Create storage2.json #7
base: master
Conversation
Bridgecrew has found 4 infrastructure configuration errors in this PR ⬇️
}, | ||
"variables": {}, | ||
"resources": [ | ||
{ |
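Review bot: the three account-level "How to Fix" snippets that follow are written for the Terraform azurerm provider, but this PR adds an ARM template (storage2.json), so they cannot be applied to the lines shown here; in ARM the same settings live under the storage account's properties block (networkAcls.defaultAction, networkAcls.bypass and supportsHttpsTrafficOnly) and should be added there. Note also that the account name is [parameters('storageAccountName')]; any security-relevant value that is likewise taken from a parameter is invisible to a static scanner, so give such parameters a safe default or allowedValues rather than leaving them free.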
Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
Resource: Microsoft.Storage/storageAccounts.[parameters('storageAccountName')] | ID: BC_AZR_NETWORKING_16
How to Fix
resource "azurerm_storage_account" "example" {
  name                     = "example"
  resource_group_name      = data.azurerm_resource_group.example.name
  location                 = data.azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  network_rules {
    default_action             = "Deny"
    ip_rules                   = ["100.0.0.1"]
    virtual_network_subnet_ids = [azurerm_subnet.example.id]
+   bypass                     = ["AzureServices"]
  }
}
Description
Some Microsoft services that interact with storage accounts operate from networks that cannot be granted access through network rules. To help this type of service work as intended, you can allow the set of trusted Microsoft services to bypass the network rules. These services will use strong authentication to access the storage account. Allowing trusted Microsoft services grants access to the storage account for the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription).

Turning on firewall rules for a storage account will block access to incoming requests for data, including from other Azure services, such as using the portal and writing logs. Functionality can be re-enabled. The customer can get access to services like Monitor, Networking, Hubs, and Event Grid by enabling Trusted Microsoft Services through exceptions. Backup and Restore of Virtual Machines using unmanaged disks in storage accounts with network rules applied is supported by creating an exception.
Benchmarks
- CIS AZURE V1.1 3.8
- CIS AZURE V1.3 3.7
}, | ||
"variables": {}, | ||
"resources": [ | ||
{ |
Ensure default network access rule for Storage Accounts is set to deny
Resource: Microsoft.Storage/storageAccounts.[parameters('storageAccountName')] | ID: BC_AZR_NETWORKING_15
How to Fix
resource "azurerm_storage_account_network_rules" "test" {
  resource_group_name  = azurerm_resource_group.test.name
  storage_account_name = azurerm_storage_account.test.name
+ default_action       = "Deny"
}
Description
Restricting default network access helps to provide an additional layer of security. By default, storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.

We recommend you configure storage accounts to deny access to traffic from all networks, including internet traffic. At an appropriate time, access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges enabling connections from specific internet or on-premises clients. When network rules are configured only applications from allowed networks can access a storage account. When calling from an allowed network applications continue to require authorization, such as a valid access key or SAS token, to access the storage account.
Benchmarks
- CIS AZURE V1.1 3.7
- CIS AZURE V1.3 3.6
}, | ||
"variables": {}, | ||
"resources": [ | ||
{ |
Ensure that 'Secure transfer required' is set to 'Enabled'
Resource: Microsoft.Storage/storageAccounts.[parameters('storageAccountName')] | ID: BC_AZR_STORAGE_1
How to Fix
resource "azurerm_storage_account" "storage_account" {
  name                     = "example"
  resource_group_name      = data.azurerm_resource_group.example.name
  location                 = data.azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
- enable_https_traffic_only = false
+ enable_https_traffic_only = true
}
Description
Microsoft recommends that you always require secure transfer for all of your storage accounts. When secure transfer is required a call to an Azure Storage REST API operation must be made over HTTPS. A request made over HTTP is rejected.

We recommend you configure Azure Blob storage to accept requests from secure connections only. This is achieved by setting the Secure Transfer Required property. When you require secure transfer, any requests originating from an insecure connection are rejected.
Benchmarks
- CIS AZURE V1.1 3.1
- CIS AZURE V1.3 3.1
"kind": "[parameters('kind')]", | ||
"tags": {}, | ||
"resources": [ | ||
{ |
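Review bot: the context here ("kind": "[parameters('kind')]" followed by a nested "resources" list) shows the container is declared as a child of the storage account in this ARM template, so the azurerm_storage_container fix below does not apply to this file; the ARM equivalent is properties.publicAccess set to "None" on the blobServices/containers child resource. Because kind is a free parameter, a scanner also cannot tell which account kind will be deployed; give it a default and allowedValues (for example StorageV2) so the template is reviewable as written.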
Ensure that 'Public access level' is set to Private for blob containers
Resource: blobServices/containers.[concat('default/', parameters('containerName'))] | ID: BC_AZR_NETWORKING_14
How to Fix
resource "azurerm_storage_container" "example" {
  name                  = "vhds"
  storage_account_name  = azurerm_storage_account.example.name
+ container_access_type = "private"
}
Description
Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key or requiring a shared access signature.

We recommend you do not provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers.
Benchmarks
- CIS AZURE V1.1 3.6
- CIS AZURE V1.3 3.5
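All four findings above are static checks on the same two ARM resources (the storage account and the container nested under it), and the suggested fixes are Terraform rather than the ARM JSON this PR adds. The script below is an added example, not Bridgecrew's scanner and not the storage2.json from this PR: it walks an ARM template including nested children, evaluates the four rules under their BC_ ids, and reports values that are template expressions, which no static scanner can resolve. The property paths it inspects (properties.networkAcls.defaultAction, properties.networkAcls.bypass, properties.supportsHttpsTrafficOnly on the account; properties.publicAccess on the blobServices/containers child) are the ARM schema's; the WEAK, HARDENED and PARAMETERISED sample templates and the helper names are constructed for the demonstration.

```python
"""Static review of an ARM template for the four storage findings in this PR.

Added example, not Bridgecrew/checkov code and not this PR's storage2.json.
The property paths are the ARM schema for Microsoft.Storage/storageAccounts
and its blobServices/containers child; the sample templates are constructed.
"""
import json

ACCOUNT = "Microsoft.Storage/storageAccounts"
CONTAINER = "Microsoft.Storage/storageAccounts/blobServices/containers"


def _is_expression(value):
    """"[parameters('x')]"-style values are resolved at deploy time, not here."""
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


def _walk(resources, parent_type=None):
    """Yield (full type, resource) for every resource, including nested children.

    A child nested under its parent declares a relative type such as
    "blobServices/containers", so the parent's type is prepended.
    """
    for res in resources or []:
        rtype = res.get("type", "")
        if parent_type and not rtype.startswith("Microsoft."):
            rtype = f"{parent_type}/{rtype}"
        yield rtype, res
        yield from _walk(res.get("resources"), rtype)


def _expect(name, check, value, ok, advice):
    """Return one finding (name, check id, advice), or None when `ok(value)` holds."""
    if _is_expression(value):
        return (name, check, f"value is the expression {value}; pin it or audit the deployed account")
    if not ok(value):
        return (name, check, advice)
    return None


def check_storage_account(name, props):
    acls = props.get("networkAcls") or {}
    # No networkAcls block means defaultAction=Allow: any network can connect.
    # bypass is a comma-separated string ("Logging, Metrics, AzureServices" or "None").
    # supportsHttpsTrafficOnly defaults to false on apiVersions before 2019-04-01,
    # so the value is required to be written out rather than inferred from the default.
    candidates = [
        _expect(name, "BC_AZR_NETWORKING_15", acls.get("defaultAction"),
                lambda v: v == "Deny", 'set properties.networkAcls.defaultAction to "Deny"'),
        _expect(name, "BC_AZR_NETWORKING_16", acls.get("bypass"),
                lambda v: "AzureServices" in [s.strip() for s in (v or "").split(",")],
                'include "AzureServices" in properties.networkAcls.bypass'),
        _expect(name, "BC_AZR_STORAGE_1", props.get("supportsHttpsTrafficOnly"),
                lambda v: v is True, "set properties.supportsHttpsTrafficOnly to true"),
    ]
    return [f for f in candidates if f]


def check_container(name, props):
    # "Blob" or "Container" enables anonymous reads; "None" (the default) is private.
    f = _expect(name, "BC_AZR_NETWORKING_14", props.get("publicAccess"),
                lambda v: v in (None, "None"), 'set properties.publicAccess to "None"')
    return [f] if f else []


def scan_template(template):
    """Return (resource name, check id, advice) for every failed check, parents first."""
    findings = []
    for rtype, res in _walk(template.get("resources")):
        name, props = res.get("name", "?"), res.get("properties") or {}
        if rtype == ACCOUNT:
            findings += check_storage_account(name, props)
        elif rtype == CONTAINER:
            findings += check_container(name, props)
    return findings


def scan_file(path):
    with open(path, encoding="utf-8") as fh:
        return scan_template(json.load(fh))


def _template(network_acls, https_only, public_access):
    """Constructed minimal template: one account with one nested container."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [{
            "type": ACCOUNT, "apiVersion": "2019-06-01", "name": "examplestorage",
            "location": "westeurope", "kind": "StorageV2", "sku": {"name": "Standard_GRS"},
            "properties": {"networkAcls": network_acls, "supportsHttpsTrafficOnly": https_only},
            "resources": [{
                "type": "blobServices/containers", "apiVersion": "2019-06-01",
                "name": "default/vhds",
                "dependsOn": ["[resourceId('Microsoft.Storage/storageAccounts', 'examplestorage')]"],
                "properties": {"publicAccess": public_access},
            }],
        }],
    }


WEAK = _template({"defaultAction": "Allow", "bypass": "None"}, False, "Container")
HARDENED = _template({"defaultAction": "Deny", "bypass": "Logging, Metrics, AzureServices",
                      "ipRules": [{"value": "100.0.0.1", "action": "Allow"}]}, True, "None")
PARAMETERISED = _template({"defaultAction": "[parameters('defaultAction')]",
                           "bypass": "AzureServices"}, True, "None")

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK), ("hardened", HARDENED), ("parameterised", PARAMETERISED)):
        print(label, scan_template(tpl))
```

Run it against a real file with `scan_file("storage2.json")`. The PARAMETERISED case is the one to watch in review: a defaultAction taken from `[parameters('defaultAction')]` is reported as unverifiable rather than passed, because the deployed value depends on whoever runs the deployment, not on the template.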
No description provided.