Restrict Default Network Access for Storage Accounts

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-007

Ensure that the default network rule on your Microsoft Azure Storage account is set to deny traffic from all networks (including Internet traffic). Restricting the default network access of a storage account adds a layer of security, because the default action accepts connections from clients on any network. To limit access to selected networks or IP addresses, you must first change the default action from "Allow" to "Deny".

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Access to your storage account should be granted only to specific Azure Virtual Networks, which provides a secure network boundary for specific applications, or to public IP address ranges, which allows connections from specific Internet services or on-premises clients. Once network rules are configured, only clients on the allowed networks or IP ranges can reach your storage resources. A client or application connecting from an allowed network or IP address must still present valid authorization, i.e. a valid access key or a Shared Access Signature (SAS) token, to access the storage account.

Note: Changing network rules can break your applications' ability to connect to the Azure Storage account. Before you switch the default rule to deny access, make sure that every network that needs access is granted it, either through virtual network rules or through firewall IP range rules.


Audit

To determine if the default network access is restricted for your storage accounts, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name of the Azure Storage account that you want to examine.

04 In the navigation panel, under Settings, select Firewalls and virtual networks to open the network security configuration page for the selected storage account.

05 On the Firewalls and virtual networks page, check the Allow access from setting. If Allow access from is set to All networks, every network, including the Internet, can reach the selected storage account, so the default network access configuration is not compliant.

06 Repeat steps no. 3 – 5 for each storage account available within the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run the storage account list command (Windows/macOS/Linux) with a custom query filter to list the identifier (name) of each storage account available in the current Azure subscription:

az storage account list \
	--query '[*].name'

02 The command output should return the requested identifiers (i.e. storage account names):

[
  "abcdabcdabcd123412341234",
  "123412341234abcdabcdabcd"
]

03 Run the storage account show command (Windows/macOS/Linux) using the name of the storage account that you want to examine as the identifier parameter and a custom query filter to get the default network access rule configuration for the selected storage account:

az storage account show \
	--name abcdabcdabcd123412341234 \
	--query 'networkRuleSet.defaultAction'

04 The command output should return the default action configured for the default network access rule:

"Allow"

If the command output returns "Allow", as shown in the example above, all networks, including the Internet, can access the selected Azure Storage account, therefore the default network access configuration is not compliant.

05 Repeat step no. 3 and 4 for each storage account available within the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
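The six CLI audit steps above can be run in one pass over every subscription. The following script is an added example, not Conformity's own tooling; it assumes the Azure CLI is installed and `az login` has been run, and it inspects the same networkRuleSet.defaultAction property as the manual steps. The parsing helpers take TSV records on stdin so they can be exercised without an Azure account.

```shell
#!/usr/bin/env sh
# Added example, not Conformity's own tooling: audit rule StorageAccounts-007
# across every subscription visible to the signed-in identity, using the same
# networkRuleSet.defaultAction property the manual steps above inspect.
# Assumes the Azure CLI is installed and `az login` has already been run.
set -eu

# Read "name<TAB>resourceGroup<TAB>defaultAction" records on stdin and print one
# line per non-compliant account. An empty action (no network rule set
# reported, e.g. a null networkRuleSet) is treated as "Allow" because such an
# account accepts traffic from all networks; only "Deny" is compliant.
noncompliant_from_tsv() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r name rg action; do
    [ -n "$name" ] || continue             # skip blank lines
    [ "${action:-Allow}" = "Deny" ] && continue
    printf '%s (%s) defaultAction=%s\n' "$name" "$rg" "${action:-Allow}"
  done
}

# Count non-compliant accounts in a TSV stream (usable as a CI gate).
count_noncompliant() {
  noncompliant_from_tsv | wc -l | tr -d ' '
}

# Audit steps 1-6 automated: one `az storage account list` per subscription
# instead of one `az storage account show` per account.
audit_all_subscriptions() {
  az account list --query '[].id' -o tsv | while read -r sub; do
    printf '== subscription %s\n' "$sub"
    az storage account list --subscription "$sub" \
      --query '[].[name,resourceGroup,networkRuleSet.defaultAction]' -o tsv \
      | noncompliant_from_tsv
  done
}

# Only contact Azure when explicitly asked, so the helpers can be tested offline.
if [ "${1:-}" = "--run" ]; then
  audit_all_subscriptions
fi
```

Run it as `sh audit.sh --run`; each printed line is a storage account whose default rule still allows all networks.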

Remediation / Resolution

To restrict default network access for your Microsoft Azure Storage accounts, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name of the Azure Storage account that you want to reconfigure (see Audit section part I to identify the right account).

04 In the navigation panel, under Settings, select Firewalls and virtual networks to open the network security configuration page for the selected storage account.

05 On the Firewalls and virtual networks page, choose Selected networks under Allow access from to show the network security configuration panel for the selected storage account.

06 On the configuration panel, perform the following:

  1. To secure your storage account with virtual networks, use + Add existing virtual network or + Add new virtual network options available in the Virtual networks section to attach an existing virtual network or create and attach a new one.
  2. To add IP ranges in order to allow access from the Internet or from your on-premises networks, use the configuration controls available within the Firewall section.
  3. To configure network access exceptions, use the controls available in the Exceptions section.

07 Once the network security configuration (firewall IP rules and virtual networks) for the selected storage account is complete, click Save to apply the changes. Note that the previous firewall settings, which allow access to the storage services, can remain in effect for up to a minute after you save the more restrictive settings.

08 Repeat steps no. 3 – 7 for each storage account available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run the storage account update command (Windows/macOS/Linux) using the name of the storage account that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right account) to restrict default network access to the selected Microsoft Azure Storage account:

az storage account update \
	--name abcdabcdabcd123412341234 \
	--default-action Deny

02 The command output should return the metadata available for the updated storage account:

{
  "accessTier": "Hot",
  "creationTime": "2019-04-21T26:17:20.351002+00:00",
  "enableAzureFilesAadIntegration": null,
  "enableHttpsTrafficOnly": false,
  "name": "abcdabcdabcd123412341234",
 
  ...
 
  "networkRuleSet": {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [],
    "virtualNetworkRules": []
  },
 
  ...
 
  "statusOfPrimary": "available",
  "statusOfSecondary": null,
  "tags": {
    "ms-resource-usage": "azure-cloud-shell"
  },
  "type": "Microsoft.Storage/storageAccounts"
}

03 Now that the default network rule denies all access to your storage account data, you must add network rules that grant access from your allowed networks only. As an example, the following configuration grants access to a specific on-premises network while blocking general Internet traffic. To grant access from your on-premises network only, run the storage account network-rule add command (Windows/macOS/Linux) to add a new network rule for an IP address range (e.g. 16.17.18.0/24):

az storage account network-rule add \
	--account-name abcdabcdabcd123412341234 \
	--ip-address 16.17.18.0/24

04 The command output should return the metadata available for the reconfigured Microsoft Azure Storage account:

{
  "accessTier": "Hot",
  "creationTime": "2019-04-21T26:17:20.351002+00:00",
  "enableAzureFilesAadIntegration": null,
  "enableHttpsTrafficOnly": false,
  "name": "abcdabcdabcd123412341234",
 
  ...
 
  "networkRuleSet": {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [
      {
        "action": "Allow",
        "ipAddressOrRange": "16.17.18.0/24"
      }
    ],
    "virtualNetworkRules": []
  },
 
  ...
 
  "statusOfPrimary": "available",
  "statusOfSecondary": null,
  "tags": {
    "ms-resource-usage": "azure-cloud-shell"
  },
  "type": "Microsoft.Storage/storageAccounts"
}

05 Repeat steps no. 1 – 4 for each storage account available in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Publication date Jun 12, 2019