Public Storage Account
- Query id: 17f75827-0684-48f4-8747-61129c7e4198
- Query name: Public Storage Account
- Platform: Terraform
- Severity: High
- Category: Access Control
- CWE: Ongoing
- URL: Github
Description¶
Storage Account should not be public to grant the principle of least privileges
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "azurerm_storage_account" "positive1" {
name = "storageaccountname"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "LRS"
network_rules {
default_action = "Deny"
ip_rules = ["0.0.0.0/0"]
virtual_network_subnet_ids = [azurerm_subnet.example.id]
}
tags = {
environment = "staging"
}
}
resource "azurerm_storage_account" "positive2" {
name = "storageaccountname"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "LRS"
network_rules {
default_action = "Allow"
virtual_network_subnet_ids = [azurerm_subnet.example.id]
}
tags = {
environment = "staging"
}
}
resource "azurerm_storage_account_network_rules" "positive3" {
resource_group_name = azurerm_resource_group.test.name
storage_account_name = azurerm_storage_account.test.name
default_action = "Allow"
ip_rules = ["0.0.0.0/0"]
virtual_network_subnet_ids = [azurerm_subnet.test.id]
bypass = ["Metrics"]
}
resource "azurerm_storage_account_network_rules" "positive4" {
resource_group_name = azurerm_resource_group.test.name
storage_account_name = azurerm_storage_account.test.name
default_action = "Allow"
virtual_network_subnet_ids = [azurerm_subnet.test.id]
bypass = ["Metrics"]
}
Positive test num. 2 - tf file
resource "azurerm_storage_account" "positive5" {
name = "storageaccountname"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "GRS"
allow_blob_public_access = true
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "azurerm_storage_account" "negative1" {
name = "storageaccountname"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "LRS"
network_rules {
default_action = "Deny"
ip_rules = ["100.0.0.1"]
virtual_network_subnet_ids = [azurerm_subnet.example.id]
}
tags = {
environment = "staging"
}
}
resource "azurerm_storage_account_network_rules" "negative2" {
resource_group_name = azurerm_resource_group.test.name
storage_account_name = azurerm_storage_account.test.name
default_action = "Allow"
ip_rules = ["127.0.0.1"]
virtual_network_subnet_ids = [azurerm_subnet.test.id]
bypass = ["Metrics"]
}
Negative test num. 2 - tf file
resource "azurerm_storage_account" "negative5" {
name = "storageaccountname"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "GRS"
allow_blob_public_access = false
}