
Enable Trusted Microsoft Services for Storage Account Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-008

Ensure that "Allow trusted Microsoft services to access this storage account" exception is enabled within your Azure Storage account configuration settings to grant access to trusted cloud services.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Enabling firewall rules for your storage account blocks incoming requests for data, including requests from other Azure services. To let those Azure services work as intended and reach your storage account resources, you have to add an exception so that the trusted Microsoft Azure services can bypass your network rules. When the "Allow trusted Microsoft services to access this storage account" exception is enabled, the following services are granted access to your storage account: Azure Backup, Azure Event Grid, Azure Site Recovery, Azure DevTest Labs, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription). To keep this access secure, all of these cloud services use strong authentication methods when accessing storage account resources.


Audit

To determine if the "Allow trusted Microsoft services to access this storage account" exception is enabled, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name of the Azure Storage account that you want to examine.

04 In the navigation panel, under Settings, select Firewalls and virtual networks to access the network security configuration page for the selected storage account.

05 On the Firewalls and virtual networks page, under Exceptions, check the configuration status of the Allow trusted Microsoft services to access this storage account exception. If the default network access configuration panel is not displayed, see this conformity rule to access the panel with the network access exceptions. If the Allow trusted Microsoft services to access this storage account exception is not selected, the trusted Microsoft services are not allowed to access the selected Azure Storage account.

06 Repeat steps no. 3 – 5 for each storage account available within the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run the storage account list command (Windows/macOS/Linux) with a custom query filter to list the name of each storage account available in the current Azure subscription:

az storage account list \
	--query '[*].name'

02 The command output should return the requested storage account names:

[
  "abcdabcdabcd123412341234",
  "123412341234abcdabcdabcd"
]

03 Run the storage account show command (Windows/macOS/Linux) using the name of the storage account that you want to examine as the identifier parameter and a custom query filter to get the configuration status of the "Allow trusted Microsoft services to access this storage account" exception:

az storage account show \
	--name abcdabcdabcd123412341234 \
	--query 'networkRuleSet.bypass'

04 The command output should return the value of the network rule set's bypass setting, i.e. which traffic is allowed to bypass the default network access rule:

"None"

If the command output returns "None", the "Allow trusted Microsoft services to access this storage account" exception is not enabled, therefore the trusted Microsoft services are not allowed to access the selected Azure Storage account.

05 Repeat steps no. 3 and 4 for each storage account available within the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To allow trusted Microsoft services to access your Azure Storage accounts, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name of the Azure Storage account that you want to reconfigure.

04 In the navigation panel, under Settings, select Firewalls and virtual networks to access the network security configuration page for the selected storage account.

05 On the Firewalls and virtual networks page, under Exceptions, select the Allow trusted Microsoft services to access this storage account exception checkbox to allow the trusted Microsoft services to access the selected Azure Storage account. If the default network access configuration panel is not displayed, see this conformity rule to access the panel with the network access exceptions.

06 Click Save to apply the changes.

07 Repeat steps no. 3 – 6 for each storage account available in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run the storage account update command (Windows/macOS/Linux) using the name of the storage account that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right account) to enable the "Allow trusted Microsoft services to access this storage account" exception for the selected Azure Storage account:

az storage account update \
	--name abcdabcdabcd123412341234 \
	--bypass AzureServices

02 The command output should return the reconfigured storage account metadata:

{
  "accessTier": "Hot",
  "creationTime": "2019-04-23T11:39:20.351002+00:00",
  "enableAzureFilesAadIntegration": null,
  "customDomain": null,
  "enableHttpsTrafficOnly": false,

   ...

  "networkRuleSet": {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [
      {
        "action": "Allow",
        "ipAddressOrRange": "16.17.18.0/24"
      }
    ],
    "virtualNetworkRules": []
  },

  ...

  "statusOfPrimary": "available",
  "statusOfSecondary": null,
  "tags": {
    "ms-resource-usage": "azure-cloud-shell"
  },
  "type": "Microsoft.Storage/storageAccounts"
}

03 Repeat steps no. 1 and 2 for each storage account available in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
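The Audit and Remediation steps above can be run over all accounts at once. The script below is an added example, not Conformity's own code: it parses the JSON that "az storage account list -o json" prints (the sample input is constructed), flags every account whose networkRuleSet.bypass does not include AzureServices, and builds the matching "az storage account update" command. It tests for membership rather than equality because bypass is a comma-separated list that may also carry Logging and Metrics, and the generated command keeps those entries so that remediation does not drop them.

```python
"""Bulk audit for StorageAccounts-008 from `az storage account list -o json`."""
import json
from typing import Dict, List

# Constructed sample, shaped like the output of `az storage account list -o json`.
SAMPLE_LIST_JSON = """
[
  {"name": "abcdabcdabcd123412341234",
   "networkRuleSet": {"bypass": "None", "defaultAction": "Deny"}},
  {"name": "123412341234abcdabcdabcd",
   "networkRuleSet": {"bypass": "AzureServices, Logging, Metrics",
                      "defaultAction": "Deny"}},
  {"name": "opennetworkaccount000001",
   "networkRuleSet": {"bypass": "Logging, Metrics", "defaultAction": "Allow"}}
]
"""


def bypass_entries(network_rule_set: Dict) -> List[str]:
    """Split the comma-separated bypass string into entries; "None" means none."""
    raw = (network_rule_set or {}).get("bypass") or "None"
    entries = [e.strip() for e in raw.split(",")]
    return [e for e in entries if e and e != "None"]


def trusted_services_allowed(network_rule_set: Dict) -> bool:
    """True when the 'Allow trusted Microsoft services' exception is enabled."""
    return "AzureServices" in bypass_entries(network_rule_set)


def audit(list_json: str) -> List[Dict]:
    """One finding per failing account, with a fix that keeps existing entries."""
    findings = []
    for acct in json.loads(list_json):
        nrs = acct.get("networkRuleSet") or {}
        if trusted_services_allowed(nrs):
            continue
        keep = bypass_entries(nrs) + ["AzureServices"]
        findings.append({
            "name": acct["name"],
            "defaultAction": nrs.get("defaultAction"),
            "fix": "az storage account update --name %s --bypass %s"
                   % (acct["name"], " ".join(keep)),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LIST_JSON):
        print("%s: bypass lacks AzureServices (defaultAction=%s)"
              % (f["name"], f["defaultAction"]))
        print("  " + f["fix"])
```

Feed it real data by saving "az storage account list -o json" to a file and passing its contents to audit(); an account with defaultAction "Allow" is reported too, since the rule checks the exception itself rather than whether the firewall is currently restricting traffic.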

Publication date Jun 12, 2019