'Trusted Microsoft Services' should be enabled for Storage Account access

Docs > Datadog Security > OOTB Rules > 'Trusted Microsoft Services' should be enabled for Storage Account access

Warning: This rule will be deprecated 18 December 2023 as part of the update to Azure CIS version 2.0.0

Description

Some Microsoft services that interact with storage accounts operate from networks that can’t be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services use strong authentication to access the storage account. If Allow trusted Microsoft services exception is enabled, the following services, when registered in the subscription, are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse.

Rationale

Turning on firewall rules for storage account blocks access to incoming requests for data, including from other Azure services. This includes using the portal, writing logs, etc. You can re-enable access to services like Monitor, Networking, Hubs, and Event Grid by enabling Trusted Microsoft Services through exceptions. The exception also supports backing up and restoring virtual machines using unmanaged disks in storage accounts with network rules applied.

Remediation

From the console

Go to Storage Accounts
For each storage account, click on the settings menu called Firewalls and Virtual Networks.
Ensure that Allow access from selected networks is enabled.
Enable Allow trusted Microsoft services to access this storage account.
Click Save to apply your changes.

From the command line

Use the following command to update trusted Microsoft services: az storage account update --name <StorageAccountName> --resource-group <resourceGroupName> --bypass AzureServices