Ensure default network access rule for Storage Accounts is set to deny

Risk Level: High
Azure Storage Account
Rule ID: D9.AZU.NET.24
Category: Storage
Restricting default network access adds a layer of security, because by default storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.

GSL logic

StorageAccount should not have networkRuleSet.defaultAction='Allow'

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read.


Remediation

1. Go to Storage Accounts.
2. For each storage account, click on the settings menu called Firewalls and virtual networks.
3. Ensure that you have elected to allow access from Selected networks.
4. Add rules to allow traffic from specific networks.
5. Click Save to apply your changes.

Azure Command Line Interface 2.0

Use the below command to update default-action to Deny.
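
The following is an added example, not part of the original rule page or of Dome9's own code: it evaluates the GSL condition above against JSON shaped like `az storage account list` output and builds the `az storage account update ... --default-action Deny` call for each failing account. The account names, resource groups and IP range are constructed sample data, and treating a missing `networkRuleSet` as Allow is an assumption of this example.

```python
import json
import shlex

# Constructed sample shaped like `az storage account list` output (not real accounts).
SAMPLE = json.loads("""
[
  {"name": "stlogsprod", "resourceGroup": "rg-logs",
   "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}},
  {"name": "stappdata", "resourceGroup": "rg-app",
   "networkRuleSet": {"defaultAction": "Deny",
                      "ipRules": [{"ipAddressOrRange": "203.0.113.0/24", "action": "Allow"}],
                      "virtualNetworkRules": []}},
  {"name": "stlegacy", "resourceGroup": "rg(old)", "networkRuleSet": null}
]
""")


def default_action(account):
    """Effective default action. Assumption: a missing rule set is treated as Allow."""
    rules = account.get("networkRuleSet") or {}
    return str(rules.get("defaultAction") or "Allow").capitalize()


def failing_accounts(accounts):
    """Accounts violating: StorageAccount should not have networkRuleSet.defaultAction='Allow'."""
    return [a for a in accounts if default_action(a) == "Allow"]


def remediation_command(account):
    """Build the az CLI call that sets the default action to Deny (quoted for a POSIX shell)."""
    return " ".join([
        "az storage account update",
        "--name", shlex.quote(account["name"]),
        "--resource-group", shlex.quote(account["resourceGroup"]),
        "--default-action Deny",
    ])


def allow_list_is_empty(account):
    """True when no IP rule and no virtual network rule exists on the account yet."""
    rules = account.get("networkRuleSet") or {}
    return not rules.get("ipRules") and not rules.get("virtualNetworkRules")


if __name__ == "__main__":
    for acct in failing_accounts(SAMPLE):
        note = "  # add network rules first (step 4)" if allow_list_is_empty(acct) else ""
        print(remediation_command(acct) + note)
```

Accounts flagged with an empty allow list should get their network rules (step 4) before the default action is switched, since the CLI change takes effect as soon as it is applied.
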
References
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

CIS140 BP_0318