
Metadata

Id: ca4df748-613a-4fbf-9c76-f02cbd580307

Cloud Provider: Azure

Platform: Ansible

Severity: High

Category: Access Control

Description

Storage accounts must not permit broad public access or use a permissive default ACL. Public network access or a default-allow policy can expose blobs, queues, and file storage to unauthorized users, increasing the risk of data exfiltration.

For Ansible resources using azure.azcollection.azure_rm_storageaccount or azure_rm_storageaccount, explicitly set public_network_access to Disabled and set network_acls.default_action to Deny. Resources that omit public_network_access (the default is Enabled), that set public_network_access: Enabled, or that set network_acls.default_action: Allow are flagged.

Secure configuration example:

- name: Create secure Azure Storage Account
  azure_rm_storageaccount:
    resource_group: my-rg
    name: mystorageacct
    location: eastus
    public_network_access: Disabled
    network_acls:
      default_action: Deny

Compliant Code Examples

---
- name: create an account
  azure.azcollection.azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    tags:
      testing: testing
      delete: on-exit
    network_acls:
      default_action: Deny
---
- name: create an account
  azure.azcollection.azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    tags:
      testing: testing
      delete: on-exit
    public_network_access: Disabled

Non-Compliant Code Examples

---
- name: create an account
  azure.azcollection.azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    tags:
      testing: testing
      delete: on-exit
---
- name: create an account
  azure.azcollection.azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    tags:
      testing: testing
      delete: on-exit
    network_acls:
      default_action: Allow
---
- name: create an account
  azure.azcollection.azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    tags:
      testing: testing
      delete: on-exit
    public_network_access: Enabled
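The following checker applies this rule to a loaded playbook. It is an added illustration written for this page, not Datadog's scanner code. It flags a task under the three conditions the description lists (public_network_access: Enabled, network_acls.default_action: Allow, or neither restrictive value present) and, matching the two compliant examples above, accepts a task that sets either public_network_access: Disabled or network_acls.default_action: Deny. The task dictionaries are the page's own examples re-expressed as the structures yaml.safe_load returns; parsing real playbook text through check_playbook_text needs PyYAML, which Ansible installs anyway. The function names check_task, check_playbook and check_playbook_text are this example's own.

```python
"""Added example: flag Azure storage accounts with permissive network access in Ansible tasks."""

# Both spellings the rule description names for the module.
MODULE_NAMES = (
    "azure.azcollection.azure_rm_storageaccount",
    "azure_rm_storageaccount",
)


def storage_account_args(task):
    """Return the module arguments if the task manages a storage account, else None."""
    for name in MODULE_NAMES:
        if name in task:
            return task[name] or {}
    return None


def check_task(task):
    """Evaluate one task. Returns a list of findings; an empty list means compliant."""
    args = storage_account_args(task)
    if args is None:
        return []  # not a storage account task, nothing to check

    pna = args.get("public_network_access")
    acls = args.get("network_acls") or {}
    default_action = acls.get("default_action")

    findings = []
    # Explicitly permissive values are flagged regardless of the other setting.
    if pna is not None and str(pna) != "Disabled":
        findings.append(f"public_network_access is {pna!r}; set it to 'Disabled'")
    if default_action is not None and str(default_action) != "Deny":
        findings.append(f"network_acls.default_action is {default_action!r}; set it to 'Deny'")
    # Neither restrictive value present: Azure's default public_network_access is Enabled.
    restricted = str(pna) == "Disabled" or str(default_action) == "Deny"
    if not findings and not restricted:
        findings.append(
            "public_network_access omitted (Azure default is Enabled) and no "
            "network_acls.default_action: Deny; the account is reachable from any network"
        )
    return findings


def check_playbook(documents):
    """Walk a loaded playbook (list of plays, or a bare task list as in the examples above)."""
    results = []
    for item in documents:
        tasks = item.get("tasks", [item]) if isinstance(item, dict) else []
        for task in tasks:
            if not isinstance(task, dict):
                continue
            problems = check_task(task)
            if problems:
                results.append((task.get("name", "<unnamed>"), problems))
    return results


def check_playbook_text(text):
    """Parse multi-document playbook YAML and check it (requires PyYAML)."""
    import yaml  # imported here so the rest of the module works without PyYAML

    documents = []
    for doc in yaml.safe_load_all(text):
        if isinstance(doc, list):
            documents.extend(doc)
        elif isinstance(doc, dict):
            documents.append(doc)
    return check_playbook(documents)


# Constructed sample input: the page's examples as parsed-YAML dictionaries.
MODULE = "azure.azcollection.azure_rm_storageaccount"
BASE = {"resource_group": "myResourceGroup", "name": "clh0002", "type": "Standard_RAGRS"}
SAMPLE_TASKS = [
    {"name": "acl deny", MODULE: {**BASE, "network_acls": {"default_action": "Deny"}}},
    {"name": "public disabled", MODULE: {**BASE, "public_network_access": "Disabled"}},
    {"name": "nothing set", MODULE: dict(BASE)},
    {"name": "acl allow", MODULE: {**BASE, "network_acls": {"default_action": "Allow"}}},
    {"name": "public enabled", MODULE: {**BASE, "public_network_access": "Enabled"}},
    {"name": "unrelated task", "debug": {"msg": "not a storage account"}},
]

if __name__ == "__main__":
    for task_name, problems in check_playbook(SAMPLE_TASKS):
        print(f"[FLAGGED] {task_name}")
        for problem in problems:
            print(f"    - {problem}")
```

Running the module prints the three non-compliant tasks with the reason for each; the two compliant variants and the unrelated debug task produce no output. A task that mixes one restrictive and one permissive value (for example public_network_access: Disabled with default_action: Allow) is still flagged, because the explicit Allow is reported on its own.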