Public Storage Account

  • Query id: 35e2f133-a395-40de-a79d-b260d973d1bd
  • Query name: Public Storage Account
  • Platform: Ansible
  • Severity: High
  • Category: Access Control
  • URL: Github

Description

Storage accounts should not be reachable from every network: the network ACLs should deny by default and allow only the specific addresses and services that need access, in keeping with the principle of least privilege.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: configure firewall and virtual networks
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    network_acls:
      bypass: AzureServices,Metrics
      default_action: Deny
      ip_rules:
        - value: 0.0.0.0/0
          action: Allow
- name: configure firewall and more virtual networks
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0003
    type: Standard_RAGRS
    network_acls:
      bypass: AzureServices,Metrics
      default_action: Allow

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: configure firewall and virtual networks
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    network_acls:
      bypass: AzureServices,Metrics
      default_action: Deny
      ip_rules:
      - value: 1.2.3.4
        action: Allow
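Added example, not part of the KICS query or the Ansible module: a Python check over already-loaded playbook tasks that flags the two patterns the positive samples show (network_acls.default_action set to Allow, and an ip_rules entry that allows 0.0.0.0/0, generalized here to any zero-length prefix including ::/0). Assumptions: the fully qualified module name azure.azcollection.azure_rm_storageaccount is matched alongside the short name, a rule with no explicit action is treated as Allow, and the sample tasks are constructed copies of this page's samples.

```python
import ipaddress

# Both the short and the fully qualified module name appear in playbooks.
STORAGE_MODULES = ("azure_rm_storageaccount", "azure.azcollection.azure_rm_storageaccount")


def allows_any_network(value):
    """True when an IP or CIDR string covers every address (prefix length 0)."""
    try:
        return ipaddress.ip_network(str(value).strip(), strict=False).prefixlen == 0
    except ValueError:
        return False


def public_storage_findings(tasks):
    """Return (task name, reason) pairs for storage-account tasks open to all networks."""
    findings = []
    for task in tasks:  # tasks as loaded from the playbook, e.g. with yaml.safe_load
        params = next((task[m] for m in STORAGE_MODULES if m in task), None)
        acls = params.get("network_acls") if isinstance(params, dict) else None
        if not isinstance(acls, dict):
            continue  # not a storage-account task, or no explicit ACL block
        name = task.get("name", "<unnamed>")
        if str(acls.get("default_action", "")).lower() == "allow":
            findings.append((name, "network_acls.default_action is Allow"))
        for rule in acls.get("ip_rules") or []:
            if not isinstance(rule, dict):
                continue
            # Assumption: an ip_rule with no explicit action behaves as Allow.
            action = str(rule.get("action", "Allow")).lower()
            if action == "allow" and allows_any_network(rule.get("value", "")):
                findings.append((name, f"ip_rules allows {rule['value']}"))
    return findings


# Constructed input mirroring the page's samples: two positive tasks and the negative one.
ACL = {"bypass": "AzureServices,Metrics", "default_action": "Deny"}
VULNERABLE_TASKS = [
    {"name": "configure firewall and virtual networks", "azure_rm_storageaccount": {
        "resource_group": "myResourceGroup", "name": "clh0002", "type": "Standard_RAGRS",
        "network_acls": {**ACL, "ip_rules": [{"value": "0.0.0.0/0", "action": "Allow"}]}}},
    {"name": "configure firewall and more virtual networks", "azure_rm_storageaccount": {
        "resource_group": "myResourceGroup", "name": "clh0003", "type": "Standard_RAGRS",
        "network_acls": {**ACL, "default_action": "Allow"}}},
]
SAFE_TASKS = [
    {"name": "configure firewall and virtual networks", "azure_rm_storageaccount": {
        "resource_group": "myResourceGroup", "name": "clh0002", "type": "Standard_RAGRS",
        "network_acls": {**ACL, "ip_rules": [{"value": "1.2.3.4", "action": "Allow"}]}}},
]
```

Running public_storage_findings(VULNERABLE_TASKS) reports both positive tasks, while the negative task yields no findings.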