Limit Storage Account Access by IP Address

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-014

Ensure that access to your Microsoft Azure Storage blobs, files, tables and queues is limited to specific (trusted) public IP addresses and/or IP address ranges in order to protect your data against unauthorized access. To enable this conformity rule, you must first define the specific public IPv4 addresses or ranges that are authorized to access your storage account. This configuration is done within the rule settings on your Trend Cloud One™ – Conformity account console.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Allowing access to your Microsoft Azure Storage account from untrusted networks can lead to unauthorized actions such as reading, uploading, modifying or deleting data. To prevent data exposure, data loss or unexpected charges on your Azure monthly bill, make sure that your storage account is accessible only from a short list of authorized IP addresses representing account administrators, trusted internet-based services and/or specific on-premises networks.


Audit

To determine if the access to your storage account is restricted to specific (trusted) IP addresses/IP address ranges, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the Microsoft Azure Storage accounts available in the selected subscription.

05 Click on the name (link) of the storage account that you want to examine.

06 In the resource navigation panel, under Security + networking, choose Networking to access the networking configuration settings available for the selected resource.

07 Select the Firewalls and virtual networks tab and check the Public network access configuration setting to determine the level of access configured for the selected storage account. If Public network access is not set to Enabled from selected virtual networks and IP addresses, secure IP-based network access is not enabled for the selected resource. If Public network access is set to Enabled from selected virtual networks and IP addresses, identify the IPv4 address(es) and/or IPv4 range(s) available in the Address range list, in the Firewall section.

08 Sign in to your Trend Cloud One™ – Conformity account, access Limit Storage Accounts Access by IP Address conformity rule settings and compare the list of trusted IPv4 addresses/ranges defined for your Azure Storage accounts with the Address range list configured for the selected storage account, identified at the previous step. If one or more IPs are not included in the list of trusted IPv4 addresses/ranges available in the rule settings, the access to the selected Azure Storage account is not restricted to specific (trusted) IP addresses.

09 Repeat steps no. 5 – 8 for each storage account available within the selected Azure subscription.

10 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage account list command (Windows/macOS/Linux) with custom output filters to describe the name of each storage account provisioned in the current Azure subscription:

az storage account list \
  --query '[*].name'

02 The command output should return the requested storage account names:

[
	"abcd1234abcd1234abcd1234",
	"abcdabcdabcd123412341234",
	"123412341234abcdabcdabcd"
]

03 Run storage account show command (Windows/macOS/Linux) with the name of the storage account that you want to examine as the identifier parameter and custom output filters to return the list with the public IPv4 address(es) and/or IPv4 range(s) allowed to access the selected storage account:

az storage account show \
  --name project5storageaccount \
  --query 'networkRuleSet.ipRules[?(action==`Allow`)].ipAddressOrRange'

04 The command output should return the list with all the IPv4 addresses allowed to access your storage account:

[
	"16.17.18.19",
	"17.18.19.20",
	"16.17.20.0/24"
]

05 Sign in to your Trend Cloud One™ – Conformity account, access Limit Storage Accounts Access by IP Address conformity rule settings and compare the list of trusted IPv4 addresses/ranges defined for your Azure Storage accounts with the IP list configured for the selected storage account, returned at the previous step by the storage account show command output. If one or more IPs are not included in the list of trusted IPv4 addresses/ranges available in the rule settings, the access to the selected Azure Storage account is not restricted to specific (trusted) IP addresses.

06 Repeat steps no. 3 – 5 for each storage account available within the current Azure subscription.

07 Repeat steps no. 1 – 6 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To restrict your Azure Storage account network access to specific, trusted IP addresses and/or IP ranges, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the Microsoft Azure Storage accounts available in the selected subscription.

05 Click on the name (link) of the storage account that you want to configure.

06 In the resource navigation panel, under Security + networking, choose Networking to access the networking configuration settings available for the selected resource.

07 Select the Firewalls and virtual networks tab, choose Enabled from selected virtual networks and IP addresses under Public network access, and perform the following actions:

  1. In the Firewall section, use the Delete button (bin icon) available next to each IP address to remove the unauthorized IPv4 addresses and/or IPv4 ranges from the Address range list.
  2. (Optional) To add one or more trusted, authorized IPv4 addresses/IP ranges to the Address range list, type the IP address/CIDR in the IP address or CIDR box.
  3. Choose Save to apply the changes.

08 Repeat steps no. 5 – 7 for each Azure Storage account that you want to configure, available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage account network-rule remove command (Windows/macOS/Linux) with the IPv4 address and/or IPv4 range that you want to remove as value for the --ip-address command parameter, to remove the unauthorized IP address/IP range from the list of allowed IPs configured for the selected Azure Storage account:

az storage account network-rule remove \
  --account-name project5storageaccount \
  --ip-address 17.18.19.20

02 The command output should return the information available for the configured Microsoft Azure Storage account:

{
	"accessTier": "Hot",
	"accountMigrationInProgress": null,
	"allowBlobPublicAccess": false,
	"allowCrossTenantReplication": false,
	"allowSharedKeyAccess": true,
	"allowedCopyScope": null,
	"azureFilesIdentityBasedAuthentication": null,
	"blobRestoreStatus": null,
	"creationTime": "2024-09-12T08:30:31.246988+00:00",
	"enableNfsV3": null,

	...

	"secondaryEndpoints": null,
	"secondaryLocation": null,
	"sku": {
		"name": "Standard_LRS",
		"tier": "Standard"
	},
	"statusOfPrimary": "available",
	"statusOfSecondary": null,
	"storageAccountSkuConversionStatus": null,
	"tags": {},
	"type": "Microsoft.Storage/storageAccounts"
}

03 (Optional) Run az storage account network-rule add command (Windows/macOS/Linux) to add an authorized IP address/IP address range to the list of allowed IPs configured for the selected Azure Storage account:

az storage account network-rule add \
  --account-name project5storageaccount \
  --ip-address 18.19.20.21

04 The command output should return the information available for the configured Azure Storage account:

{
	"accessTier": "Hot",
	"accountMigrationInProgress": null,
	"allowBlobPublicAccess": false,
	"allowCrossTenantReplication": false,
	"allowSharedKeyAccess": true,
	"allowedCopyScope": null,
	"azureFilesIdentityBasedAuthentication": null,
	"blobRestoreStatus": null,
	"creationTime": "2024-09-12T08:30:31.246988+00:00",
	"enableNfsV3": null,

	...

	"secondaryEndpoints": null,
	"secondaryLocation": null,
	"sku": {
		"name": "Standard_LRS",
		"tier": "Standard"
	},
	"statusOfPrimary": "available",
	"statusOfSecondary": null,
	"storageAccountSkuConversionStatus": null,
	"tags": {},
	"type": "Microsoft.Storage/storageAccounts"
}

05 Repeat steps no. 1 – 4 for each Azure Storage account that you want to configure, available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
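The comparison in step 05 of the CLI audit (every allowed IP/range must be covered by the trusted list) and the remove/add commands of the CLI remediation can be scripted. The following Python is an added example, not code from the Conformity page or from the Azure CLI: it takes the networkRuleSet object that `az storage account show` returns (a constructed sample is embedded inline), decides per entry whether it lies inside a trusted address or range (a rule broader than any trusted range, such as a /16 when only a /24 is trusted, is flagged), and builds the corresponding `az storage account network-rule remove` / `add` command lines for review. The account name `project5storageaccount` and all addresses are the page's sample values; the trusted list and the `defaultAction` handling are assumptions explained in the comments.

```python
import ipaddress
import json
import shlex

# Constructed sample input (not real output): the shape of
#   az storage account show --name <account> --query networkRuleSet
# for one storage account. "defaultAction": "Deny" is assumed to correspond to
# the portal's "Enabled from selected virtual networks and IP addresses" setting.
SAMPLE_NETWORK_RULE_SET = json.loads("""
{
  "defaultAction": "Deny",
  "ipRules": [
    {"action": "Allow", "ipAddressOrRange": "16.17.18.19"},
    {"action": "Allow", "ipAddressOrRange": "17.18.19.20"},
    {"action": "Allow", "ipAddressOrRange": "16.17.20.0/24"},
    {"action": "Allow", "ipAddressOrRange": "16.17.0.0/16"}
  ]
}
""")

# Constructed stand-in for the trusted IPv4 addresses/ranges entered in the
# Conformity rule settings.
TRUSTED = ["16.17.18.19", "16.17.20.0/24"]


def to_network(value):
    """Parse one IPv4 address or CIDR range into an ip_network. A bare address
    becomes a /32; strict=False tolerates host bits set inside a range."""
    return ipaddress.ip_network(value, strict=False)


def is_trusted(entry, trusted):
    """True only if the allowed entry lies entirely inside some trusted address
    or range. A rule wider than every trusted range (a /16 when only a /24 is
    trusted) is not trusted, because it admits hosts outside the trusted list."""
    net = to_network(entry)
    for t in trusted:
        t_net = to_network(t)
        if t_net.version == net.version and net.subnet_of(t_net):
            return True
    return False


def audit_ip_rules(network_rule_set, trusted):
    """Apply the audit step to one account's networkRuleSet.

    Returns {"compliant": bool, "untrusted": [entries], "reason": str}.
    Following the rule text, an account passes only when public network access
    is limited to selected networks (assumed: defaultAction == "Deny") AND
    every Allow rule is covered by the trusted list."""
    if network_rule_set.get("defaultAction") != "Deny":
        return {"compliant": False, "untrusted": [],
                "reason": "public network access is not limited to selected networks"}
    allowed = [r["ipAddressOrRange"]
               for r in network_rule_set.get("ipRules", [])
               if r.get("action") == "Allow"]
    untrusted = [e for e in allowed if not is_trusted(e, trusted)]
    if untrusted:
        return {"compliant": False, "untrusted": untrusted,
                "reason": "allowed entries not in the trusted list"}
    return {"compliant": True, "untrusted": [], "reason": "ok"}


def remediation_commands(account_name, untrusted, to_add=()):
    """Build the remediation commands shown on the page: one
    `az storage account network-rule remove` per untrusted entry, then optional
    `network-rule add` calls for trusted entries that should be present.
    Commands are returned as strings for review; nothing is executed here."""
    cmds = []
    for entry in untrusted:
        cmds.append("az storage account network-rule remove "
                    f"--account-name {shlex.quote(account_name)} "
                    f"--ip-address {shlex.quote(entry)}")
    for entry in to_add:
        cmds.append("az storage account network-rule add "
                    f"--account-name {shlex.quote(account_name)} "
                    f"--ip-address {shlex.quote(entry)}")
    return cmds


if __name__ == "__main__":
    result = audit_ip_rules(SAMPLE_NETWORK_RULE_SET, TRUSTED)
    print(json.dumps(result, indent=2))
    # "project5storageaccount" is the sample account name used on the page.
    for cmd in remediation_commands("project5storageaccount", result["untrusted"]):
        print(cmd)
```

Run against the embedded sample, the audit flags `17.18.19.20` (not in the trusted list at all) and `16.17.0.0/16` (wider than the trusted `16.17.20.0/24`), and produces one `network-rule remove` line for each; the `/32` entry and the `/24` range that match the trusted list exactly pass. The containment check is the point: a subnet check, not a string comparison, is what makes an overly broad range show up as a finding.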

Publication date Dec 19, 2019