Azure Storage account is not configured with private endpoint connection
Description
This policy is designed to ensure that a storage account is properly configured with a private endpoint. The private endpoint facilitates a secure connection over a private network, rather than the public internet.
If a storage account is not configured with a private endpoint, clients reach it through its public endpoint, so it may be accessible over the public internet. Unauthorized third parties could potentially gain access to the stored data, which may contain sensitive or proprietary information. Hence, it's crucial for the storage account to be properly configured with a private endpoint to maintain network security and data privacy.
Code Example
```hcl
resource "azurerm_storage_account" "example" {
  name                      = "examplestoracc"
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  account_tier              = "Standard"
  account_replication_type  = "GRS"
  enable_https_traffic_only = true
}

resource "azurerm_private_endpoint" "example" {
  name                = "example_private_endpoint"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.example.id

  private_service_connection {
    name                           = "example_psc"
    is_manual_connection           = false
    private_connection_resource_id = azurerm_storage_account.example.id
    subresource_names              = ["blob"]
  }
}
```
Remediation
Terraform
- Resource: azurerm_storage_account, azurerm_private_endpoint
To fix this issue, add an azurerm_private_endpoint in a subnet of your virtual network whose private_service_connection block sets private_connection_resource_id to the storage account's id, as in the code example above.
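The check this rule performs can be reproduced outside Checkov against `terraform show -json` output: a storage account passes only if some azurerm_private_endpoint's private_service_connection points at its id. The script below is an added example, not Checkov's implementation; the state document it parses is constructed inline with a fake subscription id, and the `storage_accounts_without_private_endpoint` function name is my own.

```python
import json

# Constructed sample in the shape of `terraform show -json` output, trimmed to
# the fields the check needs; the subscription id and resource group are fake.
SA = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/"
SAMPLE_STATE = json.dumps({"values": {"root_module": {"resources": [
    {"address": "azurerm_storage_account.example", "type": "azurerm_storage_account",
     "name": "example", "values": {"id": SA + "examplestoracc", "name": "examplestoracc"}},
    {"address": "azurerm_storage_account.exposed", "type": "azurerm_storage_account",
     "name": "exposed", "values": {"id": SA + "exposedstoracc", "name": "exposedstoracc"}},
    {"address": "azurerm_private_endpoint.example", "type": "azurerm_private_endpoint",
     "name": "example", "values": {"private_service_connection": [
         {"name": "example_psc", "subresource_names": ["blob"],
          "private_connection_resource_id": SA + "examplestoracc"}]}},
]}}})


def _walk(module):
    """Yield every resource in a module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk(child)


def storage_accounts_without_private_endpoint(state_json):
    """Return the addresses of azurerm_storage_account resources that no
    azurerm_private_endpoint's private_service_connection targets."""
    resources = list(_walk(json.loads(state_json)["values"]["root_module"]))
    # Every resource id some private endpoint connects to (ARM ids compare
    # case-insensitively, so normalise before comparing).
    targeted = {
        psc["private_connection_resource_id"].lower()
        for r in resources if r["type"] == "azurerm_private_endpoint"
        for psc in r["values"].get("private_service_connection", [])
        if psc.get("private_connection_resource_id")
    }
    return sorted(
        r["address"] for r in resources
        if r["type"] == "azurerm_storage_account"
        and r["values"].get("id", "").lower() not in targeted
    )


if __name__ == "__main__":
    for address in storage_accounts_without_private_endpoint(SAMPLE_STATE):
        print(f"CKV2_AZURE_33 FAILED: {address} has no private endpoint")
```

Run it against a real `terraform show -json` file by replacing SAMPLE_STATE with the file's contents; only azurerm_storage_account.exposed is reported for the constructed sample.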
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0790 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AZURE_33 |