Ensure Azure Storage Account Trusted Microsoft Services access is enabled

Error: Azure Storage Account Trusted Microsoft Services access is not enabled

Bridgecrew Policy ID: BC_AZR_NETWORKING_16
Checkov Check ID: CKV_AZURE_36
Severity: MEDIUM

Description

Some Microsoft services that interact with storage accounts operate from networks that cannot be granted access through network rules. To help this type of service work as intended, you can allow the set of trusted Microsoft services to bypass the network rules. These services will use strong authentication to access the storage account. Allowing trusted Microsoft services grants access to the storage account for the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription).

Turning on firewall rules for a storage account blocks incoming requests for data, including requests from other Azure services such as the portal and log writing. That functionality can be re-enabled: the customer can restore access for services like Monitor, Networking, Event Hubs and Event Grid by enabling Trusted Microsoft Services through an exception. Backup and Restore of Virtual Machines using unmanaged disks in storage accounts with network rules applied is likewise supported by creating an exception.

Fix - Runtime

Azure Portal

To change the policy using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Navigate to Storage Accounts.
  3. For each storage account:
    a) Navigate to Settings menu.
    b) Click Firewalls and virtual networks.
    c) For selected networks, select Allow access.
    d) Select Allow trusted Microsoft services to access this storage account.
    e) To apply changes, click Save.

CLI Command

To update trusted Microsoft services, use the following command:

az storage account update \
  --name <StorageAccountName> \
  --resource-group <resourceGroupName> \
  --bypass AzureServices

Fix - Buildtime

Terraform

  • Resources:
    azurerm_storage_account
    azurerm_storage_account_network_rules
  • Argument: bypass
resource "azurerm_storage_account" "example" {
    ...
+   network_rules {
+     ...
+     bypass = ["AzureServices"]
+   }
}
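The following is an added illustration, not Checkov's own implementation of CKV_AZURE_36, of how the buildtime condition above can be evaluated over parsed Terraform resources. It assumes a simplified dict shape for the parsed configuration (a constructed format for this example, not Checkov's internal representation) and covers both places the `bypass` argument can live: the inline `network_rules` block of `azurerm_storage_account` and a separate `azurerm_storage_account_network_rules` resource linked by `storage_account_id`. An account with no rule set, or with `default_action = "Allow"`, is reported as passing because no firewall blocks trusted services; a missing `bypass` on a denying rule set is treated conservatively as failing (an assumption of this example, not a statement about provider defaults).

```python
"""Evaluate Terraform storage-account resources for trusted Microsoft services bypass.

Added example; not Checkov's code. The resource dicts below are constructed
sample input in a simplified, hypothetical parsed shape.
"""

PASSED = "PASSED"
FAILED = "FAILED"

# Constructed sample of parsed Terraform resources (hypothetical shape).
SAMPLE_RESOURCES = {
    "azurerm_storage_account.locked_down": {
        "type": "azurerm_storage_account",
        "network_rules": {"default_action": "Deny", "bypass": ["Logging", "Metrics"]},
    },
    "azurerm_storage_account.compliant": {
        "type": "azurerm_storage_account",
        "network_rules": {"default_action": "Deny", "bypass": ["AzureServices"]},
    },
    "azurerm_storage_account.open": {
        "type": "azurerm_storage_account",
        # No network_rules block: default_action is Allow, nothing is blocked.
    },
    "azurerm_storage_account.external": {
        "type": "azurerm_storage_account",
    },
    "azurerm_storage_account_network_rules.external": {
        "type": "azurerm_storage_account_network_rules",
        "storage_account_id": "${azurerm_storage_account.external.id}",
        "default_action": "Deny",
        "bypass": ["None"],
    },
}


def effective_rules(address, resources):
    """Return the network rule set that applies to the storage account at `address`.

    A separate azurerm_storage_account_network_rules resource referencing the
    account takes precedence over an inline network_rules block.
    """
    rules = resources[address].get("network_rules")
    for conf in resources.values():
        if conf.get("type") != "azurerm_storage_account_network_rules":
            continue
        if address + ".id" in conf.get("storage_account_id", ""):
            rules = conf
    return rules


def check_trusted_services(rules):
    """Apply the CKV_AZURE_36 condition to one rule set (None = no rules)."""
    if rules is None:
        return PASSED  # no firewall configured, so nothing blocks trusted services
    if rules.get("default_action", "Allow") != "Deny":
        return PASSED  # firewall not restricting traffic; bypass is irrelevant
    # Conservative assumption: an absent bypass list does not grant access.
    return PASSED if "AzureServices" in rules.get("bypass", []) else FAILED


def evaluate(resources):
    """Return {storage_account_address: PASSED|FAILED} for every storage account."""
    results = {}
    for address, conf in resources.items():
        if conf.get("type") == "azurerm_storage_account":
            results[address] = check_trusted_services(effective_rules(address, resources))
    return results


if __name__ == "__main__":
    for address, result in evaluate(SAMPLE_RESOURCES).items():
        print(f"{result:7} {address}")
```

Running the block lists each sample account with its verdict; the two accounts whose denying rule set omits `AzureServices` (one inline, one via the separate rules resource) are the ones that fail.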