Not setting deny as a default rule for a storage account's network access can lead to data leaks
- GG_ID: GG_IAC_0015
- Severity: HIGH
- Complexity: LOW
- Categories: NETWORK
- Providers: Azure
- Potential data exposure: True
- Visible in logs: True
- User interaction required: False
- Privileges required: False
# Description
By leaving the default network access rule of a storage account set to `Allow` (Azure's default when no network rules are configured), you expose the account's endpoints to connections from any public IP address. An attacker can then attempt to brute-force or enumerate access from anywhere, and any leaked access key, SAS token or connection string can be used freely, because no network restriction stands between the attacker and the data.
# Impact
- Data leak.
- Data tampering.
# Remediation guidelines
- Set the default network access rule to `Deny`.
- Identify which Azure Virtual Networks (subnets) should have access to your storage account, and allow them explicitly.
- Identify which public IP address ranges should have access to your storage account, and allow them explicitly.
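The three steps above, written out as Terraform for the `azurerm` provider. This is an added example, not code from the page or from GitGuardian: the resource names, the `10.0.0.0/16` address space and the `203.0.113.0/24` client range are assumptions chosen for illustration. The first storage account shows the weak setting (no `network_rules` block, so the default `Allow` applies); the second denies by default and allows only one subnet and one public range.

```hcl
# Added example (not the page's own code). Names, address space and IP range are assumptions.

resource "azurerm_resource_group" "example" {
  name     = "rg-storage-example"
  location = "westeurope"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  address_space       = ["10.0.0.0/16"]
}

# Weak: no network_rules block, so default_action is "Allow". Any public IP can reach the
# account's endpoints; only the access key or a SAS token stands between a client and the data.
resource "azurerm_storage_account" "weak" {
  name                     = "stweakexample"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Subnet that is allowed to reach the hardened account. The Microsoft.Storage service endpoint
# is required, otherwise the subnet is rejected in virtual_network_subnet_ids.
resource "azurerm_subnet" "app" {
  name                 = "snet-app"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]
  service_endpoints    = ["Microsoft.Storage"]
}

# Hardened: deny by default, then allow only the subnets and public ranges that need access.
resource "azurerm_storage_account" "hardened" {
  name                     = "sthardenedexample"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action = "Deny"

    # Public IPv4 addresses or CIDR ranges of clients that need access (assumed range here).
    # Azure rejects private (RFC 1918) ranges in ip_rules; use virtual_network_subnet_ids for those.
    ip_rules = ["203.0.113.0/24"]

    # Subnets of the Azure Virtual Networks that need access.
    virtual_network_subnet_ids = [azurerm_subnet.app.id]

    # Lets trusted Azure services through the deny rule; remove if no such service needs the account.
    bypass = ["AzureServices"]
  }
}
```

After `terraform apply`, confirm the effective setting on the account itself rather than trusting the plan: `az storage account show -n sthardenedexample -g rg-storage-example --query networkRuleSet.defaultAction` should print `Deny`. Note that a deny rule only restricts network reachability; leaked keys or SAS tokens should still be rotated, because any allowed subnet or range can still use them.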