Trusted Microsoft Services Not Enabled
- Query id: 5400f379-a347-4bdd-a032-446465fdcc6f
- Query name: Trusted Microsoft Services Not Enabled
- Platform: Terraform
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description¶
Trusted Microsoft Services should be enabled for Storage Account access
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "azurerm_storage_account_network_rules" "positive1" {
resource_group_name = azurerm_resource_group.test.name
storage_account_name = azurerm_storage_account.test.name
default_action = "Allow"
ip_rules = ["127.0.0.1"]
virtual_network_subnet_ids = [azurerm_subnet.test.id]
bypass = ["Metrics"]
}
resource "azurerm_storage_account" "positive2" {
name = "storageaccountname"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "LRS"
network_rules {
default_action = "Deny"
bypass = ["None"]
ip_rules = ["100.0.0.1"]
virtual_network_subnet_ids = [azurerm_subnet.example.id]
}
tags = {
environment = "staging"
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "azurerm_storage_account" "negative1" {
name = "storageaccountname"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "LRS"
network_rules {
default_action = "Deny"
bypass = ["AzureServices"]
ip_rules = ["100.0.0.1"]
virtual_network_subnet_ids = [azurerm_subnet.example.id]
}
tags = {
environment = "staging"
}
}
resource "azurerm_storage_account_network_rules" "negative2" {
resource_group_name = azurerm_resource_group.test.name
storage_account_name = azurerm_storage_account.test.name
default_action = "Allow"
ip_rules = ["127.0.0.1"]
virtual_network_subnet_ids = [azurerm_subnet.test.id]
bypass = ["Metrics", "AzureServices"]
}