
Limit Storage Account Access by IP Address

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-014

Ensure that access to your Microsoft Azure Storage blobs, files, tables and queues is limited to specific (trusted) public IP addresses and/or IP address ranges in order to protect your data against unauthorized access. Before this conformity rule is run by the Cloud Conformity engine, you need to specify the list of public IPv4 addresses and/or IPv4 address ranges that are allowed to access your storage accounts in the rule settings on your Cloud Conformity account console.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Allowing untrustworthy access to your Microsoft Azure Storage account can lead to unauthorized actions such as reading, uploading, modifying or deleting data. To prevent data exposure, data loss or unexpected charges on your Azure monthly bill, make sure that your storage account is accessible only to a short list of safelisted IP addresses representing account administrators, trusted internet-based services and/or specific on-premises networks.


Audit

To determine if the access to your storage account is restricted to specific (trusted) IP addresses/IP address ranges, perform the following actions:

Using Azure Portal

01 Sign in to your Cloud Conformity console, access Limit Storage Account Access by IP Address conformity rule settings and identify the list of trusted public IPv4 addresses/ranges defined for your Azure Storage accounts.

02 Sign in to Azure Management Console.

03 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

04 Click on the name of the Azure Storage account that you want to examine.

05 In the navigation panel, under Settings, select Firewalls and virtual networks to access the network security configuration settings available for the selected storage account.

06 On the Firewalls and virtual networks page, under Allow access from, make sure that the Selected networks option is active for the appropriate network access configuration, then check the IPv4 address(es) and/or IPv4 range(s) available in the Address range list. Compare the Address range list with the one identified at step no. 1. If not all IPv4 addresses defined within the Address range list are safelisted, the access to the selected Azure Storage account is not restricted to specific (trusted) IP addresses/IP ranges.

07 Repeat steps no. 4 – 6 for each storage account available within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity console, access Limit Storage Account Access by IP Address conformity rule settings and identify the list of trusted public IPv4 addresses/ranges defined for your Azure Storage accounts.

02 Run storage account list command (Windows/macOS/Linux) using custom query filters to list the name of each storage account in the current Azure subscription whose firewall default action is Deny (i.e. accounts that do not allow access from all networks):

az storage account list \
    --query '[?networkRuleSet.defaultAction==`Deny`].name'

03 The command output should return the requested storage account names:

[
  "abcd1234abcd1234abcd1234",
  "abcdabcdabcd123412341234",
  "123412341234abcdabcdabcd"
]

04 Run storage account show command (Windows/macOS/Linux) using the name of the storage account that you want to examine as identifier parameter and custom query filters to return the list with the public IPv4 address(es) and/or IPv4 range(s) allowed to access the selected storage account:

az storage account show \
    --name abcd1234abcd1234abcd1234 \
    --query 'networkRuleSet.ipRules[?(action==`Allow`)].ipAddressOrRange'

05 The command output should return the list with all the IPv4 addresses allowed to access your storage account:

[
  "16.17.18.19",
  "17.18.19.20",
  "16.17.18.0/24"
]

Compare the IP list returned by the storage account show command with the one identified at step no. 1. If not all IPv4 addresses returned at the previous step are safelisted within the rule configuration settings, access to the selected Microsoft Azure Storage account is not restricted to trusted IP addresses/IP ranges only.

06 Repeat step no. 4 and 5 for each storage account available in the current Azure subscription.

07 Repeat steps no. 2 – 6 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To restrict your Azure Storage account network access to specific (trusted) IP addresses and/or IP ranges, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name of the Azure Storage account that you want to reconfigure.

04 In the navigation panel, under Settings, select Firewalls and virtual networks to access the network security configuration settings available for the selected storage account.

05 On the Firewalls and virtual networks page, in the Firewall section, remove each IPv4 address and/or IPv4 range from the Address range list that is not safelisted within the rule configuration settings, on your Cloud Conformity account console. Once the Address range list is properly configured to reflect the IP safelist for the selected storage account, click Save to apply the changes.

06 Repeat steps no. 3 – 5 for each Azure Storage account available in the selected subscription.

07 Repeat steps no. 3 – 7 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage account network-rule remove command (Windows/macOS/Linux) using the IPv4 address and/or IPv4 range that you want to blocklist as value for the --ip-address command parameter to remove the untrusted public IP address/range from the selected Microsoft Azure Storage account firewall. The following storage account network-rule remove command request blocklists the "17.18.19.20" public IPv4 address:

az storage account network-rule remove \
    --account-name abcd1234abcd1234abcd1234 \
    --ip-address 17.18.19.20

02 The command output should return the metadata available for the reconfigured Microsoft Azure Storage account:

{
  "accessTier": "Hot",
  "azureFilesIdentityBasedAuthentication": null,
  "creationTime": "2019-08-20T14:11:12.357061+00:00",
  "enableHttpsTrafficOnly": true,
  "kind": "StorageV2",
  "largeFileSharesState": null,
  "location": "westeurope",
  "name": "abcd1234abcd1234abcd1234",
  "networkRuleSet": {
    "bypass": "None",
    "defaultAction": "Deny",
    "ipRules": [
      {
        "action": "Allow",
        "ipAddressOrRange": "16.17.18.19"
      },
      {
        "action": "Allow",
        "ipAddressOrRange": "16.17.18.0/24"
      }
    ],
    "virtualNetworkRules": []
  },

  ...

  "primaryLocation": "westeurope",
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "secondaryEndpoints": null,
  "secondaryLocation": null,
  "sku": {
    "capabilities": null,
    "kind": null,
    "locations": null,
    "name": "Standard_LRS",
    "resourceType": null,
    "restrictions": null,
    "tier": "Standard"
  },
  "statusOfPrimary": "available",
  "statusOfSecondary": null,
  "tags": {
    "ms-resource-usage": "azure-cloud-shell"
  },
  "type": "Microsoft.Storage/storageAccounts"
}

03 Repeat step no. 1 and 2 for each storage account available in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
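The CLI audit (steps 2 to 5 of the audit procedure) and the network-rule remove remediation above can be scripted together: the following added example (not Conformity's own code) parses the JSON that az storage account show prints, treats an Allow rule as safelisted only when it lies entirely inside a trusted address or range, and builds the remove commands for anything else. The account document and the TRUSTED list are constructed sample values; a real run would feed it the captured output of az storage account show and the safelist from the rule settings.

```python
import ipaddress
import json

# Constructed sample shaped like `az storage account show` output (not real data).
SAMPLE_ACCOUNT_JSON = json.dumps({
    "name": "abcd1234abcd1234abcd1234",
    "networkRuleSet": {
        "defaultAction": "Deny",
        "ipRules": [
            {"action": "Allow", "ipAddressOrRange": "16.17.18.19"},
            {"action": "Allow", "ipAddressOrRange": "17.18.19.20"},
            {"action": "Allow", "ipAddressOrRange": "16.17.18.0/24"},
        ],
    },
})

# Trusted public IPv4 addresses/ranges from the rule settings (constructed values).
TRUSTED = ["16.17.18.0/24", "203.0.113.7"]


def untrusted_rules(ruleset, trusted):
    """Allow rules not fully inside a trusted entry (a /24 is not covered by a
    trusted single host within it). Host IPs are normalised to /32 networks."""
    trusted_nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    bad = []
    for rule in ruleset.get("ipRules", []):
        if rule.get("action") != "Allow":
            continue
        net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        if not any(net.subnet_of(t) for t in trusted_nets):
            bad.append(rule["ipAddressOrRange"])
    return bad


def assess(account_json, trusted):
    """Return (status, untrusted_entries) for one `az storage account show` document."""
    ruleset = json.loads(account_json).get("networkRuleSet") or {}
    if ruleset.get("defaultAction") != "Deny":
        return "ALL_NETWORKS", []  # firewall not enforced; every source is allowed
    bad = untrusted_rules(ruleset, trusted)
    return ("UNTRUSTED_IPS" if bad else "COMPLIANT"), bad


def remediation_commands(account_json, trusted):
    """Build the `network-rule remove` commands that drop each untrusted entry."""
    name = json.loads(account_json)["name"]
    return [f"az storage account network-rule remove --account-name {name} "
            f"--ip-address {ip}" for ip in assess(account_json, trusted)[1]]
```

Review the generated commands before running them; an account whose defaultAction is still Allow is reported as ALL_NETWORKS because removing individual rules does nothing until Selected networks is enforced.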

Publication date Dec 19, 2019
