Azure Storage Account 'Trusted Microsoft Services' access not enabled

Description

Some Microsoft services that interact with storage accounts operate from networks that cannot be granted access through network rules. To help this type of service work as intended, you can allow the set of trusted Microsoft services to bypass the network rules. These services will use strong authentication to access the storage account. Allowing trusted Microsoft services grants access to the storage account for the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription). Turning on firewall rules for a storage account will block access to incoming requests for data, including from other Azure services, such as using the portal and writing logs. Functionality can be re-enabled. The customer can get access to services like Monitor, Networking, Hubs, and Event Grid by enabling Trusted Microsoft Services through exceptions. Backup and Restore of Virtual Machines using unmanaged disks in storage accounts with network rules applied is supported by creating an exception.

Code Example

resource "azurerm_storage_account" "example" {
    ...
+   bypass                     = ["AzureServices"]
    }
}

Remediation

Azure Portal To change the policy using the Azure Portal, follow these steps:*

. Log in to the Azure Portal at https://portal.azure.com.

. Navigate to * Storage Accounts*.

. For each storage account: a) Navigate to * Settings* menu. + b) Click * Firewalls and virtual networks*. + c) For selected networks, select * Allow access*. + d) Select * Allow trusted Microsoft services to access this storage account*. + e) To apply changes,click * Save*.

CLI Command*

To update trusted Microsoft services, use the following command:

az storage account update --name & lt;StorageAccountName> --resource-group & lt;resourceGroupName> --bypass AzureServices

=== Fix - Buildtime

Terraform

Resource: azurerm_storage_account azurerm_storage_account_network_rules
Arguments: bypass

Rule Details

Field	Value
ID	IAC-0547
Severity	LOW
IaC Type	arm
Frameworks	ARM,
Checkov ID	CKV_AZURE_36

References

Checkov Rule

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Azure Storage Account 'Trusted Microsoft Services' access not enabled

Description

Code Example

Remediation

To update trusted Microsoft services, use the following command:

az storage account update --name & lt;StorageAccountName> --resource-group & lt;resourceGroupName> --bypass AzureServices

Rule Details

References

SAST Rules

IaC Rules

License Rules

Azure Storage Account 'Trusted Microsoft Services' access not enabled ​

Description ​

Code Example ​

Remediation ​

To update trusted Microsoft services, use the following command: ​

az storage account update --name & lt;StorageAccountName> --resource-group & lt;resourceGroupName> --bypass AzureServices ​

Rule Details ​

References ​

Azure Storage Account 'Trusted Microsoft Services' access not enabled

Description

Code Example

Remediation

To update trusted Microsoft services, use the following command:

az storage account update --name & lt;StorageAccountName> --resource-group & lt;resourceGroupName> --bypass AzureServices

Rule Details

References