Default Azure Storage Account Network Access Is Too Permissive

  • Query id: d855ced8-6157-448f-9f1d-f05a41d046f7
  • Query name: Default Azure Storage Account Network Access Is Too Permissive
  • Platform: AzureResourceManager
  • Severity: High
  • Category: Access Control
  • URL: Github

Description

Restrict network access to the Azure Storage Account to only the networks that require it. This query flags storage accounts whose `networkAcls.defaultAction` is `Allow`, whose `publicNetworkAccess` is `Enabled`, or which set neither property (the Azure default then permits traffic from all networks); use `networkAcls.defaultAction: 'Deny'` with explicit `ipRules`/`virtualNetworkRules`, or `publicNetworkAccess: 'Disabled'` with private endpoints.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - bicep file
// Positive fixture: a storage account whose network ACL default action is 'Allow'.
// Any request that is not matched by an ipRules / virtualNetworkRules entry falls
// through to defaultAction, so 'Allow' here means the account accepts traffic from
// every network regardless of which rules are listed.
param supportLogStorageAccountType string
param storageApiVersion string = '2021-06-01'

var deployLocation = 'comloc'

// NOTE(review): the API-version segment of the type string is the param name rather
// than a literal such as '2021-06-01' (compare the negative fixture that uses a
// literal); Bicep expects a literal version here - confirm this fixture is meant to parse.
resource positive1 'Microsoft.Storage/storageAccounts@storageApiVersion' = {
  name: 'positive1'
  location: deployLocation
  kind: 'Storage'
  sku: {
    name: supportLogStorageAccountType
  }
  properties: {
    networkAcls: {
      // Too permissive: the fallback for unmatched traffic should be 'Deny'.
      defaultAction: 'Allow'
    }
  }
  tags: {}
  dependsOn: []
}
Positive test num. 2 - json file
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "apiVersion": "[variables('storageApiVersion')]",
            "dependsOn": [],
            "kind": "Storage",
            "location": "[variables('computeLocation')]",
            "name": "positive1",
            "properties": {
                "networkAcls": {
                    "defaultAction": "Allow"
                }
            },
            "sku": {
                "name": "[parameters('supportLogStorageAccountType')]"
            },
            "tags": {},
            "type": "Microsoft.Storage/storageAccounts"
        }
    ]
}
Positive test num. 3 - bicep file
// Positive fixture: a storage account with an empty properties block.
// Neither networkAcls.defaultAction nor publicNetworkAccess is set, so the service
// default applies - the account is reachable from all networks. Omitting the
// setting is therefore just as exposed as writing defaultAction: 'Allow' explicitly.
param supportLogStorageAccountType string
param storageApiVersion string = '2021-06-01'

var deployLocation = 'comloc'

// NOTE(review): the API-version segment is the param name, not a literal version
// (compare the negative fixture that uses '@2021-06-01'); confirm this is intended.
resource positive2 'Microsoft.Storage/storageAccounts@storageApiVersion' = {
  name: 'positive2'
  location: deployLocation
  kind: 'Storage'
  sku: {
    name: supportLogStorageAccountType
  }
  // No network restriction of any kind is declared here.
  properties: {}
  tags: {}
  dependsOn: []
}

Positive test num. 4 - json file
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "apiVersion": "[variables('storageApiVersion')]",
            "dependsOn": [],
            "kind": "Storage",
            "location": "[variables('computeLocation')]",
            "name": "positive2",
            "properties": {},
            "sku": {
                "name": "[parameters('supportLogStorageAccountType')]"
            },
            "tags": {},
            "type": "Microsoft.Storage/storageAccounts"
        }
    ]
}
Positive test num. 5 - bicep file
// Positive fixture: a storage account that explicitly enables its public endpoint.
// publicNetworkAccess: 'Enabled' exposes the public endpoint, and since no
// networkAcls are declared alongside it, nothing narrows which networks may reach it.
param supportLogStorageAccountType string
param storageApiVersion string = '2021-06-01'

var deployLocation = 'comloc'

// NOTE(review): the API-version segment is the param name, not a literal version
// (compare the negative fixture that uses '@2021-06-01'); confirm this is intended.
resource positive3 'Microsoft.Storage/storageAccounts@storageApiVersion' = {
  name: 'positive3'
  location: deployLocation
  kind: 'Storage'
  sku: {
    name: supportLogStorageAccountType
  }
  properties: {
    // Public endpoint left open with no accompanying firewall rules.
    publicNetworkAccess: 'Enabled'
  }
  tags: {}
  dependsOn: []
}
Positive test num. 6 - json file
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "apiVersion": "[variables('storageApiVersion')]",
            "dependsOn": [],
            "kind": "Storage",
            "location": "[variables('computeLocation')]",
            "name": "positive3",
            "properties": {
                "publicNetworkAccess": "Enabled"
            },
            "sku": {
                "name": "[parameters('supportLogStorageAccountType')]"
            },
            "tags": {},
            "type": "Microsoft.Storage/storageAccounts"
        }
    ]
}

Code samples without security vulnerabilities

Negative test num. 1 - bicep file
// Negative fixture: a storage account whose public endpoint is switched off.
// publicNetworkAccess: 'Disabled' means the account is not reachable over its
// public endpoint at all; clients must come in through a private endpoint.
// Deployment/CI tooling that talks to the account over the public endpoint
// will need a private path as well - plan for that before flipping this in production.
param supportLogStorageAccountType string
param storageApiVersion string = '2021-06-01'

var deployLocation = 'comloc'

// NOTE(review): the API-version segment is the param name, not a literal version
// (compare the other negative fixture that uses '@2021-06-01'); confirm this is intended.
resource negative1 'Microsoft.Storage/storageAccounts@storageApiVersion' = {
  name: 'negative1'
  location: deployLocation
  kind: 'Storage'
  sku: {
    name: supportLogStorageAccountType
  }
  properties: {
    // Public endpoint disabled; private endpoints are the only way in.
    publicNetworkAccess: 'Disabled'
  }
  tags: {}
  dependsOn: []
}
Negative test num. 2 - json file
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "apiVersion": "[variables('storageApiVersion')]",
            "dependsOn": [],
            "kind": "Storage",
            "location": "[variables('computeLocation')]",
            "name": "negative1",
            "properties": {
                "publicNetworkAccess": "Disabled"
            },
            "sku": {
                "name": "[parameters('supportLogStorageAccountType')]"
            },
            "tags": {},
            "type": "Microsoft.Storage/storageAccounts"
        }
    ]
}
Negative test num. 3 - bicep file
// Negative fixture: a storage account whose network ACL default action is 'Deny'.
// With 'Deny', only traffic matching an explicit ipRules / virtualNetworkRules
// entry is accepted. This fixture lists no rules, so no client network is allowed;
// a real deployment would add the specific rules it needs. Trusted Azure services
// may still be admitted via the `bypass` setting, whose service default is
// 'AzureServices' when omitted - confirm that is acceptable for your data.
param supportLogStorageAccountType string

var deployLocation = 'comloc'

resource negative2 'Microsoft.Storage/storageAccounts@2021-06-01' = {
  name: 'negative2'
  location: deployLocation
  kind: 'Storage'
  sku: {
    name: supportLogStorageAccountType
  }
  properties: {
    networkAcls: {
      // Fail closed: anything not on the allow-list is rejected.
      defaultAction: 'Deny'
    }
  }
  tags: {}
  dependsOn: []
}

Negative test num. 4 - json file
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "apiVersion": "[variables('storageApiVersion')]",
            "dependsOn": [],
            "kind": "Storage",
            "location": "[variables('computeLocation')]",
            "name": "negative2",
            "properties": {
                "networkAcls": {
                    "defaultAction": "Deny"
                }
            },
            "sku": {
                "name": "[parameters('supportLogStorageAccountType')]"
            },
            "tags": {},
            "type": "Microsoft.Storage/storageAccounts"
        }
    ]
}