Ensure that your Microsoft Azure Storage accounts are configured to deny access from all networks (including the Internet) by default. A storage account's default network rule is "Allow", which accepts connections from clients on any network; changing the default action to "Deny" adds a network-level boundary on top of the authorization checks the account already performs. To limit access to selected virtual networks or IP address ranges, you must first change the default action from "Allow" to "Deny", because network rules restrict access only when the default action is "Deny".
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Access to your storage account should be granted to specific Azure virtual networks, which provides a secure network boundary for specific applications, or to public IP address ranges, which can admit connections from specific Internet services or on-premises clients. When network rules are configured, only clients on the allowed networks or IP addresses can reach your storage resources. A network rule does not replace authorization: a client connecting from an allowed network or IP address must still present valid credentials, such as an account access key or a Shared Access Signature (SAS) token, to access the storage account.
Note: Changing network rules can break your applications' connectivity to the Azure Storage account. Before you change the default rule to deny access, grant access to every network that must keep working, using virtual network rules or IP address range rules.
Audit
To determine if the default network access is restricted for your storage accounts, perform the following actions:
Remediation / Resolution
To restrict default network access for your Microsoft Azure Storage accounts, perform the following actions:
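The following script is an added example, not the Conformity page's own audit or remediation procedure. It uses the Azure CLI commands listed in the references to (a) find every storage account in the current subscription whose default network action is still "Allow", (b) check a single account, and (c) remediate an account in the order the note above requires: allow the networks that must keep working first, then flip the default action to "Deny". It assumes an authenticated `az` session with rights on the subscription; the virtual network and subnet names (`app-vnet`, `app-subnet`), the account and resource group names used in the usage comment, and the `203.0.113.0/24` range (TEST-NET-3) are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example: audit and remediate the default network rule of Azure Storage
# accounts with the Azure CLI. Assumes `az login` has already been run.
set -eu

# Audit: print "name<TAB>resourceGroup" for every storage account whose default
# network action is Allow, i.e. the account is reachable from any network.
find_open_accounts() {
  az storage account list \
    --query "[?networkRuleSet.defaultAction=='Allow'].[name,resourceGroup]" \
    -o tsv
}

# Check one account; exits 0 only when its default action is Deny.
default_action_is_deny() {
  name=$1; rg=$2
  action=$(az storage account show --name "$name" --resource-group "$rg" \
    --query networkRuleSet.defaultAction -o tsv)
  [ "$action" = "Deny" ]
}

# Remediation. Grant the networks and IP ranges that must keep working BEFORE
# changing the default action to Deny. VNet/subnet names and the IP range are
# placeholders (assumptions), not values from the Conformity page.
remediate_account() {
  name=$1; rg=$2

  # 1. Allow a virtual network subnet. The subnet must already have a
  #    Microsoft.Storage service endpoint, otherwise this call fails.
  az storage account network-rule add --account-name "$name" --resource-group "$rg" \
    --vnet-name app-vnet --subnet app-subnet

  # 2. Allow a public range for on-premises or office clients (constructed range).
  az storage account network-rule add --account-name "$name" --resource-group "$rg" \
    --ip-address 203.0.113.0/24

  # 3. Deny everything else. --bypass AzureServices keeps trusted Microsoft
  #    services working; use --bypass None if you want no exception at all.
  az storage account update --name "$name" --resource-group "$rg" \
    --default-action Deny --bypass AzureServices

  # 4. Verify the change actually landed (set -e aborts the script if not).
  default_action_is_deny "$name" "$rg"
}

# Usage:
#   find_open_accounts                       # audit the whole subscription
#   find_open_accounts | while read -r name rg; do
#     remediate_account "$name" "$rg"        # remediate each open account
#   done
```

The JMESPath filter in `find_open_accounts` does the audit server-side, so the output is exactly the non-compliant set; run it again after remediation and expect no rows. Keep the `--bypass` choice deliberate: `AzureServices` is the setting most accounts need so that platform features keep working, but it is a documented exception to the "Deny" default and should be reviewed like any other rule.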
References
- Azure Official Documentation
- Configure Azure Storage firewalls and virtual networks
- CIS Microsoft Azure Foundations
- Azure Command Line Interface (CLI) Documentation
- az
- az storage account list
- az storage account show
- az storage account update
- az storage account network-rule add