Azure Storage Account storing Machine Learning workspace high business impact data is publicly accessible
Description
This policy checks whether Azure Storage Accounts for Machine Learning workspaces are publicly accessible. Public access to these accounts storing sensitive business data poses a significant security risk. Leaks or misuse could lead to financial and reputational damage. By ensuring private access, this policy safeguards data confidentiality and integrity.
Code Example
```hcl
resource "azurerm_storage_account" "pass" {
  # ... other arguments omitted
  public_network_access_enabled = false
}

resource "azurerm_machine_learning_workspace" "pass2" {
  # ... other arguments omitted
  storage_account_id = azurerm_storage_account.pass.id
  # ... other arguments omitted
  high_business_impact = true
}
```
Remediation
Terraform
- Resource: azurerm_machine_learning_workspace, azurerm_storage_account
- Arguments: public_network_access_enabled, high_business_impact
- Block all network access using storage account network rules.
- Grant access only to authorized users by adding exceptions for specific IP addresses or ranges.
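The failing and passing storage account configurations side by side, as an added example that is not part of the original policy text. It assumes the resource group, Application Insights and Key Vault resources it references (`azurerm_resource_group.example`, `azurerm_application_insights.example`, `azurerm_key_vault.example`) are defined elsewhere, and the IP range is a placeholder:

```hcl
# Failing configuration (constructed example): the public endpoint stays open
# and no network rules restrict it, while the workspace marks its data as HBI.
resource "azurerm_storage_account" "fail" {
  name                          = "mlhbidatafail"
  resource_group_name           = azurerm_resource_group.example.name
  location                      = azurerm_resource_group.example.location
  account_tier                  = "Standard"
  account_replication_type      = "LRS"
  public_network_access_enabled = true # also the default when omitted
}

# Passing configuration: public endpoint disabled outright, plus network rules
# that deny by default and carry only a named exception, so the account stays
# locked down even if public access is later re-enabled.
resource "azurerm_storage_account" "pass" {
  name                          = "mlhbidatapass"
  resource_group_name           = azurerm_resource_group.example.name
  location                      = azurerm_resource_group.example.location
  account_tier                  = "Standard"
  account_replication_type      = "LRS"
  public_network_access_enabled = false

  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
    ip_rules       = ["203.0.113.0/24"] # placeholder: an approved egress range
  }
}

resource "azurerm_machine_learning_workspace" "hbi" {
  name                    = "mlw-hbi"
  location                = azurerm_resource_group.example.location
  resource_group_name     = azurerm_resource_group.example.name
  application_insights_id = azurerm_application_insights.example.id
  key_vault_id            = azurerm_key_vault.example.id
  storage_account_id      = azurerm_storage_account.pass.id
  high_business_impact    = true

  identity {
    type = "SystemAssigned"
  }
}
```

With `public_network_access_enabled = false` the public endpoint is off entirely, so the `ip_rules` exception only matters if public access is later re-enabled; a private endpoint is the intended access path for the workspace.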
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0807 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AZURE_50 |