Overview
Restricting default network access adds a layer of security, because storage accounts otherwise accept connections from clients on any network. The default action must be changed to limit access to selected networks.
Rationale
Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges to enable connections from specific internet or on-premises clients. Only applications from allowed networks can access a storage account when network rules are configured. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.
Impact
Every allowed network has to be explicitly added to the network rules of each storage account, creating administrative overhead. The change can interrupt network connectivity, so do not enable it on critical resources during business hours.
Default Value
By default, Storage Accounts will accept connections from clients on any network.
References
- https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security
- https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy
- https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls
Remediation guidance
Azure Remediation
Service-wide fix (recommended): use defaultAction = Deny as the baseline for storage accounts that still expose a public endpoint, and then explicitly allow only approved networks or Azure resource instances.
Azure portal
- Open the storage account.
- Go to Networking.
- Keep public network access enabled only if this storage account must still use the public endpoint.
- Set access to Enabled from selected virtual networks and IP addresses.
- Save the change and add the required virtual network, IP, resource instance, or private endpoint access paths.
Azure CLI
Set the default action to Deny:
az storage account update --name <storage-account-name> --resource-group <resource-group> --default-action Deny
Validate the effective rule:
az storage account show --name <storage-account-name> --resource-group <resource-group> --query '{publicNetworkAccess:publicNetworkAccess,defaultAction:networkRuleSet.defaultAction}'
Operational notes
- defaultAction = Deny affects only the public endpoint. If you want to block the public endpoint entirely, use the separate public-network-access control instead.
- Add allow rules or private endpoints before the cutover, otherwise applications can lose storage access immediately.
- Azure notes that network rule changes can take up to about a minute to become effective.
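The validation command above only prints the two fields; deciding what they mean still takes a little logic, because defaultAction governs the public endpoint only and a Deny with no allow rules leaves nothing but private endpoints able to reach the account. The following added example (written for this page, not part of the tool or Microsoft's documentation) evaluates records in the shape that `az storage account list -o json` returns, applies the same condition the stored check below uses (networkRuleSet.defaultAction is anything other than "Deny"), and prints the remediation command for each flagged account. The account records are constructed placeholders; the `resourceAccessRules` field is assumed to be present in real output but is omitted from the sample.

```python
import json

# Constructed sample records in the shape `az storage account list -o json` uses
# for the fields this control reads (trimmed to those fields; account names,
# resource groups and the subscription id are placeholders, not real resources).
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stprodlogs01", "resourceGroup": "rg-prod", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Deny", "ipRules": [],
     "virtualNetworkRules": [{"virtualNetworkResourceId":
       "/subscriptions/<sub-id>/resourceGroups/rg-prod/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/snet-app"}]}},
  {"name": "stdevscratch", "resourceGroup": "rg-dev", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}},
  {"name": "stprivonly", "resourceGroup": "rg-prod", "publicNetworkAccess": "Disabled",
   "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}},
  {"name": "stdenynorules", "resourceGroup": "rg-prod", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []}}
]
"""


def matches_stored_check(account):
    """True when the stored check would return this account: its
    networkRuleSet.defaultAction is anything other than "Deny" (the GraphQL
    filter is NOT defaultAction == "Deny"; a missing rule set counts as Allow)."""
    rules = account.get("networkRuleSet") or {}
    return rules.get("defaultAction") != "Deny"


def evaluate(account):
    """Classify one account's public-endpoint exposure. Returns (status, reason)."""
    pna = account.get("publicNetworkAccess") or "Enabled"   # Azure's default
    rules = account.get("networkRuleSet") or {}
    default_action = rules.get("defaultAction") or "Allow"  # Azure's default
    allow_rules = (len(rules.get("ipRules") or [])
                   + len(rules.get("virtualNetworkRules") or [])
                   + len(rules.get("resourceAccessRules") or []))  # assumed field name

    if pna == "Disabled":
        # Deny only governs the public endpoint; with the endpoint off it is moot,
        # but the stored check still flags a non-Deny value, so report it as such.
        if default_action == "Deny":
            return "compliant", "public endpoint disabled and defaultAction is Deny"
        return "noncompliant", "public endpoint disabled; defaultAction still Allow (low exposure, still flagged)"
    if default_action != "Deny":
        return "noncompliant", "public endpoint reachable from any network (defaultAction=Allow)"
    if allow_rules == 0:
        return "compliant", "defaultAction is Deny with no allow rules: only private endpoints can reach it"
    return "compliant", f"defaultAction is Deny with {allow_rules} explicit allow rule(s)"


def remediation_command(account):
    """The az command from the remediation section, filled in for this account."""
    return ("az storage account update --name {name} --resource-group {rg} "
            "--default-action Deny").format(name=account["name"], rg=account["resourceGroup"])


def run_check(accounts_json):
    """Return the names the stored check would report (expected: an empty list)
    and a per-account (status, reason) report."""
    accounts = json.loads(accounts_json)
    flagged = [a["name"] for a in accounts if matches_stored_check(a)]
    report = {a["name"]: evaluate(a) for a in accounts}
    return flagged, report


if __name__ == "__main__":
    flagged, report = run_check(SAMPLE_ACCOUNTS_JSON)
    for name, (status, reason) in report.items():
        print(f"{name:16s} {status:13s} {reason}")
    print("stored check passes:", flagged == [])
    for account in json.loads(SAMPLE_ACCOUNTS_JSON):
        if matches_stored_check(account):
            print("  fix:", remediation_command(account))
```

Run it against real output by replacing SAMPLE_ACCOUNTS_JSON with the text of `az storage account list -o json`; the "compliant, no allow rules" case is the one to review before a cutover, since the operational note above applies to it directly.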
References
- https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security-set-default-access
- https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security-overview
Query logic
These are the stored checks tied to this control.
Storage accounts with the default action not set to Deny
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { NOT: { networkRuleSetDefaultAction: "Deny" } }) {
...AssetFragment
}
}
Microsoft Azure