Not setting deny as a default rule for a storage account's network access can lead to data leaks

Severity: HIGH
Exploitability: HIGH
Providers: Azure
Categories: NETWORK

Description

Setting the default network access rule to allow leaves your storage account exposed to unwanted connections. Attackers could then brute-force access to the storage account, or access it freely if credentials are leaked.

Impact

Potential data exposure: True
Visible in logs: True
User interaction required: False
Privileges required: False
  • Data leak.
  • Data tampering.

Remediation guidelines

  • Set the default access to deny.
  • Identify which Azure Virtual Networks should have access to your storage, and allow them.
  • Identify which ranges of IP addresses should have access to your storage, and allow them.
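
To check these three steps before deployment, the following added example (not part of the original advisory) audits the networkAcls block of each Microsoft.Storage/storageAccounts resource in an ARM template. The function names, the sample template and the /16 review threshold are assumptions made for illustration.

```python
import ipaddress

MIN_PREFIX = 16  # assumption: IPv4 ranges wider than /16 deserve review

def audit_storage_network_acls(template):
    """Return (account, finding) pairs for storage accounts in an ARM template."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Storage/storageAccounts":
            continue
        name = res.get("name", "<unnamed>")
        acls = res.get("properties", {}).get("networkAcls") or {}
        # A missing networkAcls block or defaultAction means Allow.
        # Template expressions ("[parameters(...)]") are flagged for review too.
        if str(acls.get("defaultAction", "Allow")).lower() != "deny":
            findings.append((name, "defaultAction is not Deny"))
            continue
        ip_rules = acls.get("ipRules", [])
        if not ip_rules and not acls.get("virtualNetworkRules"):
            findings.append((name, "Deny set, but no VNet or IP rule allows any client"))
        for rule in ip_rules:
            net = ipaddress.ip_network(rule["value"], strict=False)
            if net.prefixlen < MIN_PREFIX:
                findings.append((name, "broad IP rule " + rule["value"]))
    return findings

def account(name, acls=None):
    """Build a constructed storage account resource for the sample below."""
    props = {} if acls is None else {"networkAcls": acls}
    return {"type": "Microsoft.Storage/storageAccounts", "name": name, "properties": props}

# Constructed sample template; names, subnet id and addresses are made up.
SAMPLE = {"resources": [
    account("noacls"),
    account("openacct", {"defaultAction": "Allow", "ipRules": [{"value": "203.0.113.0/24"}]}),
    account("lockedacct", {"defaultAction": "Deny",
        "virtualNetworkRules": [{"id": "<subnet-resource-id>", "action": "Allow"}],
        "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}]}),
    account("wideacct", {"defaultAction": "Deny", "ipRules": [{"value": "203.0.0.0/8"}]}),
]}

if __name__ == "__main__":
    for name, finding in audit_storage_network_acls(SAMPLE):
        print(name + ": " + finding)
```

An account with an allow default is reported even when it lists IP rules, because those rules only take effect once the default action is deny.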
