SCOM & Other Geeky Stuff

A series of blog posts around Microsoft Cloud and Datacenter technologies, specifically Azure Cloud, System Center and other various Microsoft technologies.

Azure Policy – Restrict Storage Accounts to Internet Access

Written by Ravi Yadav

The other day I had a customer request to ensure that no Azure Storage Accounts are exposed to the Internet. Restricting already provisioned Storage Accounts from the Internet is a pain in the a$$, however with Azure Policy we can ensure no future Storage Accounts will ever be exposed to the Internet. As an FYI, by default most Azure services, like Storage Accounts, Key Vaults, and many others, are exposed to the Internet. Not too sure why Microsoft elected to go this route… For example, in AWS, services like S3 (the Storage Account equivalent) are not accessible from the Internet by default; you have to intentionally expose them. I almost prefer this method. I digress. In Azure, to ensure Cloud Administrators are not creating storage accounts and leaving them exposed to the Internet, we can either manually restrict each storage account by enforcing VNet access only, which is tedious and very time consuming, especially if you have hundreds of them, or, better yet, deploy an Azure Policy to ensure no future Storage Account will ever be exposed to the Internet.

Below is a simple Azure Policy (JSON format) that you can deploy to ensure that at least your future Azure Storage Accounts will never be accessible from the Internet at creation time. The rule denies any create or update of a Microsoft.Storage/storageAccounts resource whose network ACL default action is anything other than Deny.


{
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "restrict-public-storageAccounts-policyDef",
  "properties": {
    "displayName": "Restrict Internet access for Storage Accounts",
    "description": "This policy restricts Storage Accounts from being exposed to the Internet.",
    "metadata": {
      "category": "Storage"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
            "notEquals": "Deny"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Once you have this Policy assigned and enabled, go ahead and test it out by creating a Storage Account that is not VNet restricted. You should get something like this! Keep in mind that the deny effect only blocks new or updated resources; Storage Accounts that were already exposed before the assignment stay exposed and simply show up as non-compliant.
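To put the definition above to work end to end, here is an added PowerShell example (not from the original post) that deploys the definition, assigns it at subscription scope, and then lists the already-provisioned Storage Accounts the deny effect will not fix. It assumes the JSON above is saved as .\restrict-public-storageAccounts.json (a hypothetical path), that the Az.Resources and Az.Storage modules are installed, and that you have already run Connect-AzAccount.

```powershell
# Added example, not the author's code. Assumes the policy JSON from the post is
# saved at $DefinitionFile and that Connect-AzAccount has already been run.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [string] $DefinitionFile = ".\restrict-public-storageAccounts.json"
)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# The file is a full policyDefinitions resource. New-AzPolicyDefinition takes the
# rule, display name, description and metadata as separate arguments, so unpack it.
$def = Get-Content -Raw -Path $DefinitionFile | ConvertFrom-Json
$definition = New-AzPolicyDefinition -Name $def.name `
    -DisplayName  $def.properties.displayName `
    -Description  $def.properties.description `
    -Metadata     ($def.properties.metadata | ConvertTo-Json -Compress) `
    -Policy       ($def.properties.policyRule | ConvertTo-Json -Depth 20) `
    -Mode         Indexed

# Assign at subscription scope so every Storage Account create/update is evaluated.
New-AzPolicyAssignment -Name "restrict-public-storageAccounts" `
    -DisplayName      $def.properties.displayName `
    -PolicyDefinition $definition `
    -Scope            "/subscriptions/$SubscriptionId" | Out-Null

# A deny effect never changes existing resources, so enumerate the accounts that are
# still reachable from the Internet: any account whose network rule set default
# action is not "Deny" accepts traffic from any source address.
$exposed = Get-AzStorageAccount |
    Where-Object { $_.NetworkRuleSet.DefaultAction -ne 'Deny' }

$exposed |
    Select-Object ResourceGroupName, StorageAccountName,
        @{ n = 'DefaultAction'; e = { $_.NetworkRuleSet.DefaultAction } } |
    Format-Table -AutoSize
```

The final table is the list of accounts you still have to lock down by hand (or via a separate remediation), since the policy only guards creation and updates from here on.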

I hope this was helpful, Cheers!

January 28, 2020January 28, 2020 · Posted in Azure, Cloud, Cybersecurity · Tagged Azure, Best Practices, Cybersecurity, JSON, Policy, Security, Storage Account ·