Local users used for Azure Storage
Description
This policy detects whether local users are used within Azure Storage accounts. Local users can pose a security risk as they may have direct access to the storage account, which could lead to unauthorized data access or compromise if their credentials are exposed or not managed securely. The best practice is to use Azure Active Directory (AD) identities or managed identities for access control. Azure AD offers advanced security features, centralized management, and stronger authentication methods, reducing the risk of unauthorized access compared to local users, which rely solely on static credentials.
Code Example
resource "azurerm_storage_account" "fail" {
...
- local_user_enabled = true
+ local_user_enabled = false
}Remediation
Terraform
- Resource: azurerm_storage_account
- Arguments: local_user_enabled
Use Azure Active Directory or other centralized identity management solutions to control access to Azure Storage accounts. Relying on Azure AD reduces the dependency on static credentials. Avoid using local users, as they depend on static credentials, which can be less secure and harder to manage.
In this example, the configuration of the Azure Storage account is modified to disable the use of local users by switching the `local_user_enabled` setting from `true` to `false`, ensuring the use of centralized identity management.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0751 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AZURE_244 |