Ensure Storage Sync Service is not configured with overly permissive network access
Description
This policy checks whether the Storage Sync Service is configured with overly permissive network access. It verifies whether 'incoming_traffic_policy' is set to 'AllowAllTraffic', which allows traffic from any network and could expose the service to unauthorized access. Restricting incoming traffic to approved virtual networks limits the service's exposed attack surface. A Storage Sync Service that fails this check may be reachable from untrusted networks and therefore vulnerable to attack.
Code Example

```terraform
resource "azurerm_storage_sync" "example" {
  name                    = "example"
  resource_group_name     = "example"
  location                = "example"
  incoming_traffic_policy = "AllowVirtualNetworksOnly"
}
```

Remediation
Ensure the Storage Sync Service is configured with restricted network access by setting the 'incoming_traffic_policy' to a more restrictive policy, such as 'AllowVirtualNetworksOnly' or specifying allowed IP addresses.
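As an added example (not part of this policy page or of Checkov's own implementation), the following Python scanner applies the same check to Terraform source text: every azurerm_storage_sync block whose incoming_traffic_policy is not "AllowVirtualNetworksOnly" is reported as failed, including blocks that omit the attribute entirely, on the assumption that the provider default is the permissive "AllowAllTraffic". The sample configuration, resource names and locations are constructed for illustration.

```python
import re

# Constructed sample Terraform configuration (not from any real deployment).
# "open" allows all traffic, "restricted" limits it to virtual networks, and
# "implicit" omits the attribute and so inherits the (assumed) permissive default.
SAMPLE_TF = '''
resource "azurerm_storage_sync" "open" {
  name                    = "open"
  resource_group_name     = "rg-sample"
  location                = "westeurope"
  incoming_traffic_policy = "AllowAllTraffic"
}

resource "azurerm_storage_sync" "restricted" {
  name                    = "restricted"
  resource_group_name     = "rg-sample"
  location                = "westeurope"
  incoming_traffic_policy = "AllowVirtualNetworksOnly"
}

resource "azurerm_storage_sync" "implicit" {
  name                = "implicit"
  resource_group_name = "rg-sample"
  location            = "westeurope"
}

resource "azurerm_storage_account" "unrelated" {
  name = "unrelated"
}
'''

# Heuristic block matcher for terraform-fmt style files: the body runs up to the
# first "}" at the start of a line. This is not a full HCL parser.
RESOURCE_RE = re.compile(
    r'resource\s+"azurerm_storage_sync"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
POLICY_RE = re.compile(r'^\s*incoming_traffic_policy\s*=\s*"([^"]*)"', re.MULTILINE)


def check_storage_sync(hcl: str) -> dict:
    """Map each azurerm_storage_sync resource name to 'PASSED' or 'FAILED'.

    Only an explicit "AllowVirtualNetworksOnly" passes; a missing attribute is
    treated as the permissive default and fails, as does "AllowAllTraffic".
    """
    results = {}
    for match in RESOURCE_RE.finditer(hcl):
        policy = POLICY_RE.search(match.group("body"))
        value = policy.group(1) if policy else None
        results[match.group("name")] = "PASSED" if value == "AllowVirtualNetworksOnly" else "FAILED"
    return results
```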
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0757 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | azurerm_storage_sync |
| Checkov ID | CKV_AZURE_250 |