# Default Azure Storage Account Network Access Is Too Permissive
- Query id: d855ced8-6157-448f-9f1d-f05a41d046f7
- Query name: Default Azure Storage Account Network Access Is Too Permissive
- Platform: AzureResourceManager
- Severity: Medium
- Category: Access Control
- URL: Github
## Description

Make sure that network access to your Azure Storage Account is limited to those who require it. A storage account whose `networkAcls.defaultAction` is `Allow`, whose `publicNetworkAccess` is `Enabled`, or which leaves both unset keeps the default of accepting traffic from all networks; restrict it by setting `networkAcls.defaultAction` to `Deny` or `publicNetworkAccess` to `Disabled`.
Documentation
## Code samples

### Code samples with security vulnerabilities
Positive test num. 1 - json file

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "apiVersion": "[variables('storageApiVersion')]",
      "dependsOn": [],
      "kind": "Storage",
      "location": "[variables('computeLocation')]",
      "name": "positive1",
      "properties": {
        "networkAcls": {
          "defaultAction": "Allow"
        }
      },
      "sku": {
        "name": "[parameters('supportLogStorageAccountType')]"
      },
      "tags": {},
      "type": "Microsoft.Storage/storageAccounts"
    }
  ]
}
```
Positive test num. 2 - json file

```json
{
  "document": [
    {
      "resources": [
        {
          "apiVersion": "[variables('storageApiVersion')]",
          "dependsOn": [],
          "kind": "Storage",
          "location": "[variables('computeLocation')]",
          "name": "positive2",
          "properties": {},
          "sku": {
            "name": "[parameters('supportLogStorageAccountType')]"
          },
          "tags": {},
          "type": "Microsoft.Storage/storageAccounts"
        }
      ]
    }
  ]
}
```
Positive test num. 3 - json file

```json
{
  "document": [
    {
      "resources": [
        {
          "apiVersion": "[variables('storageApiVersion')]",
          "dependsOn": [],
          "kind": "Storage",
          "location": "[variables('computeLocation')]",
          "name": "positive3",
          "properties": {
            "publicNetworkAccess": "Enabled"
          },
          "sku": {
            "name": "[parameters('supportLogStorageAccountType')]"
          },
          "tags": {},
          "type": "Microsoft.Storage/storageAccounts"
        }
      ]
    }
  ]
}
```
### Code samples without security vulnerabilities
Negative test num. 1 - json file

```json
{
  "document": [
    {
      "resources": [
        {
          "apiVersion": "[variables('storageApiVersion')]",
          "dependsOn": [],
          "kind": "Storage",
          "location": "[variables('computeLocation')]",
          "name": "negative1",
          "properties": {
            "publicNetworkAccess": "Disabled"
          },
          "sku": {
            "name": "[parameters('supportLogStorageAccountType')]"
          },
          "tags": {},
          "type": "Microsoft.Storage/storageAccounts"
        }
      ]
    }
  ]
}
```
Negative test num. 2 - json file

```json
{
  "document": [
    {
      "resources": [
        {
          "apiVersion": "[variables('storageApiVersion')]",
          "dependsOn": [],
          "kind": "Storage",
          "location": "[variables('computeLocation')]",
          "name": "negative2",
          "properties": {
            "networkAcls": {
              "defaultAction": "Deny"
            }
          },
          "sku": {
            "name": "[parameters('supportLogStorageAccountType')]"
          },
          "tags": {},
          "type": "Microsoft.Storage/storageAccounts"
        }
      ]
    }
  ]
}
```
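The following is an added example, not the KICS query itself: a small Python check that applies the rule the positive and negative samples above illustrate (a storage account is compliant only when `publicNetworkAccess` is `Disabled` or `networkAcls.defaultAction` is `Deny`) to an ARM template, handling both a raw template and the `{"document": [...]}` wrapper the samples use. The compliance rule and the sample template are assumptions inferred from this page.

```python
"""Added example (not the KICS query): flag ARM storage accounts with unrestricted network access."""
import json

STORAGE_TYPE = "Microsoft.Storage/storageAccounts"


def _resources(doc):
    """Yield resources from a raw ARM template or from the {"document": [...]}
    wrapper seen in the samples above (assumption: either shape may appear)."""
    for inner in doc.get("document", []):
        yield from _resources(inner)
    yield from doc.get("resources", [])


def is_restricted(props):
    """Compliant when public network access is disabled or the network ACL
    default action is Deny (rule inferred from the samples; an assumption)."""
    public = str(props.get("publicNetworkAccess", "")).casefold()
    acls = props.get("networkAcls") or {}
    return public == "disabled" or str(acls.get("defaultAction", "")).casefold() == "deny"


def find_permissive_storage(template_text):
    """Return names of storage accounts whose network access is too permissive:
    explicit Allow / Enabled, or no restriction configured at all."""
    doc = json.loads(template_text)
    return [
        res.get("name", "<unnamed>")
        for res in _resources(doc)
        if res.get("type") == STORAGE_TYPE
        and not is_restricted(res.get("properties") or {})
    ]


# Constructed sample: one explicit Allow, one unrestricted, two locked down, one non-storage.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": STORAGE_TYPE, "name": "allowall",
         "properties": {"networkAcls": {"defaultAction": "Allow"}}},
        {"type": STORAGE_TYPE, "name": "unspecified", "properties": {}},
        {"type": STORAGE_TYPE, "name": "denydefault",
         "properties": {"networkAcls": {"defaultAction": "Deny"}}},
        {"type": STORAGE_TYPE, "name": "nopublic",
         "properties": {"publicNetworkAccess": "Disabled"}},
        {"type": "Microsoft.Compute/virtualMachines", "name": "vm", "properties": {}},
    ]
})

if __name__ == "__main__":
    print(find_permissive_storage(SAMPLE_TEMPLATE))  # ['allowall', 'unspecified']
```

Accounts that set neither property are reported as well, since they keep the permissive default that gives the rule its name.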