Default Azure Storage Account Network Access Is Too Permissive

  • Query id: d855ced8-6157-448f-9f1d-f05a41d046f7
  • Query name: Default Azure Storage Account Network Access Is Too Permissive
  • Platform: AzureResourceManager
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

Azure Storage Accounts accept connections from all networks unless access is explicitly restricted. Make sure that network access to your Azure Storage Account is limited to those who require it, either by setting publicNetworkAccess to Disabled or by setting networkAcls.defaultAction to Deny.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - json file
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "apiVersion": "[variables('storageApiVersion')]",
            "dependsOn": [],
            "kind": "Storage",
            "location": "[variables('computeLocation')]",
            "name": "positive1",
            "properties": {
                "networkAcls": {
                    "defaultAction": "Allow"
                }
            },
            "sku": {
                "name": "[parameters('supportLogStorageAccountType')]"
            },
            "tags": {},
            "type": "Microsoft.Storage/storageAccounts"
        }
    ]
}
Positive test num. 2 - json file
{
    "document": [
        {
            "resources": [
                {
                    "apiVersion": "[variables('storageApiVersion')]",
                    "dependsOn": [],
                    "kind": "Storage",
                    "location": "[variables('computeLocation')]",
                    "name": "positive2",
                    "properties": {},
                    "sku": {
                        "name": "[parameters('supportLogStorageAccountType')]"
                    },
                    "tags": {},
                    "type": "Microsoft.Storage/storageAccounts"
                }
            ]
        }
    ]
}
Positive test num. 3 - json file
{
    "document": [
        {
            "resources": [
                {
                    "apiVersion": "[variables('storageApiVersion')]",
                    "dependsOn": [],
                    "kind": "Storage",
                    "location": "[variables('computeLocation')]",
                    "name": "positive3",
                    "properties": {
                        "publicNetworkAccess": "Enabled"
                    },
                    "sku": {
                        "name": "[parameters('supportLogStorageAccountType')]"
                    },
                    "tags": {},
                    "type": "Microsoft.Storage/storageAccounts"
                }
            ]
        }
    ]
}

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
    "document": [
        {
            "resources": [
                {
                    "apiVersion": "[variables('storageApiVersion')]",
                    "dependsOn": [],
                    "kind": "Storage",
                    "location": "[variables('computeLocation')]",
                    "name": "negative1",
                    "properties": {
                        "publicNetworkAccess": "Disabled"
                    },
                    "sku": {
                        "name": "[parameters('supportLogStorageAccountType')]"
                    },
                    "tags": {},
                    "type": "Microsoft.Storage/storageAccounts"
                }
            ]
        }
    ]
}
Negative test num. 2 - json file
{
    "document": [
        {
            "resources": [
                {
                    "apiVersion": "[variables('storageApiVersion')]",
                    "dependsOn": [],
                    "kind": "Storage",
                    "location": "[variables('computeLocation')]",
                    "name": "negative2",
                    "properties": {
                        "networkAcls": {
                            "defaultAction": "Deny"
                        }
                    },
                    "sku": {
                        "name": "[parameters('supportLogStorageAccountType')]"
                    },
                    "tags": {},
                    "type": "Microsoft.Storage/storageAccounts"
                }
            ]
        }
    ]
}
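As an added example (not the KICS query itself, which is written in Rego), the following Python checker applies the rule the samples above illustrate to an ARM template: a storage account is flagged when networkAcls.defaultAction is Allow, publicNetworkAccess is Enabled, or neither setting is present. The combination of publicNetworkAccess Enabled with defaultAction Deny (selected networks only) is not covered by the samples and is treated here as restricted; that is my assumption, as is the constructed sample template embedded in the code.

```python
import json

STORAGE_TYPE = "Microsoft.Storage/storageAccounts"


def iter_resources(doc):
    """Yield resources from a plain ARM template, or from the
    {"document": [...]} wrapper that several samples on this page use."""
    if not isinstance(doc, dict):
        return
    yield from doc.get("resources", [])
    for inner in doc.get("document", []):
        yield from iter_resources(inner)


def is_network_access_too_permissive(props):
    """True unless the public endpoint is disabled or default-denied.
    Azure allows all networks when neither setting is present."""
    if props.get("publicNetworkAccess") == "Disabled":
        return False  # no public endpoint at all
    if props.get("networkAcls", {}).get("defaultAction") == "Deny":
        return False  # public endpoint reachable only from allow-listed networks (assumption)
    return True  # "Allow", "Enabled" without a Deny rule, or nothing configured


def find_permissive_storage_accounts(template_json):
    """Return the names of storage accounts in the template that would be flagged."""
    doc = json.loads(template_json)
    return [
        res.get("name", "<unnamed>")
        for res in iter_resources(doc)
        if res.get("type") == STORAGE_TYPE
        and is_network_access_too_permissive(res.get("properties", {}))
    ]


# Constructed sample: one template carrying three storage accounts that mirror
# positive1 (Allow), positive2 (nothing set) and negative2 (Deny) from this page.
SAMPLE_TEMPLATE = json.dumps({
    "document": [{
        "resources": [
            {"type": STORAGE_TYPE, "name": "positive1",
             "properties": {"networkAcls": {"defaultAction": "Allow"}}},
            {"type": STORAGE_TYPE, "name": "positive2", "properties": {}},
            {"type": STORAGE_TYPE, "name": "negative2",
             "properties": {"networkAcls": {"defaultAction": "Deny"}}},
        ]
    }]
})

if __name__ == "__main__":
    print(find_permissive_storage_accounts(SAMPLE_TEMPLATE))  # ['positive1', 'positive2']
```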