Overview
Disallowing public network access for a storage account overrides the public access settings for individual containers in that storage account for Azure Resource Manager Deployment Model storage accounts. Azure Storage accounts that use the classic deployment model will be retired on August 31, 2024.
Rationale
The default network configuration for a storage account permits a user with appropriate permissions to configure public network access to containers and blobs in that storage account. Public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests; once enabled, it grants read-only access to those resources without sharing the account key or requiring a shared access signature. It is recommended not to allow public network access to storage accounts unless it is strongly required. A shared access signature token or RBAC should instead provide controlled, time-limited access to blob containers.
Impact
Access will have to be managed using shared access signatures or via RBAC.
Default Value
By default, Public Network Access is set to Enabled from all networks for the Storage Account.
Remediation guidance
From Azure Portal
First, follow Microsoft documentation and create shared access signature tokens for your blob containers. Then:
- Open the storage account in the Azure Portal using the Open in Azure button.
- Under the Security + networking section, click Networking.
- Set Public Network Access to Disabled.
From Azure CLI
az storage account update --name <storage_account> --resource-group <resource_group> --public-network-access Disabled
From PowerShell
Set-AzStorageAccount -ResourceGroupName <rg_name> -Name <storage_account_name> -PublicNetworkAccess Disabled
Multiple Remediation Paths
Azure
SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.
PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.
References for Service-Wide Patterns
- Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
- Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
- Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Azure Storage Accounts Allowing Public Network Access
Connectors: Microsoft Azure
Covered asset types
Expected check: eq []
{
  storageAccounts(where: { NOT: { publicNetworkAccess: "Disabled" } }) {
    ...AssetFragment
  }
}
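As an added example (not part of this control page or of any Azure tooling), the script below evaluates the stored check offline over a constructed sample shaped like `az storage account list -o json` output, and prints the Azure CLI remediation command from the guidance above for each non-compliant account. It assumes that an account whose publicNetworkAccess property is missing or null is reported that way when the setting was never set explicitly, and treats it as not Disabled, exactly as the query's NOT filter would.

```python
"""Offline evaluation of the control's check: publicNetworkAccess != "Disabled"."""
import json

# Constructed sample, not real output. Note the null value on stlegacy and the
# lowercase value on stdev: both must be reported as non-compliant.
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {"name": "stprodlogs", "resourceGroup": "rg-prod", "publicNetworkAccess": "Enabled"},
    {"name": "stprivate", "resourceGroup": "rg-prod", "publicNetworkAccess": "Disabled"},
    {"name": "stlegacy", "resourceGroup": "rg-legacy", "publicNetworkAccess": None},
    {"name": "stdev", "resourceGroup": "rg-dev", "publicNetworkAccess": "enabled"},
])


def is_compliant(account: dict) -> bool:
    """True only when public network access is explicitly Disabled.

    A missing or null property is an assumption-driven fail-closed case: the
    portal default is "Enabled from all networks", so absence is non-compliant.
    """
    value = account.get("publicNetworkAccess")
    return isinstance(value, str) and value.lower() == "disabled"


def find_noncompliant(accounts_json: str) -> list:
    """Mirror of the stored query: every account NOT set to Disabled."""
    return [acct for acct in json.loads(accounts_json) if not is_compliant(acct)]


def remediation_command(account: dict) -> str:
    """Asset-level remediation from the guidance above, filled in per account."""
    return (
        f"az storage account update --name {account['name']} "
        f"--resource-group {account['resourceGroup']} "
        f"--public-network-access Disabled"
    )


def main() -> None:
    findings = find_noncompliant(SAMPLE_ACCOUNTS_JSON)
    # Expected check is "eq []": any finding means the control fails.
    print(f"{len(findings)} non-compliant storage account(s)")
    for acct in findings:
        print(remediation_command(acct))


if __name__ == "__main__":
    main()
```

Replace SAMPLE_ACCOUNTS_JSON with the real `az storage account list -o json` output to produce remediation commands for a subscription; review each command before running it, since disabling public access also blocks any clients not yet moved to private endpoints or SAS-based access.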