Azure_StorageAccount_7

Ensure default network access rule for Storage Accounts is set to deny

Description

Restricting default network access adds a layer of security, because by default a storage account accepts connections from clients on any network. To limit access to selected networks, the default action must be changed to Deny.

Remediation

Perform the following in the Azure Console:

  1. Go to Storage Accounts
  2. For each storage account, click the settings menu called Firewalls and virtual networks.
  3. Ensure that you have elected to allow access from Selected networks
  4. Add rules to allow traffic from specific networks
  5. Click Save to apply your changes

Perform the following in Azure Command Line Interface 2.0:

Use the following command to set default-action to Deny.

az storage account update --name <StorageAccountName> --resource-group <resourceGroupName> --default-action Deny
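
The check behind this rule can be run over the JSON that az storage account list returns. The following is an added example, not part of the original rule text or the scanner's own code: the account names, resource groups and the function name audit_default_action are constructed, and treating an account that reports no network rule set as non-compliant is an assumption.

```python
import json
import shlex

# Constructed sample in the shape of `az storage account list -o json`,
# trimmed to the fields this check reads. All names are made up.
SAMPLE_AZ_OUTPUT = """
[
  {"name": "stprodlogs", "resourceGroup": "rg-prod",
   "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices",
                      "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
                      "virtualNetworkRules": []}},
  {"name": "stdevscratch", "resourceGroup": "rg-dev",
   "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices",
                      "ipRules": [], "virtualNetworkRules": []}},
  {"name": "stlegacy", "resourceGroup": "rg-old", "networkRuleSet": null}
]
"""


def audit_default_action(accounts):
    """Return one finding per account whose default network action is not Deny."""
    findings = []
    for acct in accounts:
        rules = acct.get("networkRuleSet") or {}  # null or missing: nothing reported
        observed = rules.get("defaultAction")
        if str(observed or "").strip().lower() == "deny":
            continue  # compliant
        findings.append({
            "name": acct["name"],
            "resourceGroup": acct["resourceGroup"],
            # Assumption: an unreported rule set fails closed and is a finding.
            "observed": observed if observed else "not reported",
            # Same command as the remediation step, with shell-safe quoting.
            "remediation": "az storage account update --name {} --resource-group {} "
                           "--default-action Deny".format(
                               shlex.quote(acct["name"]),
                               shlex.quote(acct["resourceGroup"])),
        })
    return findings


if __name__ == "__main__":
    for f in audit_default_action(json.loads(SAMPLE_AZ_OUTPUT)):
        print("{name} ({resourceGroup}): defaultAction={observed}".format(**f))
        print("  fix: {remediation}".format(**f))
```

Add the allow rules from step 4 before applying the printed command, since switching the default action to Deny blocks every network that is not listed.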

References:

  1. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security 

Service

Storage Accounts

Severity

High

Compliance

Mapping
