🛡️ Azure Storage Account Public Network Access is not disabled🟢
- Contextual name: 🛡️ Public Network Access is not disabled🟢
- ID: /ce/ca/azure/storage/disable-public-network-access
- Tags:
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Stats
not available
Logic
Similar Policies
- Cloud Conformity: Expire Shared Access Signature Tokens
Description
Disallowing public network access for a storage account overrides the public access settings for individual containers in that account: once the account is unreachable from the public internet, anonymous container or blob access settings no longer matter. This applies to Azure Resource Manager deployment model storage accounts. Storage accounts that used the classic deployment model were retired on August 31, 2024.
Rationale
Disabling public network access improves security by ensuring that a storage account is not reachable from the public internet. If public network access is required for a storage account, it should be restricted to selected networks by setting the default network access rule to Deny, adding only the IP and virtual network rules that are actually needed, and enabling the trusted Azure services exception where those services require access.
Two different settings are involved here and are easy to confuse. Public network access (the setting this policy checks) controls whether any request from the public internet reaches the account at all. Anonymous public access to containers and blobs is a separate, container-level setting: it is always turned off by default, must be explicitly configured, and grants read-only access without sharing the account key and without requiring a shared access signature. The default network configuration for a storage account (public network access enabled, default rule Allow) therefore permits a user with appropriate permissions to expose containers and blobs anonymously to the whole internet; disabling public network access closes that path regardless of the container settings. It is recommended not to provide public network access to storage accounts unless it is strongly desired. Where controlled, time-limited access to blob containers is needed, a shared access signature token or Azure AD (Microsoft Entra ID) RBAC should be used instead.
Remediation
From Azure Portal
First, follow Microsoft documentation and create shared access signature tokens for the blob containers that still need to be reached. Note that a SAS token does not bypass network rules: once public network access is disabled, a client presenting a valid SAS is still rejected unless it reaches the account through a private endpoint or another allowed path. Then disable public network access:
- Go to Storage Accounts.
- For each storage account, under the Security + networking section, click Networking.
- Set Public Network Access to Disabled.
- Click Save.
If public network access is required, set Public network access to Enabled from selected virtual networks and IP addresses, set the default network access rule to Deny, add the required network rules, and enable the trusted Azure services exception where those services need access.
From Azure CLI
Set Public Network Access to Disabled on the storage account:
```
az storage account update \
    --name {{storage-account-name}} \
    --resource-group {{resource-group-name}} \
    --public-network-access Disabled
```
If public network access is required, restrict access to selected networks and enable the trusted Azure services exception:
```
az storage account update \
```
... [see more](remediation.md)
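The following Python is an added example written for this page; it is not the policy's own evaluation logic and not Microsoft's code. It applies the check described in the Rationale and Remediation above to the JSON that `az storage account list -o json` returns, classifies each account as PASS (public network access disabled), RESTRICTED (enabled but default rule Deny) or FAIL (enabled and default rule Allow), and prints the matching `az` remediation command for both paths. The three accounts in `SAMPLE_ACCOUNTS_JSON` are constructed for the example: the names, resource groups and IP range are made up. One caveat the example handles: on accounts created before the setting existed, `publicNetworkAccess` comes back as `null`, which behaves as Enabled and must be treated as such.

```python
"""Evaluate storage accounts against 'Public Network Access is Disabled' and
emit the matching `az` remediation command.

Input is the list of account objects from `az storage account list -o json`,
trimmed to the fields the check needs. Example code, not the policy's own logic.
"""
import json
from dataclasses import dataclass

# Constructed sample of `az storage account list -o json` output. Names,
# resource groups and the IP range are made up for this example.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stlogsprod", "resourceGroup": "rg-logging",
   "publicNetworkAccess": "Disabled", "allowBlobPublicAccess": false,
   "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices",
                      "ipRules": [], "virtualNetworkRules": []}},
  {"name": "stappdata", "resourceGroup": "rg-app",
   "publicNetworkAccess": "Enabled", "allowBlobPublicAccess": false,
   "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices",
                      "ipRules": [{"value": "203.0.113.0/24"}],
                      "virtualNetworkRules": []}},
  {"name": "stlegacyweb", "resourceGroup": "rg-legacy",
   "publicNetworkAccess": "Enabled", "allowBlobPublicAccess": true,
   "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices",
                      "ipRules": [], "virtualNetworkRules": []}}
]
"""


@dataclass
class Finding:
    account: str
    status: str        # "PASS", "RESTRICTED" or "FAIL"
    reason: str
    remediation: str   # az command that brings the account to PASS ("" if already there)


def evaluate(acct: dict) -> Finding:
    """Apply the policy logic to one account record.

    PASS       - publicNetworkAccess is Disabled: no public-internet path exists,
                 whatever the container-level anonymous access settings say.
    RESTRICTED - public network access is on but the default rule is Deny, so only
                 listed IPs/VNets (plus trusted services via bypass) reach the
                 account. Acceptable only where public access is really required.
    FAIL       - public network access is on and the default rule is Allow.
    """
    name = acct["name"]
    rg = acct["resourceGroup"]
    # A null/absent publicNetworkAccess means the account predates the setting
    # and is reachable from the internet, i.e. it behaves as Enabled.
    pna = acct.get("publicNetworkAccess") or "Enabled"
    rules = acct.get("networkRuleSet") or {}
    default_action = rules.get("defaultAction", "Allow")
    disable_cmd = (f"az storage account update --name {name} "
                   f"--resource-group {rg} --public-network-access Disabled")

    if pna == "Disabled":
        return Finding(name, "PASS", "public network access disabled", "")
    if default_action == "Deny":
        return Finding(name, "RESTRICTED",
                       "public network access enabled but default action is Deny; "
                       "review ipRules/virtualNetworkRules", disable_cmd)
    # Enabled + Allow: reachable from any internet address. Call it out louder
    # when anonymous blob access is also on, since then no credential is needed.
    extra = " and allowBlobPublicAccess is true" if acct.get("allowBlobPublicAccess") else ""
    return Finding(name, "FAIL", f"default network action is Allow{extra}", disable_cmd)


def restrict_cmd(acct: dict) -> str:
    """The alternative remediation when public access is required: keep it
    enabled, deny by default, and let trusted Azure services through."""
    return (f"az storage account update --name {acct['name']} "
            f"--resource-group {acct['resourceGroup']} "
            f"--public-network-access Enabled --default-action Deny --bypass AzureServices")


def audit(accounts_json: str) -> list:
    """Evaluate every account in an `az storage account list -o json` document."""
    return [evaluate(a) for a in json.loads(accounts_json)]


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS_JSON):
        print(f"{f.status:10} {f.account}: {f.reason}")
        if f.remediation:
            print(f"           {f.remediation}")
```

Against a real subscription, feed it `az storage account list -o json` on stdin instead of the constructed sample; the RESTRICTED bucket is where a reviewer should spend time, because a Deny default with an over-broad IP rule is still public exposure in practice.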
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 CIS Azure v5.0.0 → 💼 9.3.2.2 Ensure that 'Public Network Access' is 'Disabled' for storage accounts (Automated) | 1 | no data | | | |
| 💼 CIS Azure v6.0.0 → 💼 9.3.2.2 Ensure that 'Public Network Access' is 'Disabled' for Storage Accounts (Automated) | 1 | no data | | | |
| 💼 Cloudaware Framework → 💼 Network Exposure | 137 | no data | | | |