Beta - Storage Account With Shared Access Key

• Query id: 45f3e879-f8a7-4102-a3fa-46da5a849870
• Query name: Beta - Storage Account With Shared Access Key
• Platform: Terraform
• Severity: Medium
• Category: Access Control
• CWE: 1390
• Risk score: 3.0
• URL: Github

Description

All 'azurerm_storage_account' resources should disable access key via 'Shared Key' for improved access control
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "azurerm_storage_account" "positive1" {
  name                     = "positive1"
  resource_group_name      = azurerm_resource_group.positive1.name
  location                 = azurerm_resource_group.positive1.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  # missing "shared_access_key_enabled" (defaults to true)
}

resource "azurerm_storage_account" "positive2" {
  name                     = "positive2"
  resource_group_name      = azurerm_resource_group.positive2.name
  location                 = azurerm_resource_group.positive2.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  shared_access_key_enabled = true     # value is not set to false
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "azurerm_storage_account" "negative1" {
  name                     = "negative1"
  resource_group_name      = "testRG"
  location                 = "northeurope"
  account_tier             = "Premium"
  account_replication_type = "LRS"
  account_kind             = "FileStorage"

  shared_access_key_enabled = false    # value is set false
}