Skip to main content

πŸ“ Azure Storage Account Trusted Azure Services are not enabled as networking exceptions 🟒

  • Contextual name: πŸ“ Trusted Azure Services are not enabled as networking exceptions 🟒
  • ID: /ce/ca/azure/storage/trusted-azure-services-exceptions
  • Located in: πŸ“ Azure Storage

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-3179d53c1

Logic​

Description​

Open File

Description​

NOTE: This recommendation assumes that the Public network access parameter is set to Enabled from selected virtual networks and IP addresses. Please ensure the prerequisite recommendation has been implemented before proceeding:

  • Ensure Default Network Access Rule for Storage Accounts is Set to Deny

Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow Azure services on the trusted services list to access this storage account exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Data Box, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure File Sync, Azure HDInsight, Azure Import/Export, Azure Monitor, Azure Networking Services, and Azure Site Recovery (when registered in the subscription).

... see more

Remediation​

Open File

Remediation​

From Azure Portal​

  1. Go to Storage Accounts.
  2. For each storage account, under Security + networking, click Networking.
  3. Click on the Firewalls and virtual networks heading.
  4. Under Exceptions, check the box next to Allow Azure services on the trusted services list to access this storage account.
  5. Click Save.

From Azure CLI​

Use the below command to update bypass to Azure services:

az storage account update --name <StorageAccountName> --resource-group <resourceGroupName> --bypass AzureServices

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS Azure v1.1.0 β†’ πŸ’Ό 3.8 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access11
πŸ’Ό CIS Azure v1.3.0 β†’ πŸ’Ό 3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access - Level 2 (Manual)11
πŸ’Ό CIS Azure v1.4.0 β†’ πŸ’Ό 3.7 Ensure 'Trusted Microsoft Services' are Enabled for Storage Account Access - Level 2 (Automated)11
πŸ’Ό CIS Azure v1.5.0 β†’ πŸ’Ό 3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access - Level 2 (Automated)11
πŸ’Ό CIS Azure v2.0.0 β†’ πŸ’Ό 3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access - Level 2 (Automated)11
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access - Level 2 (Automated)11
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 4.8 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Secure Access43
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3747
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-17(1) Monitoring and Control (M)(H)1
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)47
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)47
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-17(1) Monitoring and Control (M)(H)1
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.1.2 Access to networks and network services1718
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.10 Acceptable use of information and other associated assets1114
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.15 Access control1416
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 6.7 Remote working55
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.1 User end point devices911
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.3 Information access restriction1011
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.4 Access to source code89
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1735
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4351
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities2125
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties58
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected82
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected69
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected67
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-17(1) Remote Access _ Monitoring and Control11