Description:
Restricting default network access adds a layer of security, because by default a storage account accepts connections from clients on any network. To limit access to selected networks, the default action must be changed from Allow to Deny and the permitted networks added explicitly.
Rationale:
Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.
Impact:
When network rules are configured, only clients on the allowed networks can reach the storage account. Anything outside the allow list, including an administrator's workstation on an unlisted public IP, is refused at the network layer, so record the required IP ranges and subnets before changing the default action.
Default Value:
The default network access rule for a storage account is Allow all networks (defaultAction: Allow).
Audit:
Sign into your Azure account.
Go to Storage Accounts
For each storage account, click on the Networking setting under the Security + networking section.
Check the status of the Allow access from setting. An account showing All networks (the default) is a finding; a compliant account shows Selected networks with the required networks listed.
Via Azure CLI:
az storage account list --query '[*].networkRuleSet'
Ensure that defaultAction is Deny for every account returned.
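The audit above leaves the reviewer to read the JSON by eye. The following script is an added example, not part of this benchmark item or of the Azure CLI: it consumes the output of az storage account list -o json (piped on stdin, or the constructed sample embedded below), classifies each account by the networkRuleSet fields the CLI emits (defaultAction, ipRules, virtualNetworkRules), flags the edge case noted under Remediation where the default is Deny but no network has been allowed, and prints the remediation command from the next section for each failing account. Account names, resource groups and the sample subnet ID are invented for the example.

```python
import json
import sys

# Constructed sample of `az storage account list -o json`, trimmed to the fields
# this check reads. Field names follow the Azure CLI output schema; names, groups
# and IDs are invented for the example.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stpublic01", "resourceGroup": "rg-app",
   "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Allow",
                      "ipRules": [], "virtualNetworkRules": []}},
  {"name": "stlocked02", "resourceGroup": "rg-app",
   "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Deny",
                      "ipRules": [], "virtualNetworkRules": []}},
  {"name": "stvnet03", "resourceGroup": "rg-data",
   "networkRuleSet": {"bypass": "None", "defaultAction": "Deny",
                      "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
                      "virtualNetworkRules": [{"action": "Allow",
                        "virtualNetworkResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app"}]}}
]
"""


def classify(account):
    """Return (status, reason) for one account dict from the CLI output.

    FAIL: defaultAction is not Deny, so the account is reachable from any network.
    WARN: defaultAction is Deny but no IP or VNet rule exists, so no network can reach
          it (the lock-out case the Remediation steps warn about).
    PASS: defaultAction is Deny and at least one network is explicitly allowed.
    """
    rules = account.get("networkRuleSet") or {}
    # A missing ruleset is treated as the Azure default, Allow.
    default_action = rules.get("defaultAction", "Allow")
    ip_rules = rules.get("ipRules") or []
    vnet_rules = rules.get("virtualNetworkRules") or []
    if default_action != "Deny":
        return "FAIL", "defaultAction is %s: reachable from any network" % default_action
    if not ip_rules and not vnet_rules:
        return "WARN", "defaultAction is Deny but no IP or VNet rules: no network can reach this account"
    return "PASS", "defaultAction is Deny with %d IP rule(s) and %d VNet rule(s)" % (
        len(ip_rules), len(vnet_rules))


def audit(accounts_json):
    """Map account name -> (status, reason) for every account in the CLI JSON."""
    return {acct["name"]: classify(acct) for acct in json.loads(accounts_json)}


def remediation_commands(accounts_json):
    """Build the `az storage account update --default-action Deny` command for each FAIL."""
    cmds = []
    for acct in json.loads(accounts_json):
        status, _ = classify(acct)
        if status == "FAIL":
            cmds.append("az storage account update --name %s --resource-group %s --default-action Deny"
                        % (acct["name"], acct["resourceGroup"]))
    return cmds


if __name__ == "__main__":
    # Usage: az storage account list -o json | python3 audit_storage_network.py
    # With no piped input the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ACCOUNTS_JSON
    for name, (status, reason) in sorted(audit(data).items()):
        print("%-5s %-20s %s" % (status, name, reason))
    for cmd in remediation_commands(data):
        print("remediate: " + cmd)
```

The WARN state is deliberately separate from PASS: it satisfies the benchmark check (default action is Deny) but usually means an operator changed the default without adding the required networks, which is an outage rather than a hardening.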
Remediation:
Pre-requisites:
An Azure account
Azure Storage account
Implementation Steps:
Go to Storage Accounts
For each storage account, click on the Networking setting under the Security + networking section.
Set the Allow access from setting to Selected networks, add the virtual network subnets and public IP ranges that need to reach the storage account, and click Save. If no network is added, no network has access to the storage account.
Via Azure CLI:
The following command sets the default action to Deny. Add the permitted IP ranges and subnets (for example with az storage account network-rule add) before or immediately after running it, otherwise all network access is blocked:
az storage account update --name <StorageAccountName> --resource-group <resourceGroupName> --default-action Deny
Backout Plan:
Go to Storage Accounts
For each storage account, click on the Networking setting under the Security + networking section.
Set the Allow access from setting to All networks to let all networks, including the internet, access the storage account again.