--- title: Default Azure storage account network access is too permissive description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Default Azure storage account network access is too permissive --- # Default Azure storage account network access is too permissive {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-azure-default-azure-storage-account-network-access-is-too-permissive` **Provider:** Azure **Platform:** Terraform **Severity:** Medium **Category:** Insecure Defaults #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action) ### Description{% #description %} Azure storage accounts should have their default network access action set to `Deny` to prevent unauthorized or public access to storage resources. If the `network_rules { default_action = "Allow" }` attribute is used, as shown below, storage accounts can be accessed from any network by default, increasing the risk of data breaches or unauthorized data manipulation. ``` network_rules { default_action = "Allow" } ``` To mitigate this risk, configure `network_rules { default_action = "Deny" }`, ensuring only explicitly allowed networks and IPs can access the storage account. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "azurerm_resource_group" "example" { name = "example-resources" location = "West Europe" } resource "azurerm_virtual_network" "negative1" { name = "virtnetname" address_space = ["10.0.0.0/16"] location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name } resource "azurerm_subnet" "negative1" { name = "subnetname" resource_group_name = azurerm_resource_group.example.name virtual_network_name = azurerm_virtual_network.negative1.name address_prefixes = ["10.0.2.0/24"] service_endpoints = ["Microsoft.Sql", "Microsoft.Storage"] } resource "azurerm_storage_account" "negative1" { name = "storageaccountname" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location account_tier = "Standard" account_replication_type = "LRS" network_rules { default_action = "Deny" ip_rules = ["100.0.0.1"] virtual_network_subnet_ids = [azurerm_subnet.negative1.id] } tags = { environment = "staging" } } ``` ```terraform resource "azurerm_resource_group" "example" { name = "negative2-resources" location = "West Europe" } resource "azurerm_virtual_network" "negative2" { name = "negative2-vnet" address_space = ["10.0.0.0/16"] location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name } resource "azurerm_subnet" "negative2" { name = "negative2-subnet" resource_group_name = azurerm_resource_group.example.name virtual_network_name = azurerm_virtual_network.negative2.name address_prefixes = ["10.0.2.0/24"] service_endpoints = ["Microsoft.Storage"] } resource "azurerm_storage_account" "negative2" { name = "storageaccountname" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location account_tier = "Standard" account_replication_type = "GRS" tags = { environment = "staging" } } resource "azurerm_storage_account_network_rules" "negative2" { resource_group_name = azurerm_resource_group.example.name storage_account_name = azurerm_storage_account.negative2.name storage_account_id = azurerm_storage_account.negative2.id default_action = "Deny" ip_rules = ["127.0.0.1"] virtual_network_subnet_ids = [azurerm_subnet.negative2.id] bypass = ["Metrics"] } resource "azurerm_storage_account_network_rules" "negative2b" { resource_group_name = azurerm_resource_group.example.name storage_account_name = azurerm_storage_account.negative3.name storage_account_id = azurerm_storage_account.negative3.id default_action = "Deny" ip_rules = ["127.0.0.1"] virtual_network_subnet_ids = [azurerm_subnet.negative2.id] bypass = ["Metrics"] } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "azurerm_resource_group" "example" { name = "positive1-resources" location = "West Europe" } resource "azurerm_virtual_network" "positive1" { name = "virtnetname" address_space = ["10.0.0.0/16"] location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name } resource "azurerm_subnet" "positive1" { name = "subnetname" resource_group_name = azurerm_resource_group.example.name virtual_network_name = azurerm_virtual_network.positive1.name address_prefixes = ["10.0.2.0/24"] service_endpoints = ["Microsoft.Sql", "Microsoft.Storage"] } resource "azurerm_storage_account" "positive1" { name = "positive1storageaccount" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location account_tier = "Standard" account_replication_type = "LRS" network_rules { default_action = "Allow" ip_rules = ["100.0.0.1"] virtual_network_subnet_ids = [azurerm_subnet.positive1.id] } tags = { environment = "staging" } } ``` ```terraform resource "azurerm_resource_group" "example" { name = "positive2-resources" location = "West Europe" } resource "azurerm_virtual_network" "positive2" { name = "positive2-vnet" address_space = ["10.0.0.0/16"] location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name } resource "azurerm_subnet" "positive2" { name = "positive2-subnet" resource_group_name = azurerm_resource_group.example.name virtual_network_name = azurerm_virtual_network.positive2.name address_prefixes = ["10.0.2.0/24"] service_endpoints = ["Microsoft.Storage"] } resource "azurerm_storage_account" "positive2" { name = "positive2storageaccount" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location account_tier = "Standard" account_replication_type = "GRS" tags = { environment = "staging" } } resource "azurerm_storage_account_network_rules" "positive2" { resource_group_name = azurerm_resource_group.example.name storage_account_name = azurerm_storage_account.positive2.name storage_account_id = azurerm_storage_account.positive2.id default_action = "Allow" ip_rules = ["127.0.0.1"] virtual_network_subnet_ids = [azurerm_subnet.positive2.id] bypass = ["Metrics"] } ``` ```terraform resource "azurerm_resource_group" "example" { name = "example-resources" location = "West Europe" } resource "azurerm_storage_account" "positive3" { name = "positive3storageaccount" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location account_tier = "Standard" account_replication_type = "GRS" public_network_access_enabled = true tags = { environment = "staging" } } ```