Control: Storage accounts should restrict network access using virtual network rules
Description
Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.storage_account_restrict_network_accessSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.storage_account_restrict_network_access --shareSQL
This control uses a named query:
select sa.id as resource, case when network_rule_default_action = 'Deny' then 'ok' else 'alarm' end as status, case when network_rule_default_action = 'Deny' then sa.name || ' blocks network access.' else sa.name || ' allows network access.' end as reason , sa.resource_group as resource_group , sub.display_name as subscriptionfrom azure_storage_account sa left join azure_subscription as sub on sub.subscription_id = sa.subscription_id;