Azure_StorageAccount_8

Ensure Trusted Microsoft Services is enabled for Storage Account access

Description

Some Microsoft services that interact with storage accounts operate from networks that can’ t be granted access through network rules.To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules.These services will then use strong authentication to access the storage account.If the Allow trusted Microsoft services exception is enabled, the following services : Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, AzureNetworking, Azure Monitor and Azure SQL Data Warehouse ( when registered in the subscription ), are granted access to the storage account.

Remediation

Perform the following in the Azure Console :

  1. Go to Storage Accounts
  2. For each storage account, Click on the settings menu called Firewalls and virtual networks
  3. Ensure that you have elected to allow access from ‘Selected networks’
  4. Enable check box for Allow trusted Microsoft services to access this
    storage account
  5. Click Save to apply your changes

Perform the following in Azure Command Line Interface 2.0 :

Use the below command to update trusted Microsoft services.

az storage account update –name <StorageAccountName> –resource-group <resourceGroupName> –bypass AzureServices

References:

  1. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security 

Service

Storage Accounts

Severity

High

Compliance

Mapping

We are now live on AWS Marketplace.
The integrated view of your cloud infrastructure is now easier than ever!