Public storage account

이 제품은 선택한 Datadog 사이트에서 지원되지 않습니다. ().
이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: ansible-azure-public-storage-account

Cloud Provider: Azure

Platform: Ansible

Severity: High

Category: Access Control

Learn More

Description

Storage accounts must not allow public network access. Broad network access or open IP ranges expose account endpoints and data to unauthorized access and exfiltration.

For Ansible azure_rm_storageaccount and azure.azcollection.azure_rm_storageaccount tasks, ensure network_acls.default_action is not set to "Allow" (use "Deny"). When default_action is "Deny", the network_acls.ip_rules list must not contain the catch-all "0.0.0.0/0". Resources missing these properties, with default_action='Allow', or with ip_rules containing 0.0.0.0/0 are flagged.

Secure example for an Ansible task:

- name: Create storage account with restricted network access
  azure.azcollection.azure_rm_storageaccount:
    resource_group: my-rg
    name: mystorageacct
    location: eastus
    network_acls:
      default_action: Deny
      ip_rules:
        - value: 203.0.113.5/32

Compliant Code Examples

- name: configure firewall and virtual networks
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    network_acls:
      bypass: AzureServices,Metrics
      default_action: Deny
      ip_rules:
      - value: 1.2.3.4
        action: Allow

Non-Compliant Code Examples

- name: configure firewall and virtual networks
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    network_acls:
      bypass: AzureServices,Metrics
      default_action: Deny
      ip_rules:
        - value: 0.0.0.0/0
          action: Allow
- name: configure firewall and more virtual networks
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0003
    type: Standard_RAGRS
    network_acls:
      bypass: AzureServices,Metrics
      default_action: Allow