Risk Level: Low
Description
This plugin ensures that Trusted Microsoft Services Access is enabled on Storage Accounts. Enabling firewall rules on Storage Accounts blocks all access by default. To ensure that Microsoft and Azure services that connect to the Storage Account still retain access, trusted Microsoft services should be allowed to access the storage account.
About the Service
Storage Accounts: An azure storage account is used to store the customer’s data objects such as files, queues, shares, etc. The storage accounts ensure high availability for the clients and allot a unique namespace for the storage data and are accessible from anywhere around the world using HTTP or HTTPS protocols.
Impact
In the case of Microsoft Service, access is disabled, the firewall will by default block all the services causing inaccessibility of Microsoft services as well which may interfere with the product service availability and speedy delivery.
Steps to Reproduce
- Log in to the Azure portal.
- Click on Storage accounts for Services.
- Select a storage account to check for the issue.
- From the navigation bar, select Networking from Security+Networking.
- By default, the Firewall and Virtual networks tab is opened, go to the Exceptions section, if the “Allow Azure services on the trusted services list to access this storage account” is not selected, visit the Steps to Remediation section.
- Repeat for other storage accounts' logs containers as well.
Steps for Remediation
- Log in to the Azure portal.
- Click on Storage accounts for Services.
- Select any one of the storage accounts to check for the issue.
- From the navigation bar, select Networking from Security+Networking.
- By default, the Firewall and Virtual networks tab is opened, go to the Exceptions section, and check the “Allow Azure services on the trusted services list to access this storage account” box. Click on the Save button given on top.
- Repeat for other storage account’s logs container as well.
Please feel free to reach out to support@pingsafe.ai with any questions that you may have.
Thanks
PingSafe Support