Id: 35e2f133-a395-40de-a79d-b260d973d1bd
Cloud Provider: Azure
Platform: Ansible
Severity: High
Category: Access Control
Description
Storage accounts must not allow public network access. Broad network access or open IP ranges expose account endpoints and data to unauthorized access and exfiltration.
For Ansible azure_rm_storageaccount and azure.azcollection.azure_rm_storageaccount tasks, ensure network_acls.default_action is not set to "Allow" (use "Deny"). When default_action is "Deny", the network_acls.ip_rules list must not contain the catch-all "0.0.0.0/0". Resources missing these properties, with default_action='Allow', or with ip_rules containing 0.0.0.0/0 are flagged.
Secure example for an Ansible task:
- name: Create storage account with restricted network access
  azure.azcollection.azure_rm_storageaccount:
    resource_group: my-rg
    name: mystorageacct
    location: eastus
    network_acls:
      default_action: Deny
      ip_rules:
        - value: 203.0.113.5/32
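To make the three conditions in the description concrete, here is a small checker that applies them to parsed Ansible tasks. This is an added example, not Datadog's rule implementation: tasks are passed in as Python dicts in the shape a YAML loader produces for a task list, and the sample tasks, module-name tuple and function names are constructed for the illustration.

```python
# Added example: apply the rule's logic to parsed Ansible tasks.
# Not the scanner's own code; task dicts mirror what a YAML loader returns.

MODULE_NAMES = (
    "azure_rm_storageaccount",
    "azure.azcollection.azure_rm_storageaccount",
)
CATCH_ALL = "0.0.0.0/0"  # the open IP range the rule flags in ip_rules


def find_storage_module(task):
    """Return (module_name, params) if the task uses a storage-account module, else None."""
    for key in MODULE_NAMES:
        if key in task:
            return key, task[key] or {}
    return None


def check_task(task):
    """Return a list of finding strings for one task; an empty list means compliant."""
    hit = find_storage_module(task)
    if hit is None:
        return []  # unrelated module, out of scope for this rule
    name = task.get("name", "<unnamed>")
    _, params = hit
    findings = []

    acls = params.get("network_acls")
    if not isinstance(acls, dict):
        # Missing network_acls: the account is not restricted at all.
        findings.append(f"{name}: network_acls is missing")
        return findings

    default_action = acls.get("default_action")
    if default_action is None:
        findings.append(f"{name}: network_acls.default_action is missing")
    elif str(default_action).lower() == "allow":
        findings.append(f"{name}: network_acls.default_action is Allow")

    # Even with Deny, a catch-all ip_rules entry reopens the account.
    for rule in acls.get("ip_rules") or []:
        value = rule.get("value") if isinstance(rule, dict) else rule
        if str(value).strip() == CATCH_ALL:
            findings.append(f"{name}: ip_rules contains catch-all {CATCH_ALL}")
    return findings


def check_tasks(tasks):
    """Run check_task over a task list and collect all findings."""
    findings = []
    for task in tasks:
        findings.extend(check_task(task))
    return findings


# Constructed sample tasks (dict form of the YAML examples on this page,
# plus one task with no network_acls and one unrelated task).
COMPLIANT_TASK = {
    "name": "configure firewall and virtual networks",
    "azure_rm_storageaccount": {
        "resource_group": "myResourceGroup",
        "name": "clh0002",
        "type": "Standard_RAGRS",
        "network_acls": {
            "bypass": "AzureServices,Metrics",
            "default_action": "Deny",
            "ip_rules": [{"value": "1.2.3.4", "action": "Allow"}],
        },
    },
}
SAMPLE_TASKS = [
    COMPLIANT_TASK,
    {
        "name": "catch-all ip rule (non-compliant)",
        "azure_rm_storageaccount": {
            "resource_group": "myResourceGroup",
            "name": "clh0002",
            "network_acls": {
                "default_action": "Deny",
                "ip_rules": [{"value": "0.0.0.0/0", "action": "Allow"}],
            },
        },
    },
    {
        "name": "default action allow (non-compliant)",
        "azure_rm_storageaccount": {
            "resource_group": "myResourceGroup",
            "name": "clh0003",
            "network_acls": {"bypass": "AzureServices,Metrics", "default_action": "Allow"},
        },
    },
    {
        "name": "no network acls (non-compliant)",
        "azure.azcollection.azure_rm_storageaccount": {
            "resource_group": "my-rg",
            "name": "mystorageacct",
        },
    },
    {"name": "unrelated task", "ansible.builtin.ping": {}},
]

if __name__ == "__main__":
    for finding in check_tasks(SAMPLE_TASKS):
        print(finding)
```

In practice the task dicts come from loading the playbook with a YAML parser; the checker itself only walks the `network_acls` structure, so it works the same for the short and fully qualified module names. Note that it reports a `default_action` of `Allow` and a catch-all `ip_rules` entry independently, so a task that has both produces two findings.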
Compliant Code Examples
- name: configure firewall and virtual networks
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    network_acls:
      bypass: AzureServices,Metrics
      default_action: Deny
      ip_rules:
        - value: 1.2.3.4
          action: Allow
Non-Compliant Code Examples
- name: configure firewall and virtual networks
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    network_acls:
      bypass: AzureServices,Metrics
      default_action: Deny
      ip_rules:
        - value: 0.0.0.0/0
          action: Allow

- name: configure firewall and more virtual networks
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0003
    type: Standard_RAGRS
    network_acls:
      bypass: AzureServices,Metrics
      default_action: Allow