Control: Storage accounts should restrict network access
Description
Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.storage_account_default_network_access_rule_deniedSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.storage_account_default_network_access_rule_denied --shareSQL
This control uses a named query:
select sa.id as resource, case when sa.network_rule_default_action = 'Allow' then 'alarm' else 'ok' end as status, case when sa.network_rule_default_action = 'Allow' then name || ' allows traffic from all networks.' else name || ' allows traffic from specific networks.' end as reason , sa.resource_group as resource_group , sub.display_name as subscriptionfrom azure_storage_account sa, azure_subscription subwhere sub.subscription_id = sa.subscription_id;