Default Azure Storage Account Network Access Is Too Permissive
- Query id: d855ced8-6157-448f-9f1d-f05a41d046f7
- Query name: Default Azure Storage Account Network Access Is Too Permissive
- Platform: AzureResourceManager
- Severity: High
- Category: Access Control
- CWE: 284
- URL: Github
Description
Make sure that network access to your Azure Storage Account is restricted to the clients that require it.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - bicep file
param supportLogStorageAccountType string
param storageApiVersion string = '2021-06-01'
var computeLocation = 'comloc'
// Positive sample 1: the storage firewall's default action is 'Allow'. defaultAction
// governs requests that match no explicit allow rule, so 'Allow' leaves the account
// reachable from any network; the compliant value is 'Deny' (see negative test 3).
// NOTE(review): Bicep expects a literal API version after '@' (negative test 3 uses
// '@2021-06-01'); the parameter name here looks like a fixture quirk — confirm before reuse.
resource positive1 'Microsoft.Storage/storageAccounts@storageApiVersion' = {
  kind: 'Storage'
  location: computeLocation
  name: 'positive1'
  properties: {
    networkAcls: {
      defaultAction: 'Allow' // flagged by the query
    }
  }
  sku: {
    name: supportLogStorageAccountType
  }
  tags: {}
  dependsOn: []
}
Positive test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "[variables('storageApiVersion')]",
"dependsOn": [],
"kind": "Storage",
"location": "[variables('computeLocation')]",
"name": "positive1",
"properties": {
"networkAcls": {
"defaultAction": "Allow"
}
},
"sku": {
"name": "[parameters('supportLogStorageAccountType')]"
},
"tags": {},
"type": "Microsoft.Storage/storageAccounts"
}
]
}
Positive test num. 3 - bicep file
param supportLogStorageAccountType string
param storageApiVersion string = '2021-06-01'
var computeLocation = 'comloc'
// Positive sample 2: 'properties' is empty, so neither networkAcls.defaultAction nor
// publicNetworkAccess is set and the service default applies. The query treats that
// default as too permissive (hence its name), so an omission is flagged exactly like
// an explicit 'Allow'. Restrict access explicitly as in negative tests 1 and 3.
// NOTE(review): Bicep expects a literal API version after '@' (negative test 3 uses
// '@2021-06-01'); the parameter name here looks like a fixture quirk — confirm before reuse.
resource positive2 'Microsoft.Storage/storageAccounts@storageApiVersion' = {
  kind: 'Storage'
  location: computeLocation
  name: 'positive2'
  properties: {} // flagged: no network restriction declared
  sku: {
    name: supportLogStorageAccountType
  }
  tags: {}
  dependsOn: []
}
Positive test num. 4 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "[variables('storageApiVersion')]",
"dependsOn": [],
"kind": "Storage",
"location": "[variables('computeLocation')]",
"name": "positive2",
"properties": {},
"sku": {
"name": "[parameters('supportLogStorageAccountType')]"
},
"tags": {},
"type": "Microsoft.Storage/storageAccounts"
}
]
}
Positive test num. 5 - bicep file
param supportLogStorageAccountType string
param storageApiVersion string = '2021-06-01'
var computeLocation = 'comloc'
// Positive sample 3: publicNetworkAccess is 'Enabled', so the account's public endpoint
// accepts traffic. The compliant value is 'Disabled' (see negative test 1); when the
// public endpoint must stay enabled, pair it with networkAcls.defaultAction 'Deny'
// and explicit allow rules instead.
// NOTE(review): Bicep expects a literal API version after '@' (negative test 3 uses
// '@2021-06-01'); the parameter name here looks like a fixture quirk — confirm before reuse.
resource positive3 'Microsoft.Storage/storageAccounts@storageApiVersion' = {
  kind: 'Storage'
  location: computeLocation
  name: 'positive3'
  properties: {
    publicNetworkAccess: 'Enabled' // flagged by the query
  }
  sku: {
    name: supportLogStorageAccountType
  }
  tags: {}
  dependsOn: []
}
Positive test num. 6 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "[variables('storageApiVersion')]",
"dependsOn": [],
"kind": "Storage",
"location": "[variables('computeLocation')]",
"name": "positive3",
"properties": {
"publicNetworkAccess": "Enabled"
},
"sku": {
"name": "[parameters('supportLogStorageAccountType')]"
},
"tags": {},
"type": "Microsoft.Storage/storageAccounts"
}
]
}
Code samples without security vulnerabilities
Negative test num. 1 - bicep file
param supportLogStorageAccountType string
param storageApiVersion string = '2021-06-01'
var computeLocation = 'comloc'
// Negative sample 1: publicNetworkAccess 'Disabled' turns off the public endpoint, which
// satisfies this query. Clients then need a private path (e.g. a private endpoint), which
// this fixture does not declare — a real template would add it alongside this setting.
// NOTE(review): Bicep expects a literal API version after '@' (negative test 3 uses
// '@2021-06-01'); the parameter name here looks like a fixture quirk — confirm before reuse.
resource negative1 'Microsoft.Storage/storageAccounts@storageApiVersion' = {
  kind: 'Storage'
  location: computeLocation
  name: 'negative1'
  properties: {
    publicNetworkAccess: 'Disabled' // compliant
  }
  sku: {
    name: supportLogStorageAccountType
  }
  tags: {}
  dependsOn: []
}
Negative test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "[variables('storageApiVersion')]",
"dependsOn": [],
"kind": "Storage",
"location": "[variables('computeLocation')]",
"name": "negative1",
"properties": {
"publicNetworkAccess": "Disabled"
},
"sku": {
"name": "[parameters('supportLogStorageAccountType')]"
},
"tags": {},
"type": "Microsoft.Storage/storageAccounts"
}
]
}
Negative test num. 3 - bicep file
param supportLogStorageAccountType string
var computeLocation = 'comloc'
// Negative sample 2: networkAcls.defaultAction 'Deny' blocks requests that match no
// explicit allow rule, which satisfies this query. In practice 'Deny' is paired with
// ipRules and/or virtualNetworkRules for the legitimate clients (none are shown here).
// This sample is also the only one that hard-codes a literal API version after '@',
// which is the form Bicep expects.
resource negative2 'Microsoft.Storage/storageAccounts@2021-06-01' = {
  kind: 'Storage'
  location: computeLocation
  name: 'negative2'
  properties: {
    networkAcls: {
      defaultAction: 'Deny' // compliant
    }
  }
  sku: {
    name: supportLogStorageAccountType
  }
  tags: {}
  dependsOn: []
}
Negative test num. 4 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "[variables('storageApiVersion')]",
"dependsOn": [],
"kind": "Storage",
"location": "[variables('computeLocation')]",
"name": "negative2",
"properties": {
"networkAcls": {
"defaultAction": "Deny"
}
},
"sku": {
"name": "[parameters('supportLogStorageAccountType')]"
},
"tags": {},
"type": "Microsoft.Storage/storageAccounts"
}
]
}