Ensure that your Microsoft Azure Storage account is configured to deny access to traffic from all networks (including Internet traffic). By restricting access to your storage account default network, you add a new layer of security, since the default action is to accept connections from clients on any network. To limit access to selected networks or IP addresses, you must first change the default action from "Allow" to "Deny".
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
The access to your storage account should be granted to specific Azure Virtual Networks, which allows a secure network boundary for specific applications, or to public IP address ranges, which can enable connections from specific Internet services or on-premises clients. When network rules are configured, only applications from allowed networks or IPs can access your storage resources. When requesting access from an allowed network and/or IP address, a client/application should provide proper authorization, i.e. a valid access key or a Shared Access Signatures (SAS) token, to access the storage account.
Note: Making changes to network rules can impact your applications' ability to connect to the Azure Storage account. Make sure to grant access to any allowed networks using network rules or IP ranges using firewalls, before you change the default rule in order to deny access.
To determine if the default network access is restricted for your storage accounts, perform the following actions:
Remediation / Resolution
To restrict default network access for your Microsoft Azure Storage accounts, perform the following actions:
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
You are auditing:
Restrict Default Network Access for Storage Accounts
Risk level: Medium