Ensure that Storage accounts disallow public access

Description

As a best practice, do not allow anonymous/public access to storage accounts unless you have a very good reason. The 'Enabled from all networks' option includes the internet.

Fix - Runtime

In Azure Console

  1. Log in to the Azure portal
  2. Navigate to 'Storage Accounts'
  3. Select the reported storage account
  4. Under the 'Security + networking' section, select 'Networking'
  5. Go to 'Firewalls and virtual networks'
  6. Click on 'Change access level'
  7. Set 'Public network access' to anything but 'Enabled from all networks'
  8. Click on 'Save'

Fix - Buildtime

Terraform

  • Resource: azurerm_storage_account
  • Argument: public_network_access_enabled

azurerm_storage_account.pike.tf

```go
resource "azurerm_storage_account" "pike" {
  ...
+ public_network_access_enabled = false
  ...
}
```
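The build-time fix above can be enforced before apply by checking the plan itself. The following is an added example, not code from the original page or from any scanner: it reads the JSON that `terraform show -json <planfile>` produces and lists every `azurerm_storage_account` whose `public_network_access_enabled` is not explicitly `false`. The function name, the file name `check.py` and all sample resources other than `pike` are assumptions made for illustration.

```python
import json
import sys

# Constructed sample shaped like `terraform show -json <planfile>` output, cut
# down to the fields this check reads. Only "pike" comes from the page.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_storage_account.pike", "type": "azurerm_storage_account",
   "change": {"actions": ["create"],
              "after": {"public_network_access_enabled": false}}},
  {"address": "azurerm_storage_account.logs", "type": "azurerm_storage_account",
   "change": {"actions": ["update"],
              "after": {"public_network_access_enabled": true}}},
  {"address": "module.app.azurerm_storage_account.legacy",
   "type": "azurerm_storage_account",
   "change": {"actions": ["create"], "after": {"name": "legacysa"}}},
  {"address": "azurerm_storage_account.old", "type": "azurerm_storage_account",
   "change": {"actions": ["delete"], "after": null}},
  {"address": "azurerm_resource_group.rg", "type": "azurerm_resource_group",
   "change": {"actions": ["no-op"], "after": {"name": "rg"}}}
]}
""")


def public_storage_accounts(plan):
    """Return addresses of storage accounts the plan leaves open to public networks."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_storage_account":
            continue
        after = (rc.get("change") or {}).get("after")
        if after is None:  # resource is being destroyed; nothing left to check
            continue
        # Only an explicit false passes. A missing or null value is flagged
        # because the azurerm provider defaults this argument to true.
        if after.get("public_network_access_enabled") is not False:
            findings.append(rc["address"])
    return findings


if __name__ == "__main__":
    # Usage: python check.py plan.json   (no argument: run on the sample)
    plan = SAMPLE_PLAN
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    bad = public_storage_accounts(plan)
    for address in bad:
        print(f"FAIL {address}: public_network_access_enabled is not false")
    sys.exit(1 if bad else 0)
```

The non-zero exit status lets a CI job block the apply step when any storage account in the plan would remain publicly reachable.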