action: Allow
        - value: 123.234.123.0/24
          action: Allow
- name: configure firewall and virtual networks3
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0004
    type: Standard_RAGRS
    network_acls:
      default_action: Deny
      bypass: AzureServices           # AzureServices present
      virtual_network_rules:
        - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
          action: Allow
      ip_rules:
        - value: 1.2.3.4
          action: Allow
        - value: 123.234.123.0/24
          action: Allow
```