v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/azure_compliance
Overview
13Dashboards
1311Controls
430Queries
2Variables
GitHub

Control: 4.8 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access

Description

NOTE: This recommendation assumes that the Public network access parameter is set to Enabled from selected virtual networks and IP addresses. Please ensure the prerequisite recommendation has been implemented before proceeding:

  • Ensure Default Network Access Rule for Storage Accounts is Set to Deny.

Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow Azure services on the trusted services list to access this storage account exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Data Box, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure File Sync, Azure HDInsight, Azure Import/Export, Azure Monitor, Azure Networking Services, and Azure Site Recovery (when registered in the subscription).

Turning on firewall rules for a storage account will block access to incoming requests for data, including from other Azure services. We can re-enable this functionality by allowing access to trusted Azure services through networking exceptions.

Remediation

From Azure Portal

  1. Go to Storage Accounts.
  2. For each storage account, under Security + networking, click Networking.
  3. Click on the Firewalls and virtual networks heading.
  4. Under Exceptions, check the box next to Allow Azure services on the trusted services list to access this storage account.
  5. Click Save.

From Azure CLI

Use the below command to update bypass to Azure services.

az storage account update --name <StorageAccountName> --resource-group <resourceGroupName> --bypass AzureServices

Default Value

By default, Storage Accounts will accept connections from clients on any network.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v300_4_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v300_4_8 --share

SQL

This control uses a named query:

storage_account_trusted_microsoft_services_enabled

Tags

category = Compliance
cis = true
cis_item_id = 4.8
cis_level = 2
cis_section_id = 4
cis_type = automated
cis_version = v3.0.0
plugin = azure
service = Azure/Storage