Default Azure Storage Account Network Access Is Too Permissive

  • Query id: ca4df748-613a-4fbf-9c76-f02cbd580307
  • Query name: Default Azure Storage Account Network Access Is Too Permissive
  • Platform: Ansible
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

Make sure that network access to your Azure Storage Account is limited to those who require it. The service default allows access from any network, so the task should set `public_network_access: Disabled` or `network_acls.default_action: Deny`; a task that sets neither, or that explicitly sets `public_network_access: Enabled` or `default_action: Allow`, is flagged.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

---
- name: create an account
  azure.azcollection.azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    tags:
      testing: testing
      delete: on-exit
    public_network_access: Enabled

Positive test num. 2 - yaml file

---
- name: create an account
  azure.azcollection.azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    tags:
      testing: testing
      delete: on-exit

Positive test num. 3 - yaml file

---
- name: create an account
  azure.azcollection.azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    tags:
      testing: testing
      delete: on-exit
    network_acls:
      default_action: Allow

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

---
- name: create an account
  azure.azcollection.azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    tags:
      testing: testing
      delete: on-exit
    network_acls:
      default_action: Deny

Negative test num. 2 - yaml file

---
- name: create an account
  azure.azcollection.azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    tags:
      testing: testing
      delete: on-exit
    public_network_access: Disabled
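As an added example (not the KICS query's own Rego and not code from azure.azcollection), the check below applies this page's rule to parsed Ansible tasks, i.e. the list that `yaml.safe_load` returns for a play file. It also accepts the module's short name `azure_rm_storageaccount`, which the samples above do not use, and the sample tasks embedded in it are constructed to mirror Positive test 2 and Negative test 1.

```python
# Added checker mirroring the query's rule; assumes a flat list of task dicts.
MODULE_NAMES = {
    "azure.azcollection.azure_rm_storageaccount",
    "azure_rm_storageaccount",  # short name when the collection is declared via `collections:`
}

def storage_account_too_permissive(params):
    """True when the task leaves the account reachable from any network.

    A task passes only if it sets public_network_access: Disabled or
    network_acls.default_action: Deny. Missing keys are treated as the
    permissive service defaults (Enabled / Allow), as the page's Positive test 2 does.
    """
    public_access = params.get("public_network_access", "Enabled")
    acls = params.get("network_acls") or {}
    default_action = acls.get("default_action", "Allow")
    return not (public_access == "Disabled" or default_action == "Deny")

def findings(tasks):
    """Names of storage-account tasks in a flat task list that fail the rule.

    Only top-level tasks are inspected; tasks nested under block/rescue/always
    or included from roles are not descended into.
    """
    flagged = []
    for task in tasks:
        if not isinstance(task, dict):
            continue
        for key, params in task.items():
            if key in MODULE_NAMES and isinstance(params, dict):
                if storage_account_too_permissive(params):
                    flagged.append(task.get("name", "<unnamed task>"))
    return flagged

def load_tasks(path):
    """Parse a play file with PyYAML (imported lazily so the rest runs without it)."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or []

# Constructed sample tasks: the first sets no network options, the second denies by default.
SAMPLE_TASKS = [
    {"name": "create an account (no network settings)",
     "azure.azcollection.azure_rm_storageaccount": {
         "resource_group": "myResourceGroup", "name": "clh0002", "type": "Standard_RAGRS"}},
    {"name": "create an account (deny by default)",
     "azure.azcollection.azure_rm_storageaccount": {
         "resource_group": "myResourceGroup", "name": "clh0002", "type": "Standard_RAGRS",
         "network_acls": {"default_action": "Deny"}}},
]

if __name__ == "__main__":
    for name in findings(SAMPLE_TASKS):
        print(f"FLAGGED: {name}")  # only the first sample task is reported
```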