Description: 

The 'Public Network Access' setting on an Azure Storage Account controls whether the account's service endpoints (blob, file, queue and table) accept connections from the public internet at all. When it is set to Disabled, the account is reachable only through private endpoints (Azure Private Link) from the virtual networks you attach them to; the account firewall's IP rules, virtual network rules and trusted-service exceptions no longer come into play because no public path exists. This removes the account's public attack surface rather than merely filtering it, which is why it is a stronger control than a firewall allow-list.

Rationale:

Disabling 'Public Network Access' removes the storage account from the set of targets an internet attacker can reach directly, so leaked keys, SAS tokens or misconfigured container ACLs can only be exploited from inside your private network. This matters most for accounts holding sensitive or regulated data, and it supports requirements in frameworks such as SOC 2, GDPR, HIPAA and NIST for restricting network exposure of such data.

Impact:

Disabling public network access breaks every client that reaches the account over its public endpoint: applications hosted on-premises or in other clouds without a Private Link path, developer tooling on workstations, and the portal's own data browser unless you use it from a connected network. Exceptions granted by the account firewall (IP rules, virtual network rules and the trusted Azure services bypass) only apply while public access is enabled from selected networks, so they do not soften this change. Inventory every consumer first, give each one a private endpoint or a route through a connected virtual network, and only then flip the setting.

Default Value

By default, 'Public Network Access' is Enabled from all networks for new Azure Storage Accounts. The portal exposes three states: Enabled from all networks (the ARM property publicNetworkAccess is Enabled and the firewall default action is Allow), Enabled from selected virtual networks and IP addresses (publicNetworkAccess Enabled, default action Deny), and Disabled (publicNetworkAccess Disabled). Only the last state satisfies this control; it must be set explicitly.

Pre-requisites:

  • Azure account: Ensure you have sufficient permissions to configure the storage account settings.

  • Azure Storage Account: Ensure the storage account exists.

  • Permissions: You need appropriate permissions, such as Owner or Contributor role, to modify the storage account settings.

Remediation:

Audit:

To check if 'Public Network Access' is disabled for your Azure Storage Accounts:

  1. Sign in to the Azure portal using an account with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Check Public Network Access settings:

    • In the left-hand menu, under Security + networking, click Networking and open the Firewalls and virtual networks tab (older portal layouts list this page as Firewalls and virtual networks under Settings).

    • Verify that 'Public network access' is set to Disabled. 'Enabled from selected virtual networks and IP addresses' is not sufficient: the public endpoint still exists and is governed only by the firewall rules.
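Clicking through the portal does not scale past a handful of accounts. The following is an added example (not part of the original guide or of Microsoft's tooling) that classifies the effective exposure of each account from the JSON that `az storage account list --output json` returns, distinguishing the three states described above. The input is a constructed sample in that shape; field names (publicNetworkAccess, networkRuleSet.defaultAction, bypass, ipRules, virtualNetworkRules) follow the CLI's output. A null publicNetworkAccess, which older accounts can report, is treated as Enabled; that is an assumption stated here and in the code.

```python
"""Classify Azure Storage accounts by effective public exposure.

Added example, not the guide's own code. Feed it the parsed output of
`az storage account list --output json`; the constructed sample below lets it
run offline.
"""
import json
from typing import Any

# Constructed sample in the shape of `az storage account list` output.
SAMPLE_JSON = json.dumps([
    {"name": "stlocked", "publicNetworkAccess": "Disabled",
     "networkRuleSet": {"defaultAction": "Deny", "bypass": "None",
                        "ipRules": [], "virtualNetworkRules": []}},
    {"name": "stselected", "publicNetworkAccess": "Enabled",
     "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices",
                        "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
                        "virtualNetworkRules": []}},
    {"name": "stopen", "publicNetworkAccess": "Enabled",
     "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices",
                        "ipRules": [], "virtualNetworkRules": []}},
    {"name": "stmixed", "publicNetworkAccess": "Disabled",
     "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices",
                        "ipRules": [{"value": "198.51.100.7", "action": "Allow"}],
                        "virtualNetworkRules": []}},
])


def sample_accounts() -> list[dict[str, Any]]:
    return json.loads(SAMPLE_JSON)


def classify_account(acct: dict[str, Any]) -> dict[str, Any]:
    """Derive one account's effective exposure.

    publicNetworkAccess is the authoritative switch; networkRuleSet only matters
    while it is Enabled. A null value is treated as Enabled (assumption: that is
    how accounts created before the property existed behave).
    """
    pna = (acct.get("publicNetworkAccess") or "Enabled").lower()
    rules = acct.get("networkRuleSet") or {}
    default_action = (rules.get("defaultAction") or "Allow").lower()
    bypass = (rules.get("bypass") or "None").lower()
    ip_rules = rules.get("ipRules") or []
    vnet_rules = rules.get("virtualNetworkRules") or []
    findings: list[str] = []

    if pna == "disabled":
        exposure = "Disabled"
        if default_action == "allow" or ip_rules or vnet_rules:
            findings.append("firewall rules are inert while public access is Disabled")
    elif default_action == "deny":
        exposure = "Enabled from selected virtual networks and IP addresses"
        findings.append(f"{len(ip_rules)} IP rule(s), {len(vnet_rules)} VNet rule(s)")
        if "azureservices" in bypass:
            findings.append("trusted Azure services bypass the firewall")
    else:
        exposure = "Enabled from all networks"
        findings.append("reachable from any internet address; only authentication protects the data")

    return {"name": acct.get("name"), "exposure": exposure,
            "compliant": exposure == "Disabled", "findings": findings}


def classify_accounts(accounts: list[dict[str, Any]]) -> list[dict[str, Any]]:
    return [classify_account(a) for a in accounts]


def exposure_by_name(accounts: list[dict[str, Any]]) -> dict[str, dict[str, Any]]:
    return {r["name"]: r for r in classify_accounts(accounts)}


def noncompliant_names(accounts: list[dict[str, Any]]) -> list[str]:
    """Accounts that fail this control, i.e. anything other than Disabled."""
    return sorted(r["name"] for r in classify_accounts(accounts) if not r["compliant"])


if __name__ == "__main__":
    for r in classify_accounts(sample_accounts()):
        status = "PASS" if r["compliant"] else "FAIL"
        detail = "; ".join(r["findings"])
        print(f"{status} {r['name']}: {r['exposure']}" + (f" | {detail}" if detail else ""))
```

Run it as `az storage account list --output json | python3 audit_pna.py` after replacing the sample with `json.load(sys.stdin)`. Note that `stmixed` passes even though its firewall default is Allow: the firewall is irrelevant once the public endpoint is gone, which is exactly why an audit keyed on the firewall default alone gives wrong answers in both directions.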

Implementation:

To enforce 'Public Network Access' as Disabled across all Azure Storage Accounts, use Azure Policy. A definition with the deny effect rejects any create or update request that would leave public access enabled, and reports existing accounts that already violate the rule as non-compliant.

  1. Create a custom Azure Policy to ensure public network access is disabled:

    • Go to the Azure portal.

    • Navigate to Policy and click on Definitions.

    • Create a new Custom Policy with the following content:

{
  "properties": {
    "displayName": "Ensure Public Network Access is Disabled for Storage Accounts",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy ensures that 'Public Network Access' is disabled for all Azure storage accounts to restrict access over the public internet.",
    "parameters": {},
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}


  2. Assign the policy:

    • After creating the custom policy, assign it to the relevant management groups, subscriptions or resource groups. Assign it with the Audit effect first to see which existing accounts would be affected, then switch to Deny once their clients have private endpoints. Deny blocks every update to a non-compliant account, including unrelated changes such as tagging, until the account is fixed; if you want Azure to set the property itself, a Modify effect on the same publicNetworkAccess alias can do that with a remediation task.
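A custom policy with the deny effect is cheap to get wrong and expensive to debug after assignment. The following is an added example, not part of the original guide or of Microsoft's tooling: a small offline evaluator for the subset of the Azure Policy rule language the definition above uses (`field`, `equals`, `notEquals`, `allOf`, `anyOf`, `not`). It resolves `Microsoft.Storage/storageAccounts/...` aliases against a resource's `properties` by dotted path and compares strings case-insensitively, as Azure Policy does. The sample resources are constructed ARM-shaped documents; `RULE_DEFAULT_ACTION` is the rule that keys on the firewall default instead of the publicNetworkAccess switch, included to show where it misfires.

```python
"""Offline evaluator for a subset of the Azure Policy rule language.

Added example, not the guide's own code and not Microsoft tooling. Use it to
unit-test a custom rule against representative resources before assigning it
with the deny effect.
"""
from typing import Any

STORAGE_TYPE = "Microsoft.Storage/storageAccounts"

# Rule from the custom policy definition in this guide: type guard + switch check.
RULE_PUBLIC_ACCESS = {
    "if": {"allOf": [
        {"field": "type", "equals": STORAGE_TYPE},
        {"field": f"{STORAGE_TYPE}/publicNetworkAccess", "notEquals": "Disabled"},
    ]},
    "then": {"effect": "deny"},
}

# A tempting but wrong rule: it checks the firewall default, not the public switch.
RULE_DEFAULT_ACTION = {
    "if": {"field": f"{STORAGE_TYPE}/networkAcls.defaultAction", "equals": "Allow"},
    "then": {"effect": "deny"},
}

# Constructed resources in ARM shape. publicNetworkAccess is absent on stlegacy,
# as it can be on accounts older than the property (assumption noted in lead-in).
SAMPLE_RESOURCES = [
    {"name": "stlocked", "type": STORAGE_TYPE,
     "properties": {"publicNetworkAccess": "Disabled", "networkAcls": {"defaultAction": "Allow"}}},
    {"name": "stselected", "type": STORAGE_TYPE,
     "properties": {"publicNetworkAccess": "Enabled", "networkAcls": {"defaultAction": "Deny"}}},
    {"name": "stopen", "type": STORAGE_TYPE,
     "properties": {"publicNetworkAccess": "Enabled", "networkAcls": {"defaultAction": "Allow"}}},
    {"name": "stlegacy", "type": STORAGE_TYPE,
     "properties": {"networkAcls": {"defaultAction": "Allow"}}},
    {"name": "kvunrelated", "type": "Microsoft.KeyVault/vaults",
     "properties": {"publicNetworkAccess": "Enabled"}},
]


def _resolve_field(field: str, resource: dict[str, Any]) -> Any:
    """Map a policy field/alias onto the resource body; None when not present."""
    if field.lower() == "type":
        return resource.get("type")
    prefix = STORAGE_TYPE.lower() + "/"
    if not field.lower().startswith(prefix):
        return None  # alias belongs to another resource type: nothing to read
    node: Any = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def _norm(value: Any) -> Any:
    return value.lower() if isinstance(value, str) else value


def evaluate(cond: dict[str, Any], resource: dict[str, Any]) -> bool:
    """True when the condition matches the resource."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    value = _norm(_resolve_field(cond["field"], resource))
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "notEquals" in cond:
        return value != _norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")


def decision(rule: dict[str, Any], resource: dict[str, Any]) -> str:
    """The rule's effect when its 'if' matches, otherwise 'allow'."""
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else "allow"


def decisions(rule: dict[str, Any], resources: list[dict[str, Any]]) -> dict[str, str]:
    return {r["name"]: decision(rule, r) for r in resources}


if __name__ == "__main__":
    for label, rule in (("publicNetworkAccess rule", RULE_PUBLIC_ACCESS),
                        ("defaultAction rule", RULE_DEFAULT_ACTION)):
        print(label, decisions(rule, SAMPLE_RESOURCES))
```

Two things the output makes visible. First, `RULE_DEFAULT_ACTION` denies `stlocked` (compliant, firewall default left at Allow) and allows `stselected` (public endpoint still open behind firewall rules), so it fails in both directions. Second, `notEquals` is true when the property is absent, which is what you want for `stlegacy` but also why the `type` guard matters: without it the same condition would fire on every resource the assignment scope contains, as the key vault entry shows if you remove the guard.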

Backout Plan:

To revert the 'Public Network Access' setting to Enabled:

  1. Sign in to the Azure portal with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Go to Firewalls and virtual networks:

    • In the left-hand menu, under Security + networking, click Networking and open the Firewalls and virtual networks tab.

  4. Enable Public Network Access:

    • Set 'Public network access' to Enabled from selected virtual networks and IP addresses (and add only the rules you need) rather than Enabled from all networks, then save the changes.

If the setting was enforced via Azure Policy with the deny effect, the update that re-enables public access will itself be rejected. Create a policy exemption for the affected account, or change the assignment's effect, before changing the setting; a newly created exemption can take a few minutes to be honoured.

References: