Storage Accounts

Insecure Network Access Default Action

Risk Level: High

Description 

The plugin ensures that the storage account is restricted and is not accessible by all on the network. The accounts need to be configured for accepting traffic from trusted networks only by default it is set to all networks.

About the Service

Storage Accounts: An azure storage account is used to store the customer’s data objects such as files, queues, shares, etc. The storage accounts ensure high availability for the clients and allot a unique namespace for the storage data and are accessible from anywhere around the world using HTTP or HTTPS protocols.

Impact  

Providing public access to storage accounts will hamper the system’s confidentiality and raise privacy concerns. Thus, it is suggested that users change the access level from all to selected networks and ensure that only authorized people get hold of the contents.

Steps to Reproduce

  1. Log in to the Azure Portal.
  2. Click on Storage accounts for Services.
  3. Select an account to check for the issue.
  4. From the navigation bar, select Networking from Security + networking
  5. At Firewalls and virtual networks, if the value is set to “All networks” under “Allow access from”, go to the Steps for Remediation section.
  6. Repeat the process for other accounts as well.

Steps for Remediation

  1. Login to the Azure portal.
  2. Click on Storage accounts for Services.
  3. Select an account to remediate the issue.
  4. From the navigation bar, select Networking from Security + networking
  5. Under Firewalls and virtual networks, select “Selected networks” under “Allow access from”. 
    1. To configure the virtual networks select +Add existing virtual network or +Add new virtual network.
    2. Under Firewall specify the IP addresses which can access the network from the internet.
    3. Under Resource Instances specify the resource type and instance name if required. Then, select suitable exceptions under Exceptions. 
       
  6. After configuring all the details click on the Save button given at the top of the page.
  7. Repeat the process for other accounts as well.

Please feel free to reach out to support@pingsafe.ai with any questions that you may have.

Thanks

PingSafe Support