Description:
The setting "Allow Azure services on the trusted services list to access this storage account" enables Azure services that are on the trusted services list to bypass the firewall and access the storage account. This is particularly useful for services like Azure Backup, Azure Site Recovery, and others that require access to the storage account but need to work across network boundaries. Enabling this setting allows these services to communicate with your storage account securely, even if the storage account is protected by a network firewall.
Rationale:
Enabling this setting ensures that critical Azure services can seamlessly interact with your storage account while keeping it protected by a firewall. Without enabling this setting, these Azure services would be blocked by the storage account's firewall, potentially disrupting backup and recovery operations, or other critical automated processes. This setting enhances operational efficiency without compromising the security of the storage account, provided that the services accessing the account are trusted.
Impact:
Enabling this setting may increase the attack surface slightly, as it allows trusted services to access your storage account even if it is behind a firewall. However, the services allowed are part of the Azure ecosystem and are trusted, reducing the associated risk. It is a common practice to allow trusted Azure services access, especially in environments that rely on services such as backups, monitoring, or disaster recovery.
Default Value:
By default, this setting is disabled. It must be explicitly enabled if the services need to bypass the firewall for accessing the storage account.
Pre-requisites:
Azure account: Ensure you have sufficient permissions to configure Azure Storage Account settings.
Azure Storage Account: Ensure the storage account exists.
Permissions: You need appropriate permissions, such as Owner or Contributor role, to modify the storage account settings.
Remediation:
Audit:
To check if 'Allow Azure Services on the Trusted Services List to Access This Storage Account' is enabled:
Sign in to the Azure portal using an account with appropriate permissions.
Navigate to the Azure Storage Account.
Check firewall and virtual network settings:
In the left-hand menu, under Settings, click on Firewalls and virtual networks.
Ensure that the option Allow Azure services on the trusted services list to access this storage account is enabled.
Implementation:
To enforce this setting automatically for all Azure Storage Accounts, you can use Azure Policy.
Create a custom Azure Policy to ensure the setting is enabled:
Go to the Azure portal.
Navigate to Policy and click on Definitions.
Create a new Custom Policy with the following content:
{
  "properties": {
    "displayName": "Ensure Azure Services on Trusted Services List Can Access Storage Accounts",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy ensures that 'Allow Azure services on the trusted services list to access this storage account' is enabled for all Azure storage accounts.",
    "parameters": {},
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "policyRule": {
      "if": {
        "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass",
        "notContains": "AzureServices"
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
Note: networkAcls.bypass is a comma-separated string (for example "AzureServices, Logging, Metrics"), so the condition uses notContains rather than notEquals; an exact-match comparison would wrongly deny accounts that also bypass the firewall for Logging or Metrics.
Assign the policy:
After creating the policy, assign it to the relevant subscriptions or resource groups to ensure that Azure services on the trusted list can access all storage accounts.
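The following is an added example, not part of the benchmark text or Microsoft's tooling: it applies the Audit check and the policy's if-clause to storage account network rule sets offline, using the field names (networkRuleSet, defaultAction, bypass) that the Azure CLI returns; the sample accounts and their names are constructed.

```python
# Evaluate the trusted-services bypass setting on storage account network rule
# sets, the way an audit script or the Azure Policy rule above would.
# Input shape mirrors the `networkRuleSet` object from `az storage account list`.
from typing import Dict, List

TRUSTED = "AzureServices"

def bypass_flags(network_rule_set: Dict) -> List[str]:
    """`bypass` is a comma-separated string such as "AzureServices, Logging, Metrics"
    (or "None"); split it into normalised individual flags."""
    raw = network_rule_set.get("bypass") or "None"
    return [flag.strip().lower() for flag in raw.split(",") if flag.strip()]

def trusted_services_allowed(network_rule_set: Dict) -> bool:
    """True when Azure services on the trusted list may bypass the firewall."""
    return TRUSTED.lower() in bypass_flags(network_rule_set)

def audit(accounts: List[Dict]) -> Dict[str, str]:
    """Classify each account as 'compliant', 'non-compliant' or 'firewall-open'.
    defaultAction=Allow means the firewall restricts nothing, so the bypass flag
    has no effect there and the account needs separate attention."""
    result = {}
    for acct in accounts:
        nrs = acct["networkRuleSet"]
        if nrs.get("defaultAction", "Allow").lower() == "allow":
            result[acct["name"]] = "firewall-open"
        elif trusted_services_allowed(nrs):
            result[acct["name"]] = "compliant"
        else:
            result[acct["name"]] = "non-compliant"
    return result

def policy_matches(network_rule_set: Dict, condition: str) -> bool:
    """Mimic the policy's `if` clause on networkAcls.bypass. With "notEquals" an
    account whose bypass is "AzureServices, Logging, Metrics" is wrongly flagged;
    "notContains" only flags accounts that are missing the flag."""
    value = network_rule_set.get("bypass") or "None"
    if condition == "notEquals":
        return value.lower() != TRUSTED.lower()
    if condition == "notContains":
        return TRUSTED.lower() not in value.lower()
    raise ValueError(f"unsupported condition: {condition}")

# Constructed sample accounts (not real resources)
SAMPLE_ACCOUNTS = [
    {"name": "stbackup01", "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices"}},
    {"name": "stlogs02", "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices, Logging, Metrics"}},
    {"name": "stlocked03", "networkRuleSet": {"defaultAction": "Deny", "bypass": "None"}},
    {"name": "stpublic04", "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices"}},
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {status}")
```

Real input can be produced with `az storage account list --query "[].{name:name,networkRuleSet:networkRuleSet}"`. A deny effect only blocks non-compliant create and update requests, so accounts that already existed before the assignment show up only in the policy's compliance results and in an audit like this one.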
Backout Plan:
To revert the setting:
Sign in to the Azure portal with appropriate permissions.
Navigate to the Azure Storage Account.
Go to Firewalls and virtual networks:
In the left-hand menu, under Settings, click on Firewalls and virtual networks.
Disable the setting:
Change Allow Azure services on the trusted services list to access this storage account to Disabled.
If the setting was enforced via Azure Policy, modify or remove the policy to allow the setting to be disabled.