Storage Accounts

Insecure Network Access Default Action

Risk Level: High

Description 

The plugin ensures that the storage account's network access is restricted and that the account is not accessible from all networks. Accounts should be configured to accept traffic from trusted networks only; by default, access is set to all networks.

About the Service

Storage Accounts: An Azure storage account is used to store the customer’s data objects such as files, queues, shares, etc. Storage accounts ensure high availability for clients, allot a unique namespace for the storage data, and are accessible from anywhere in the world over HTTP or HTTPS.

Impact  

Providing public access to storage accounts will hamper the system’s confidentiality and raise privacy concerns. Thus, it is suggested that users change the access level from all to selected networks and ensure that only authorized people get hold of the contents.

Steps to Reproduce

  1. Log in to the Azure Portal.
  2. Click on Storage accounts for Services.
  3. Select an account to check for the issue.
  4. From the navigation bar, select Networking from Security + networking.
  5. At Firewalls and virtual networks, if the value under "Public network access" is set to “Enabled from all networks”, go to the Steps for Remediation section.
  6. Repeat the process for other accounts as well.
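
The same check can be run across many accounts from exported account metadata. The following is an added example, not PingSafe's plugin code: it reads JSON shaped like the output of `az storage account list -o json` and maps the `publicNetworkAccess` and `networkRuleSet.defaultAction` properties to the portal's "Public network access" values. The sample accounts are constructed, and treating a missing rule set as "Allow" is an assumption based on the default described above.

```python
import json

# Constructed sample shaped like `az storage account list -o json` output
# (only the fields this check reads; account and group names are made up).
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "examplelogs01", "resourceGroup": "rg-example",
   "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices",
                      "ipRules": [], "virtualNetworkRules": []}},
  {"name": "examplebackup02", "resourceGroup": "rg-example",
   "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices",
                      "ipRules": [{"action": "Allow",
                                   "ipAddressOrRange": "203.0.113.0/24"}],
                      "virtualNetworkRules": []}},
  {"name": "exampleprivate03", "resourceGroup": "rg-example",
   "publicNetworkAccess": "Disabled",
   "networkRuleSet": {"defaultAction": "Allow", "bypass": "None",
                      "ipRules": [], "virtualNetworkRules": []}},
  {"name": "examplelegacy04", "resourceGroup": "rg-example",
   "publicNetworkAccess": null, "networkRuleSet": null}
]
"""


def classify(account):
    """Map one account to the portal's "Public network access" setting."""
    if account.get("publicNetworkAccess") == "Disabled":
        return "Disabled"
    rules = account.get("networkRuleSet") or {}
    # Assumption: a missing rule set or missing defaultAction is treated as
    # "Allow", matching the page's statement that the default is all networks.
    if rules.get("defaultAction", "Allow") == "Deny":
        return "Enabled from selected virtual networks and IP addresses"
    return "Enabled from all networks"


def find_open_accounts(accounts):
    """Return (resourceGroup, name) for accounts that accept all networks."""
    return [(a.get("resourceGroup"), a["name"]) for a in accounts
            if classify(a) == "Enabled from all networks"]


if __name__ == "__main__":
    for group, name in find_open_accounts(json.loads(SAMPLE_ACCOUNTS_JSON)):
        print(f"FAIL {group}/{name}: public network access enabled from all networks")
```

An account with `publicNetworkAccess` set to `Disabled` is not flagged even when its `defaultAction` is still `Allow`, because the public endpoint is closed regardless of the rule set.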

Steps for Remediation

  1. Log in to the Azure portal.
  2. Click on Storage accounts for Services.
  3. Select an account to remediate the issue.
  4. From the navigation bar, select Networking from Security + networking.
  5. Under Firewalls and virtual networks, under "Public network access", select "Enabled from selected virtual networks and IP addresses".
    1. To configure the virtual networks, select +Add existing virtual network or +Add new virtual network.
    2. Under Firewall, specify the IP addresses which can access the network from the internet.
    3. Under Resource Instances, specify the resource type and instance name if required. Then, select suitable exceptions under Exceptions.
  6. After configuring all the details, click on the Save button given at the top of the page.
  7. Repeat the process for other accounts as well.

Please feel free to reach out to support@pingsafe.com with any questions that you may have.

Thanks

PingSafe Support