Control: 9.3.2.2 Ensure that 'Public Network Access' is 'Disabled' for storage accounts
Description
Disable public network access to prevent exposure to the internet and reduce the risk of unauthorized access. Use private endpoints to securely manage access within trusted networks. Note that once public network access is Disabled, IP address rules and virtual network rules are no longer evaluated: every request that does not arrive through a private endpoint is rejected, so confirm that all legitimate clients (pipelines, other Azure services, administrators browsing data in the portal) have a private endpoint path before changing the setting.
Disallowing public network access for a storage account overrides the public (anonymous) access settings for individual containers in that storage account.
Disabling public network access improves security by ensuring that a storage account is not exposed on the public internet.
The default network configuration for a storage account permits a user with appropriate permissions to configure public network access to containers and blobs in a storage account. Keep in mind that anonymous public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. Anonymous access grants read-only access to these resources without sharing the account key and without requiring a shared access signature. It is recommended not to provide public network access to storage accounts until, and unless, it is strongly desired. A shared access signature token or Azure AD RBAC should be used for providing controlled and timed access to blob containers.
Remediation
Remediate from Azure Portal
First, follow Microsoft documentation and create shared access signature tokens for your blob containers. Then,
- Go to Storage Accounts.
- For each storage account, under the Security + networking section, click Networking.
- Set Public network access to Disabled.
- Click Save.
Remediate from Azure CLI
Set 'Public Network Access' to Disabled on the storage account
az storage account update --name <storage-account> --resource-group <resource-group> --public-network-access Disabled
Remediate from PowerShell
For each storage account, run the following to set the PublicNetworkAccess setting to Disabled:
Set-AzStorageAccount -ResourceGroupName <resource group name> -Name <storage account name> -PublicNetworkAccess Disabled
Default Value
By default, Public Network Access is set to Enabled from all networks for the Storage Account.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_9_3_2_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v500_9_3_2_2 --share
SQL
This control uses a named query:
select
  sa.id as resource,
  case
    when public_network_access = 'Disabled' then 'ok'
    else 'alarm'
  end as status,
  case
    when public_network_access = 'Disabled' then sa.name || ' public network access is disabled.'
    else sa.name || ' public network access is enabled.'
  end as reason,
  sa.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_storage_account sa
  left join azure_subscription sub on sub.subscription_id = sa.subscription_id;
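The control above only answers pass/fail. When a subscription has many alarming accounts, a practitioner usually wants to know which ones are the most exposed and to get the remediation commands out of the same query. The following triage query is an added example, not part of the Powerpipe control or the azure_compliance mod. It assumes the Steampipe `azure_storage_account` table exposes the columns `allow_blob_public_access` (boolean), `network_rule_default_action` ('Allow' or 'Deny') and `private_endpoint_connections` (jsonb array) alongside the `public_network_access` column used by the control; check the column names with `.inspect azure_storage_account` in the Steampipe shell before relying on them.

```sql
-- Added triage query (example, not the control's own query).
-- Assumed columns from the Steampipe azure_storage_account table:
--   public_network_access        'Enabled' | 'Disabled'
--   network_rule_default_action  'Allow' | 'Deny'   (network ACL default)
--   allow_blob_public_access     boolean            (anonymous container access allowed)
--   private_endpoint_connections jsonb array        (existing private endpoints)
with accounts as (
  select
    sa.name,
    sa.resource_group,
    sa.subscription_id,
    sa.public_network_access,
    coalesce(sa.network_rule_default_action, 'Allow') as default_action,
    coalesce(sa.allow_blob_public_access, false) as blob_public_access,
    jsonb_array_length(coalesce(sa.private_endpoint_connections, '[]'::jsonb)) as private_endpoints
  from
    azure_storage_account sa
)
select
  a.name,
  a.resource_group,
  sub.display_name as subscription,
  a.public_network_access,
  a.default_action,
  a.blob_public_access,
  a.private_endpoints,
  -- Exposure ranking: the control treats anything but 'Disabled' as an alarm,
  -- but an 'Enabled' account with a default-deny ACL and no anonymous blob
  -- access is far less urgent than one that is open from all networks with
  -- anonymous containers permitted.
  case
    when a.public_network_access = 'Disabled' then 'ok'
    when a.default_action = 'Allow' and a.blob_public_access then 'alarm: open from all networks, anonymous blob access allowed'
    when a.default_action = 'Allow' then 'alarm: open from all networks'
    when a.blob_public_access then 'alarm: ACL default deny, but anonymous blob access allowed'
    else 'alarm: ACL default deny'
  end as finding,
  -- Accounts with no private endpoint will lose all access once disabled;
  -- flag them so a private endpoint is created first.
  case
    when a.public_network_access = 'Disabled' then null
    when a.private_endpoints = 0 then 'create a private endpoint before disabling'
    else 'safe to disable'
  end as precondition,
  -- Ready-to-run remediation, matching the CLI step in the Remediation section.
  case
    when a.public_network_access = 'Disabled' then null
    else 'az storage account update --name ' || a.name
         || ' --resource-group ' || a.resource_group
         || ' --subscription ' || a.subscription_id
         || ' --public-network-access Disabled'
  end as remediation
from
  accounts a
  left join azure_subscription sub on sub.subscription_id = a.subscription_id
where
  a.public_network_access <> 'Disabled'
order by
  -- most exposed first
  (a.default_action = 'Allow') desc,
  a.blob_public_access desc,
  a.private_endpoints asc,
  a.name;
```

Run it from `steampipe query` and feed the `remediation` column to a shell only after reviewing the `precondition` column: an account with zero private endpoints that is disabled in one step becomes unreachable for every client, including the Azure portal's data browser, until a private endpoint exists.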