Storage Account default network access rules should deny all traffic

Description

Storage accounts should be configured to deny access to traffic from all networks by default. Access can then be granted to traffic from specific Azure virtual networks, allowing a secure network boundary to be built for specific applications. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access the storage account. When calling from an allowed network, applications still require proper authorization (a valid access key or SAS token) to access the storage account.

Remediation Steps

Azure Portal

  • Navigate to Storage Accounts.

  • Select the storage account and in the left navigation, select Networking.

  • Select the Firewalls and virtual networks tab, and in the Allow access from section, select Selected networks.

  • Select Add existing network or Add new virtual network to allow access from that network.

  • Click Save.

Azure CLI

  • Update default-action to Deny:

    • az storage account update --name <StorageAccountName> --resource-group <resourceGroupName> --default-action Deny

Azure Resource Manager

{
  "properties": {
    "networkAcls" : {
      "defaultAction": "deny"
    }
  }
}

Example Configuration

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2021-06-01",
  "properties": {
    "networkAcls": {
      "defaultAction": "deny"
    },
    #other required fields here
  }
}
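The following audit script is an added example and is not part of the original page or of any Azure tooling. It parses the JSON that `az storage account list --output json` prints, treats a missing `networkRuleSet` as the service default (Allow, so all networks), flags every account whose `defaultAction` is not `Deny`, and emits the remediation command shown in the Azure CLI section for each finding. The field names (`networkRuleSet`, `defaultAction`, `ipRules`, `virtualNetworkRules`) are the camelCase names the CLI prints; the three sample accounts and the subscription placeholder in the resource id are constructed for this example.

```python
"""Audit Azure storage accounts for networkRuleSet.defaultAction == Deny.

Added example, not part of the original page. Input is shaped like the
output of `az storage account list --output json`; the sample below is
constructed for this example and the resource id is a placeholder.
"""
import json
import sys

# Constructed sample: one compliant account with a VNet rule and an IP rule,
# one account left at Allow, and one legacy account with no rule set at all.
SAMPLE_ACCOUNTS_JSON = """
[
  {
    "name": "stappprod001",
    "resourceGroup": "rg-app-prod",
    "networkRuleSet": {
      "defaultAction": "Deny",
      "bypass": "AzureServices",
      "ipRules": [{"ipAddressOrRange": "203.0.113.0/24", "action": "Allow"}],
      "virtualNetworkRules": [
        {"virtualNetworkResourceId": "/subscriptions/<subscriptionId>/resourceGroups/rg-app-prod/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-web",
         "action": "Allow", "state": "Succeeded"}
      ]
    }
  },
  {
    "name": "stlogsprod001",
    "resourceGroup": "rg-logs-prod",
    "networkRuleSet": {
      "defaultAction": "Allow",
      "bypass": "AzureServices",
      "ipRules": [],
      "virtualNetworkRules": []
    }
  },
  {
    "name": "stlegacy001",
    "resourceGroup": "rg-legacy",
    "networkRuleSet": null
  }
]
"""


def evaluate_account(account):
    """Return a finding dict for one storage account.

    An absent networkRuleSet is treated as the service default (Allow):
    such an account accepts traffic from all networks, so it fails.
    """
    rules = account.get("networkRuleSet") or {}
    default_action = (rules.get("defaultAction") or "Allow").lower()
    compliant = default_action == "deny"
    finding = {
        "name": account["name"],
        "resourceGroup": account["resourceGroup"],
        "defaultAction": default_action,
        "compliant": compliant,
        # How many explicit sources are allowed through the firewall.
        "allowedIpRules": len(rules.get("ipRules") or []),
        "allowedVnetRules": len(rules.get("virtualNetworkRules") or []),
    }
    if not compliant:
        # The CLI remediation from this page, filled in for the account.
        finding["remediation"] = (
            f"az storage account update --name {account['name']} "
            f"--resource-group {account['resourceGroup']} --default-action Deny"
        )
    return finding


def audit(accounts_json):
    """Parse `az storage account list` JSON and evaluate every account."""
    return [evaluate_account(a) for a in json.loads(accounts_json)]


def noncompliant(accounts_json):
    """Names of accounts whose default network action is not Deny."""
    return [f["name"] for f in audit(accounts_json) if not f["compliant"]]


if __name__ == "__main__":
    # Pipe real CLI output in, or fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ACCOUNTS_JSON
    for f in audit(data):
        status = "OK  " if f["compliant"] else "FAIL"
        print(f"{status} {f['resourceGroup']}/{f['name']}: "
              f"defaultAction={f['defaultAction']} "
              f"ipRules={f['allowedIpRules']} vnetRules={f['allowedVnetRules']}")
        if "remediation" in f:
            print("     " + f["remediation"])
```

Run it as `az storage account list --output json | python audit_storage_network.py` against a real subscription; the script name is arbitrary. The rule counts are printed alongside the verdict because an account that is technically compliant (`Deny`) but allows a long list of public IP ranges deserves a second look, even though this check only enforces the default action.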