Control: Default network access rule for storage accounts should be set to deny

Description

Restricting default network access provides an additional layer of security by only allowing connections from explicitly allowed networks.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.storage_account_default_network_access_deny

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.storage_account_default_network_access_deny --share

SQL

This control uses a named query:

select
  sa.id as resource,
  case
    when network_rule_default_action = 'Deny' then 'ok'
    else 'alarm'
  end as status,
  case
    when network_rule_default_action = 'Deny' then sa.name || ' default network access rule set to deny.'
    else sa.name || ' default network access rule not set to deny.'
  end as reason
  
  , sa.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_storage_account sa,
  azure_subscription sub
where
  sub.subscription_id = sa.subscription_id;

Control: Default network access rule for storage accounts should be set to deny

Description

Usage

SQL

Tags