
Create storage2.json #7

Open
wants to merge 1 commit into base: master from

Conversation

kartikp10

No description provided.

@bridgecrew bridgecrew bot left a comment

Bridgecrew has found 4 infrastructure configuration errors in this PR ⬇️

},
"variables": {},
"resources": [
{
@bridgecrew bridgecrew bot Jul 13, 2021

HIGH   Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
    Resource: Microsoft.Storage/storageAccounts.[parameters('storageAccountName')] | ID: BC_AZR_NETWORKING_16

How to Fix

resource "azurerm_storage_account" "example" {
    name                     = "example"
    resource_group_name      = data.azurerm_resource_group.example.name
    location                 = data.azurerm_resource_group.example.location
    account_tier             = "Standard"
    account_replication_type = "GRS"
    network_rules {
    default_action             = "Deny"
    ip_rules                   = ["100.0.0.1"]
    virtual_network_subnet_ids = [azurerm_subnet.example.id]
+   bypass                     = ["AzureServices"]
    }
}

Description

Some Microsoft services that interact with storage accounts operate from networks that cannot be granted access through network rules. To help this type of service work as intended, you can allow the set of trusted Microsoft services to bypass the network rules. These services will use strong authentication to access the storage account. Allowing trusted Microsoft services grants access to the storage account for the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription).

Turning on firewall rules for a storage account will block access to incoming requests for data, including from other Azure services, such as using the portal and writing logs. Functionality can be re-enabled. The customer can get access to services like Monitor, Networking, Hubs, and Event Grid by enabling Trusted Microsoft Services through exceptions. Backup and Restore of Virtual Machines using unmanaged disks in storage accounts with network rules applied is supported by creating an exception.

Benchmarks

  • CIS AZURE V1.1 3.8
  • CIS AZURE V1.3 3.7

},
"variables": {},
"resources": [
{
@bridgecrew bridgecrew bot Jul 13, 2021

CRITICAL   Ensure default network access rule for Storage Accounts is set to deny
    Resource: Microsoft.Storage/storageAccounts.[parameters('storageAccountName')] | ID: BC_AZR_NETWORKING_15

How to Fix

resource "azurerm_storage_account_network_rules" "test" {
    resource_group_name  = azurerm_resource_group.test.name
    storage_account_name = azurerm_storage_account.test.name

+   default_action             = "Deny"
}

Description

Restricting default network access helps to provide an additional layer of security. By default, storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.

We recommend you configure storage accounts to deny access to traffic from all networks, including internet traffic. At an appropriate time, access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, enabling connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require authorization, such as a valid access key or SAS token, to access the storage account.

Benchmarks

  • CIS AZURE V1.1 3.7
  • CIS AZURE V1.3 3.6

},
"variables": {},
"resources": [
{
@bridgecrew bridgecrew bot Jul 13, 2021

HIGH   Ensure that 'Secure transfer required' is set to 'Enabled'
    Resource: Microsoft.Storage/storageAccounts.[parameters('storageAccountName')] | ID: BC_AZR_STORAGE_1

How to Fix

resource "azurerm_storage_account" "storage_account" {
  name                      = "example"
  resource_group_name       = data.azurerm_resource_group.example.name
  location                  = data.azurerm_resource_group.example.location
  account_tier              = "Standard"
  account_replication_type  = "GRS"
- enable_https_traffic_only = false
+ enable_https_traffic_only = true
}

Description

Microsoft recommends that you always require secure transfer for all of your storage accounts. When secure transfer is required, a call to an Azure Storage REST API operation must be made over HTTPS. A request made over HTTP is rejected.

We recommend you configure Azure Blob storage to accept requests from secure connections only. This is achieved by setting the Secure Transfer Required property. When you require secure transfer, any requests originating from an insecure connection are rejected.

Benchmarks

  • CIS AZURE V1.1 3.1
  • CIS AZURE V1.3 3.1

"kind": "[parameters('kind')]",
"tags": {},
"resources": [
{
@bridgecrew bridgecrew bot Jul 13, 2021

CRITICAL   Ensure that 'Public access level' is set to Private for blob containers
    Resource: blobServices/containers.[concat('default/', parameters('containerName'))] | ID: BC_AZR_NETWORKING_14

How to Fix

resource "azurerm_storage_container" "example" {
    name                  = "vhds"
    storage_account_name  = azurerm_storage_account.example.name
+   container_access_type = "private"
}

Description

Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key or requiring a shared access signature.

We recommend you do not provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers.

Benchmarks

  • CIS AZURE V1.1 3.6
  • CIS AZURE V1.3 3.5
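As a defender-side illustration of the four findings above, here is an added Python checker (not Bridgecrew's code and not this PR's storage2.json) that walks an ARM template's top-level and nested resources and reports the same four conditions. The template it scans is constructed inline, and the property names (`networkAcls.defaultAction`, `networkAcls.bypass`, `supportsHttpsTrafficOnly`, `publicAccess`) follow the ARM schema for Microsoft.Storage/storageAccounts and its blob containers.

```python
import json

# Constructed ARM template fragment (not the PR's storage2.json): a storage
# account with a nested blob container carrying all four reported findings.
SAMPLE_TEMPLATE = json.dumps({"resources": [{
    "type": "Microsoft.Storage/storageAccounts",
    "name": "[parameters('storageAccountName')]",
    "properties": {
        "supportsHttpsTrafficOnly": False,
        "networkAcls": {"defaultAction": "Allow", "bypass": "None"},
    },
    "resources": [{
        "type": "blobServices/containers",
        "name": "[concat('default/', parameters('containerName'))]",
        "properties": {"publicAccess": "Container"},
    }],
}]})

def iter_resources(resources, parent_type=""):
    """Yield (full_type, resource) for top-level and nested child resources."""
    for res in resources:
        rtype = res.get("type", "")
        # Child resources use a type relative to the parent (e.g. "blobServices/containers").
        full = f"{parent_type}/{rtype}" if parent_type and not rtype.startswith("Microsoft.") else rtype
        yield full, res
        yield from iter_resources(res.get("resources", []), full)

def check_template(template_json):
    """Return [(check_id, resource_name, message)] for the four Bridgecrew checks on the page."""
    findings = []
    for full_type, res in iter_resources(json.loads(template_json).get("resources", [])):
        props, name = res.get("properties", {}), res.get("name", "<unnamed>")
        if full_type == "Microsoft.Storage/storageAccounts":
            acls = props.get("networkAcls", {})
            if acls.get("defaultAction") != "Deny":
                findings.append(("BC_AZR_NETWORKING_15", name, "networkAcls.defaultAction must be 'Deny'"))
            # ARM expresses bypass as a comma-separated string, e.g. "AzureServices, Logging".
            bypass = {b.strip() for b in str(acls.get("bypass", "")).split(",")}
            if "AzureServices" not in bypass:
                findings.append(("BC_AZR_NETWORKING_16", name, "networkAcls.bypass must include 'AzureServices'"))
            # Older API versions defaulted this to false, so only an explicit true passes.
            if props.get("supportsHttpsTrafficOnly") is not True:
                findings.append(("BC_AZR_STORAGE_1", name, "supportsHttpsTrafficOnly must be true"))
        elif full_type.endswith("/blobServices/containers"):
            # An omitted publicAccess means no anonymous access; only Blob/Container is a finding.
            if props.get("publicAccess", "None") != "None":
                findings.append(("BC_AZR_NETWORKING_14", name, "publicAccess must be 'None'"))
    return findings
```

Running `check_template(SAMPLE_TEMPLATE)` yields one finding per check ID, matching the four the bot reported; a template with `defaultAction: "Deny"`, `bypass: "AzureServices"`, `supportsHttpsTrafficOnly: true` and `publicAccess: "None"` yields none.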
