Trusted Microsoft Services Not Enabled

  • Query id: 1bc398a8-d274-47de-a4c8-6ac867b353de
  • Query name: Trusted Microsoft Services Not Enabled
  • Platform: Ansible
  • Severity: High
  • Category: Networking and Firewall
  • URL: Github

Description

Trusted Microsoft Services should be enabled for Storage Account access: when a storage account's network_acls sets a bypass list, that list should include AzureServices so that trusted Microsoft services are not blocked by the firewall.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: configure firewall and virtual networks
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    network_acls:
      bypass: Metrics
      default_action: Deny
      virtual_network_rules:
        - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
          action: Allow
      ip_rules:
        - value: 1.2.3.4
          action: Allow
        - value: 123.234.123.0/24
          action: Allow
- name: configure firewall and virtual networks2
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0003
    type: Standard_RAGRS
    network_acls:
      default_action: Deny
      bypass: Metrics,Logging
      virtual_network_rules:
        - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
          action: Allow
      ip_rules:
        - value: 1.2.3.4
          action: Allow
        - value: 123.234.123.0/24
          action: Allow
- name: configure firewall and virtual networks3
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0004
    type: Standard_RAGRS
    network_acls:
      default_action: Deny
      bypass: ""
      virtual_network_rules:
        - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
          action: Allow
      ip_rules:
        - value: 1.2.3.4
          action: Allow
        - value: 123.234.123.0/24
          action: Allow

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: configure firewall and virtual networks
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    network_acls:
      bypass: AzureServices,Metrics
      default_action: Deny
      virtual_network_rules:
      - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
        action: Allow
      ip_rules:
      - value: 1.2.3.4
        action: Allow
      - value: 123.234.123.0/24
        action: Allow
- name: configure firewall and virtual networks2
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0003
    type: Standard_RAGRS
    network_acls:
      default_action: Deny
      virtual_network_rules:
      - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
        action: Allow
      ip_rules:
      - value: 1.2.3.4
        action: Allow
      - value: 123.234.123.0/24
        action: Allow
- name: configure firewall and virtual networks3
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0004
    type: Standard_RAGRS
    network_acls:
      default_action: Deny
      bypass: AzureServices
      virtual_network_rules:
      - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
        action: Allow
      ip_rules:
      - value: 1.2.3.4
        action: Allow
      - value: 123.234.123.0/24
        action: Allow
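As an added example (not part of KICS or the Ansible collection), the check below reproduces the rule the test cases above illustrate: a task is reported when network_acls.bypass is present but does not list AzureServices, and a task with no bypass key is left alone, matching negative test 2. The task dicts are a constructed, trimmed version of the samples on this page; in practice they would come from yaml.safe_load on the playbook.

```python
"""Flag azure_rm_storageaccount tasks whose bypass list omits AzureServices.

Added example, not KICS code. A task is reported when `network_acls.bypass`
is present but does not contain `AzureServices`; a missing `bypass` key is
treated as compliant, as in the page's negative test 2.
"""
from typing import Any, Dict, List, Optional, Set

# Short and fully-qualified module names both appear in real playbooks.
MODULE_NAMES = ("azure_rm_storageaccount", "azure.azcollection.azure_rm_storageaccount")


def bypass_services(acls: Dict[str, Any]) -> Optional[Set[str]]:
    """Return the services named in `bypass`, or None when the key is absent.

    Handles the comma-separated string form used on this page ("Metrics,Logging")
    as well as a YAML list; an empty string yields an empty set.
    """
    raw = acls.get("bypass")
    if raw is None:
        return None
    items = raw if isinstance(raw, list) else str(raw).split(",")
    return {item.strip() for item in items if item.strip()}


def find_missing_trusted_services(tasks: List[Dict[str, Any]]) -> List[str]:
    """Return the names of tasks whose bypass list blocks trusted Microsoft services."""
    findings = []
    for task in tasks:
        params = next((task[m] for m in MODULE_NAMES if m in task), None)
        if not isinstance(params, dict):
            continue  # not a storage account task
        acls = params.get("network_acls")
        if not isinstance(acls, dict):
            continue  # no firewall block configured
        services = bypass_services(acls)
        if services is not None and "AzureServices" not in services:
            findings.append(task.get("name", params.get("name", "<unnamed>")))
    return findings


# Constructed sample: the relevant fields of the six test cases on this page.
SAMPLE_TASKS = [
    {"name": "pos1", "azure_rm_storageaccount": {"name": "clh0002", "network_acls": {"bypass": "Metrics", "default_action": "Deny"}}},
    {"name": "pos2", "azure_rm_storageaccount": {"name": "clh0003", "network_acls": {"default_action": "Deny", "bypass": "Metrics,Logging"}}},
    {"name": "pos3", "azure_rm_storageaccount": {"name": "clh0004", "network_acls": {"default_action": "Deny", "bypass": ""}}},
    {"name": "neg1", "azure_rm_storageaccount": {"name": "clh0002", "network_acls": {"bypass": "AzureServices,Metrics", "default_action": "Deny"}}},
    {"name": "neg2", "azure_rm_storageaccount": {"name": "clh0003", "network_acls": {"default_action": "Deny"}}},
    {"name": "neg3", "azure_rm_storageaccount": {"name": "clh0004", "network_acls": {"default_action": "Deny", "bypass": "AzureServices"}}},
]

if __name__ == "__main__":
    for name in find_missing_trusted_services(SAMPLE_TASKS):
        print(f"bypass omits AzureServices: {name}")
```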