MEDIUM
Source: CloudSploit
ID: network-access-default-action

Network Access Default Action

Ensures that Storage Account access is restricted to trusted networks

Storage Accounts should be configured to accept traffic only from trusted networks. By default, all networks are selected, but this can be changed when creating a new storage account or in the firewall settings.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log in to the Microsoft Azure Management Console.

  2. Select the “Search resources, services, and docs” option at the top and search for “Storage accounts”.

  3. Select the “Storage account” by clicking on the “Name” link to access the configuration page.

  4. Scroll down the selected “Storage account” navigation panel and click on “Networking” under “Security + networking”.

  5. Once on the “Networking” page, click on the “Firewalls and virtual networks” tab.

  6. On the “Firewalls and virtual networks” tab, check the option selected under “Public network access”. If “Enabled from all networks” is selected, then the selected “Storage account” access is not restricted to trusted networks.

  7. To restrict the selected storage account so that it is no longer accessible from all networks, under “Public network access” select the option “Enabled from selected virtual networks and IP addresses” and choose the trusted “Virtual Network”.

  8. Click on the “Save” button at the top to apply the changes.

  9. Repeat steps 3 - 8 to ensure that “Storage account” access is restricted to trusted networks.
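
The check in step 6 can also be run across many accounts at once. The following is an added example, not CloudSploit's own code: it evaluates storage account records shaped like the JSON printed by `az storage account list -o json`. The field names (`publicNetworkAccess`, `networkRuleSet.defaultAction`, `ipRules`, `virtualNetworkRules`) are assumed to match that output, a missing value is assumed to mean the default of all networks, and the sample accounts are constructed.

```python
import json

# Constructed sample shaped like `az storage account list -o json` output
# (account names and network IDs are made up; field names are assumed to match the CLI).
SAMPLE = json.loads("""
[
  {"name": "stopen01", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}},
  {"name": "stvnet02", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Deny", "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}],
     "virtualNetworkRules": [{"virtualNetworkResourceId": "/subscriptions/EXAMPLE/.../subnets/app"}]}},
  {"name": "stlegacy03"},
  {"name": "stpriv04", "publicNetworkAccess": "Disabled",
   "networkRuleSet": {"defaultAction": "Allow"}},
  {"name": "stempty05", "publicNetworkAccess": null,
   "networkRuleSet": {"defaultAction": "deny", "ipRules": null, "virtualNetworkRules": []}}
]
""")


def evaluate(account):
    """Return (status, detail) for one storage account record."""
    rules = account.get("networkRuleSet") or {}
    # Assumption: a missing/null publicNetworkAccess behaves as Enabled.
    public = (account.get("publicNetworkAccess") or "Enabled").lower()
    # Assumption: a missing default action is Allow, since all networks is the default.
    action = (rules.get("defaultAction") or "Allow").lower()
    if public == "disabled":
        return "PASS", "public network access is disabled"
    if action != "deny":
        return "FAIL", "enabled from all networks (default action is Allow)"
    vnets = len(rules.get("virtualNetworkRules") or [])
    ips = len(rules.get("ipRules") or [])
    if vnets + ips == 0:
        return "PASS", "default action is Deny, but no trusted network is listed yet"
    return "PASS", f"default action is Deny with {vnets} virtual network and {ips} IP rule(s)"


def audit(accounts):
    """Map account name -> (status, detail) for every record."""
    return {a.get("name", "<unnamed>"): evaluate(a) for a in accounts}


if __name__ == "__main__":
    for name, (status, detail) in audit(SAMPLE).items():
        print(f"{status}  {name}: {detail}")
```

Accounts reported as FAIL are the ones that steps 7 and 8 apply to.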