Description

The default network access rule for Azure Storage Accounts determines the level of access for all network traffic, including access from virtual networks, public IP addresses, and trusted services. Setting the default network access rule to Deny ensures that no unauthorized or unintended traffic can access the storage account, enhancing security by blocking all access unless explicitly allowed through defined firewall rules, virtual network (VNet) integration, or trusted Azure services.

Rationale

By setting the default network access rule to Deny, you reduce the attack surface of the storage account by blocking all traffic that is not explicitly allowed. This is essential for maintaining a strong security posture and ensuring that only trusted resources can access your storage accounts. This configuration is in line with security best practices and is particularly important for compliance with standards such as SOC 2, HIPAA, GDPR, and NIST, which require strict access controls to protect sensitive data.

Impact

Setting the default network access rule to Deny ensures that only traffic from specific networks or services is allowed to access the storage account. However, this may block legitimate access if firewall rules or network configurations are not properly set up. It is crucial to carefully configure allowed IP addresses, VNets, and trusted services to avoid disrupting business operations.

Default Value

By default, the network access rule for Azure Storage Accounts is set to Allow for public access. This should be changed to Deny to align with the security best practice of restricting network access.

Pre-requisites:

  • Azure account: Ensure you have the necessary permissions to configure the network access settings for Azure Storage Accounts.

  • Azure Storage Account: Ensure the storage account exists and is properly configured.

  • Permissions: You need appropriate permissions, such as Owner or Contributor role, to modify the storage account's network access settings.

Remediation:

Audit:

To check if the default network access rule is set to Deny for your Azure Storage Accounts:

  1. Sign in to the Azure portal using an account with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Check Network Access settings:

    • In the left-hand menu, under Settings, click on Firewalls and virtual networks.

    • Verify that the Default network access rule is set to Deny.
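The portal check above can also be scripted over the JSON that `az storage account list -o json` returns, which is useful when many storage accounts must be audited. The following Python script is an added example, not part of this control text: it embeds a constructed sample of that CLI output (account and resource group names are made up) and flags every account whose networkRuleSet.defaultAction is not Deny, treating a missing or null networkRuleSet as the platform default of Allow.

```python
import json

# Constructed sample of `az storage account list -o json`, trimmed to the
# fields this check needs. Account names and resource groups are invented;
# in practice, pass the real CLI output to audit_json().
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stlogsprod01", "resourceGroup": "rg-prod",
   "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Deny",
                      "ipRules": [], "virtualNetworkRules": []}},
  {"name": "stbackupdev", "resourceGroup": "rg-dev",
   "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Allow",
                      "ipRules": [], "virtualNetworkRules": []}},
  {"name": "stlegacy", "resourceGroup": "rg-legacy",
   "networkRuleSet": null}
]
"""


def default_action(account: dict) -> str:
    """Return the effective default network action for one storage account.

    A missing or null networkRuleSet means no firewall configuration was ever
    applied, so the account is still on the platform default, Allow.
    """
    rules = account.get("networkRuleSet") or {}
    return rules.get("defaultAction") or "Allow"


def audit(accounts: list) -> list:
    """Return the accounts that fail the control (default action is not Deny)."""
    findings = []
    for acct in accounts:
        action = default_action(acct)
        if action != "Deny":
            findings.append({"name": acct["name"],
                             "resourceGroup": acct.get("resourceGroup"),
                             "defaultAction": action})
    return findings


def audit_json(text: str) -> list:
    """Parse CLI JSON output and return the non-compliant accounts."""
    return audit(json.loads(text))


if __name__ == "__main__":
    for f in audit_json(SAMPLE_ACCOUNTS_JSON):
        print(f"NON-COMPLIANT {f['resourceGroup']}/{f['name']}: "
              f"defaultAction={f['defaultAction']}")
```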

Implementation:

To automatically enforce 'Deny' as the default network access rule across all Azure Storage Accounts, you can use Azure Policy.

  1. Create a custom Azure Policy to ensure the default network access rule is set to Deny:

    • Go to the Azure portal.

    • Navigate to Policy and click on Definitions.

    • Create a new Custom Policy with the following content:

{
  "properties": {
    "displayName": "Ensure Default Network Access Rule for Storage Accounts is Set to Deny",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy ensures that the default network access rule for storage accounts is set to Deny.",
    "parameters": {},
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "policyRule": {
      "if": {
        "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
        "notEquals": "Deny"
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}


  2. Assign the policy:

    • After creating the custom policy, assign it to the relevant subscriptions or resource groups to ensure that Deny is set as the default network access rule across all storage accounts.

Backout Plan:

To revert the default network access rule to Allow (not recommended from a security standpoint):

  1. Sign in to the Azure portal with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Go to Firewalls and virtual networks:

    • In the left-hand menu, under Settings, click on Firewalls and virtual networks.

  4. Change Default network access rule to Allow:

    • Set the Default network access rule to Allow if necessary and save the changes.

If the setting was enforced through Azure Policy, modify or remove the policy to allow a different default action.

References: