Description:

By default, storage accounts accept connections from clients on any network, so restricting default network access adds a layer of security. To limit access to selected networks, the default action must be changed from Allow to Deny.


Rationale:

Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can then be granted to traffic from specific Azure virtual networks, allowing a secure network boundary to be built for specific applications. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.


Impact:

When network rules are configured, only applications from allowed networks can access a storage account.


Default Value:

Default network access rule for Storage Accounts is set to Allow all networks.


Audit:

  1. Sign into your Azure account.

  2. Go to Storage Accounts

  3. For each storage account, click on the Networking setting under the Security + networking section.

  4. Check the status of the Allow access from setting. By default it is set to All networks, which is the non-compliant state.


Via Azure CLI:

az storage account list --query '[*].networkRuleSet'


Remediation:

Pre-requisites:

  1. An Azure account

  2. Azure Storage account

Implementation Steps:

  1. Go to Storage Accounts

  2. For each storage account, click on the Networking setting under the Security + networking section.

  3. Set the status of Allow access from setting to Selected Networks, add the networks/subnets you want to provide access to the storage account, and click on Save (if none is added then no network has access to storage account).


Via Azure CLI:

The command below updates the default-action of a storage account to Deny:

az storage account update --name <StorageAccountName> --resource-group <resourceGroupName> --default-action Deny
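The audit query and the remediation command above can be combined into one check. The script below is an added example, not part of the benchmark: it lists every storage account whose network default action is not Deny and prints the matching update command for each (printed, not executed). It assumes az is installed and logged in for the live path; when az is absent it runs against constructed sample rows.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit storage accounts whose network
# default action is still Allow (the "All networks" setting), and print the
# remediation command for each. Assumes `az` is installed and logged in for the
# live path; otherwise it falls back to constructed sample rows.

TAB=$(printf '\t')
# JMESPath query producing one "name<TAB>resourceGroup<TAB>defaultAction" row per account with -o tsv
AZ_QUERY='[].[name,resourceGroup,networkRuleSet.defaultAction]'

# Read audit rows on stdin; print "name resourceGroup" for every account not set to Deny.
flag_allow_all() {
    while IFS="$TAB" read -r name rg action; do
        [ -n "$name" ] || continue
        case "$action" in
            Deny) ;;                                  # compliant: selected networks only
            *)    printf '%s %s\n' "$name" "$rg" ;;   # Allow (or unset) means all networks
        esac
    done
}

# Build the remediation command from the page for one flagged account (printed, not executed).
remediation_cmd() {
    printf 'az storage account update --name %s --resource-group %s --default-action Deny\n' "$1" "$2"
}

# Fetch live rows when az is available; otherwise use constructed sample data (not real accounts).
audit_rows() {
    if command -v az >/dev/null 2>&1; then
        az storage account list --query "$AZ_QUERY" -o tsv
    else
        printf 'stlogs01\trg-prod\tAllow\nstbackup02\trg-prod\tDeny\nstdev03\trg-dev\tAllow\n'
    fi
}

audit_rows | flag_allow_all | while read -r name rg; do
    echo "NON-COMPLIANT: $name ($rg) accepts traffic from all networks"
    echo "  remediate with: $(remediation_cmd "$name" "$rg")"
done
```

Review the printed commands before running them: an account switched to Deny with no network rules added blocks every client until rules are configured, as the implementation steps note.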


Backout Plan:

  1. Go to Storage Accounts

  2. For each storage account, click on the Networking setting under the Security + networking section.

  3. Set the status of the Allow access from setting to All Networks (to allow all networks, including the internet, to access the storage account).

References: