Azure Storage Account Public Network Access is not disabled
- Contextual name: Public Network Access is not disabled
- ID: /ce/ca/azure/storage/disable-public-network-access
- Located in: Azure Storage
Flags
- Policy with categories
- Policy with type
- Production policy
Our Metadata
- Policy Type: COMPLIANCE_POLICY
- Policy Category: SECURITY
Similar Policies
- Cloud Conformity
Logic
- prod.logic.yaml
Description
Disallowing public network access for a storage account overrides the public access settings for individual containers in that storage account for Azure Resource Manager Deployment Model storage accounts. Azure Storage accounts that use the classic deployment model will be retired on August 31, 2024.
Rationale
The default network configuration for a storage account permits a user with appropriate permissions to configure public network access to containers and blobs in that storage account. Keep in mind that public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. Public access grants read-only access to these resources without sharing the account key and without requiring a shared access signature. It is recommended not to provide public network access to storage accounts until, and unless, it is strongly desired. A shared access signature token or Azure AD RBAC should be used instead to provide controlled and time-limited access to blob containers.
Impact
Remediation
From Azure Portal
First, follow Microsoft documentation and create shared access signature tokens for your blob containers. Then:
- Go to Storage Accounts.
- For each storage account, under the Security + networking section, click Networking.
- Set Public Network Access to Disabled.
- Click Save.
From Azure CLI
Set Public Network Access to Disabled on the storage account:
az storage account update --name <storage-account> --resource-group <resource-group> --public-network-access Disabled
From PowerShell
For each Storage Account, run the following to set the PublicNetworkAccess setting to Disabled:
Set-AzStorageAccount -ResourceGroupName <resource group name> -Name <storage account name> -PublicNetworkAccess Disabled
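As an added example that is not part of this policy page or its prod.logic.yaml, the following Python check evaluates the JSON returned by `az storage account list` against this policy and emits the Azure CLI remediation command above for each failing account. The inventory is constructed, the account names are made up, and treating a missing or null publicNetworkAccess value as not disabled is an assumption made so that unset accounts are reported rather than silently passed.

```python
import json

# Constructed sample in the shape returned by:
#   az storage account list \
#     --query "[].{name:name,resourceGroup:resourceGroup,publicNetworkAccess:publicNetworkAccess}" -o json
# These are not real accounts; the null value models an account where the property was never set.
SAMPLE_INVENTORY = json.dumps([
    {"name": "stlogsprod01", "resourceGroup": "rg-prod", "publicNetworkAccess": "Disabled"},
    {"name": "stbackups02", "resourceGroup": "rg-prod", "publicNetworkAccess": "Enabled"},
    {"name": "stlegacy03", "resourceGroup": "rg-legacy", "publicNetworkAccess": None},
])


def is_public_network_access_disabled(account):
    """Return True only when publicNetworkAccess is explicitly 'Disabled'.

    Assumption: a missing or null value counts as not disabled, so the account
    is flagged for review instead of being treated as compliant.
    """
    value = account.get("publicNetworkAccess")
    return isinstance(value, str) and value.lower() == "disabled"


def find_noncompliant(inventory_json):
    """Parse the CLI inventory JSON and return the accounts that fail this policy."""
    accounts = json.loads(inventory_json)
    return [a for a in accounts if not is_public_network_access_disabled(a)]


def remediation_commands(inventory_json):
    """Build the Azure CLI command from the remediation section for each failing account."""
    return [
        "az storage account update --name {name} --resource-group {rg} "
        "--public-network-access Disabled".format(name=a["name"], rg=a["resourceGroup"])
        for a in find_noncompliant(inventory_json)
    ]


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_INVENTORY):
        print(cmd)
```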
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| CIS Azure v2.1.0 → 3.7 Ensure that 'Public Network Access' is 'Disabled' for storage accounts - Level 1 (Automated) | 1 | | | |
| CIS Azure v3.0.0 → 4.6 Ensure that 'Public Network Access' is 'Disabled' for storage accounts (Automated) | 1 | | | |
| Cloudaware Framework → Public and Anonymous Access | 24 | | | |