Storage Accounts Allowing Public Traffic
More Info:
By default, a storage account accepts connections from clients on any network, including the public internet, as long as the request carries valid credentials or a SAS token. Restricting default network access adds a layer of defence in front of those credentials: to limit access to selected networks, the network rule set's default action must be changed from Allow to Deny, and only the IP ranges and virtual network subnets that genuinely need access should then be allowed explicitly.
Risk Level
Medium
Address
Security
Compliance Standards
GDPR, ISO27001, HITRUST, SOC2, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate a storage account that allows public traffic using the Azure Portal, follow these steps:
- Open the Azure Portal and navigate to the storage account that is allowing public traffic.
- Under “Security + networking” in the left-hand menu, click “Networking” (labelled “Firewalls and virtual networks” in older versions of the portal).
- In the “Firewalls and virtual networks” tab, under “Public network access”, select “Enabled from selected virtual networks and IP addresses”.
- Add only the IP address ranges and virtual network subnets that need access. A subnet can only be added if the Microsoft.Storage service endpoint is enabled on it. Leave “Allow Azure services on the trusted services list to access this storage account” checked only if a trusted service (for example backup or diagnostics export) actually requires it.
- If clients should reach the account purely over private IP space, first create a private endpoint in the “Private endpoint connections” tab, then select “Disabled” under “Public network access”; this blocks all traffic that does not arrive through a private endpoint, so confirm the endpoint works before flipping the switch.
- Save the changes.
These settings govern network-level access only. Anonymous (unauthenticated) read access to blob containers is a separate control, found under “Configuration” as “Allow Blob anonymous access”, and should be set to “Disabled” unless a container is deliberately published to the world.
To remediate the issue of Azure Storage Accounts allowing public traffic using the Azure CLI, follow these steps:
- Log in to your Azure account:
```
az login
```
- Select the subscription that contains the storage account:
```
az account set --subscription <subscription-id>
```
- Identify the storage accounts that still accept traffic from any network. The CLI exposes the firewall configuration as networkRuleSet.defaultAction, so a JMESPath filter narrows the list to accounts whose default action is Allow:
```
az storage account list --query "[?networkRuleSet.defaultAction=='Allow'].{name:name, resourceGroup:resourceGroup, publicNetworkAccess:publicNetworkAccess}" --output table
```
- Before changing the default action, add network rules for the IP ranges and subnets that legitimately need access (the `az storage account network-rule add` command does this). If you skip this step, your own clients, including the portal's storage browser from outside the allowed ranges, are locked out the moment the default flips to Deny.
- Update the account so that traffic from any network not matched by a rule is denied, while keeping the trusted-services exception if Azure platform services must still reach the account:
```
az storage account update --name <storage-account-name> --resource-group <resource-group-name> --default-action Deny --bypass AzureServices
```
If the account is reachable through a private endpoint and needs no public path at all, the same command accepts `--public-network-access Disabled`, which blocks public traffic regardless of the rule set.
Note: Replace <subscription-id>, <storage-account-name> and <resource-group-name> with the actual values from your environment.
After executing the update, the storage account denies requests from networks that are not explicitly allowed, and only the configured IP ranges, subnets and trusted Azure services can reach it. To verify, re-run the list command above: the remediated account should no longer appear in the output.
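The identification step above is easy to get wrong at scale, because “public traffic” is really two separate switches: the network rule set (defaultAction and publicNetworkAccess) and the account-level anonymous blob access flag. The following is an added example, not code from the original page, that audits the JSON returned by `az storage account list --output json`, reports the two exposures separately, and prints the az command that closes each one. The account names, resource groups and IP range in the embedded sample are constructed for the demonstration; the field names match the CLI's JSON output.

```python
"""Audit Azure storage accounts for public network exposure.

Added example, not code from the original page. It consumes the JSON shape
that `az storage account list --output json` returns and reports which
accounts still allow traffic from any network, separately from accounts that
allow anonymous blob reads (a different control). Sample data is constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample accounts (invented names, groups and ranges), trimmed to
# the fields this check needs. Field names match the az CLI JSON output.
SAMPLE_ACCOUNTS_JSON = """[
 {"name": "stexposed01", "resourceGroup": "rg-app", "publicNetworkAccess": "Enabled",
  "allowBlobPublicAccess": false,
  "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Allow",
                     "ipRules": [], "virtualNetworkRules": []}},
 {"name": "stlocked02", "resourceGroup": "rg-app", "publicNetworkAccess": "Enabled",
  "allowBlobPublicAccess": false,
  "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Deny",
                     "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
                     "virtualNetworkRules": []}},
 {"name": "stprivate03", "resourceGroup": "rg-data", "publicNetworkAccess": "Disabled",
  "allowBlobPublicAccess": false,
  "networkRuleSet": {"bypass": "None", "defaultAction": "Deny",
                     "ipRules": [], "virtualNetworkRules": []}},
 {"name": "stlegacy04", "resourceGroup": "rg-data",
  "allowBlobPublicAccess": true,
  "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Allow",
                     "ipRules": [], "virtualNetworkRules": []}}
]"""


@dataclass(frozen=True)
class Finding:
    account: str
    resource_group: str
    code: str        # OPEN_TO_ALL_NETWORKS or ANONYMOUS_BLOB_ACCESS
    detail: str


def audit_accounts(accounts: list[dict]) -> list[Finding]:
    """Return one Finding per exposure found in the account list."""
    findings: list[Finding] = []
    for acct in accounts:
        name, rg = acct["name"], acct["resourceGroup"]
        rules = acct.get("networkRuleSet") or {}
        # Accounts created before the property existed report null here,
        # which the platform treats as Enabled.
        public_net = acct.get("publicNetworkAccess") or "Enabled"
        if public_net != "Disabled" and rules.get("defaultAction", "Allow") == "Allow":
            findings.append(Finding(name, rg, "OPEN_TO_ALL_NETWORKS",
                "networkRuleSet.defaultAction is Allow: any client on the internet "
                "with valid credentials or a SAS can reach the account"))
        # Anonymous container/blob reads are governed by a separate switch and
        # are not closed by the firewall change above.
        if acct.get("allowBlobPublicAccess", True):
            findings.append(Finding(name, rg, "ANONYMOUS_BLOB_ACCESS",
                "allowBlobPublicAccess is true: containers may be set to "
                "anonymous read access"))
    return findings


def remediation_command(f: Finding) -> str:
    """The az CLI command that closes the finding. For OPEN_TO_ALL_NETWORKS the
    required ranges must be added first with `az storage account network-rule add`."""
    base = f"az storage account update --name {f.account} --resource-group {f.resource_group}"
    if f.code == "OPEN_TO_ALL_NETWORKS":
        return f"{base} --default-action Deny --bypass AzureServices"
    if f.code == "ANONYMOUS_BLOB_ACCESS":
        return f"{base} --allow-blob-public-access false"
    raise ValueError(f"unknown finding code {f.code}")


def audit_json(text: str) -> list[Finding]:
    """Parse `az storage account list --output json` text and audit it."""
    return audit_accounts(json.loads(text))


if __name__ == "__main__":
    for f in audit_json(SAMPLE_ACCOUNTS_JSON):
        print(f"{f.account} [{f.code}] {f.detail}")
        print(f"    fix: {remediation_command(f)}")
```

Run against real data with `az storage account list --output json > accounts.json` and feed the file's text to `audit_json`. Note how stprivate03 produces no finding even though it has no IP or subnet rules: with publicNetworkAccess set to Disabled the rule set is irrelevant, whereas stlegacy04, which predates that property, is treated as Enabled and flagged on both counts.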
The Azure SDK for Python can be used to address the related misconfiguration of anonymous (public) read access on blob containers. This is a different control from the network rules above: a container's access level governs whether unauthenticated clients can read it, while the network rule set governs which networks may connect at all. If the account-level setting allowBlobPublicAccess is false, anonymous access is already blocked for every container regardless of its access level, and that is the stronger fix; the steps below clean up the per-container setting. Follow these steps:
- Install the current Azure Blob Storage SDK using pip (version 12; the legacy BlockBlobService API found in older guides is deprecated and its `PublicAccess.None` spelling is not even valid Python 3):
```
pip install azure-storage-blob
```
- Import the necessary module:
```
from azure.storage.blob import BlobServiceClient
```
- Initialize the BlobServiceClient with your storage account credentials:
```
account_name = '<your_account_name>'
account_key = '<your_account_key>'
service = BlobServiceClient(
    account_url=f"https://{account_name}.blob.core.windows.net",
    credential=account_key,
)
```
- For each container whose public access level is ‘container’ or ‘blob’, set it back to private (public_access=None). The existing stored access policies are read and passed back so that SAS tokens bound to them keep working:
```
for container in service.list_containers():
    if container.public_access is not None:  # 'container' or 'blob' permits anonymous reads
        client = service.get_container_client(container.name)
        policy = client.get_container_access_policy()
        client.set_container_access_policy(
            signed_identifiers={si.id: si.access_policy for si in policy["signed_identifiers"]},
            public_access=None,
        )
```
- Finally, list the containers again and verify that none still permits anonymous access:
```
for container in service.list_containers():
    if container.public_access is not None:
        print(f"Public access still enabled for container {container.name}")
```
With these steps, every container in the account is private again. A container that still reports a public access level after the second pass indicates the update failed, for example because the key in use lacks permission, and should be investigated rather than ignored. To stop the setting from being re-enabled, also set allowBlobPublicAccess to false on the account.