The other day I had a customer request where they needed to ensure that no Azure Storage Accounts were exposed to the Internet. Restricting already provisioned Storage Accounts from the Internet is a pain in the a$$; however, with Azure Policy we can ensure that no future Storage Accounts will ever be exposed to the Internet. As an FYI, by default most Azure services, like Storage Accounts, Key Vaults, and many others, are exposed to the Internet. Not too sure why Microsoft elected to go this route... For example, in AWS, services like S3 (the Storage Account equivalent) are not accessible from the Internet by default; you have to intentionally expose them. I almost prefer this method. I digress. In Azure, to ensure Cloud Administrators are not creating Storage Accounts and leaving them exposed to the Internet, we can either manually restrict each Storage Account by enforcing VNet-only access, which is tedious and very time consuming, especially if you have hundreds, or, better yet, deploy an Azure Policy to ensure no future Storage Account will ever be exposed to the Internet.
Below is a simple Azure Policy definition (JSON format) that you can deploy to ensure that, at the very least, your future Azure Storage Accounts are never accessible from the Internet at creation time. It matches any resource of type Microsoft.Storage/storageAccounts whose network ACL default action is anything other than Deny, and rejects the request with the deny effect.
{
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "restrict-public-storageAccounts-policyDef",
  "properties": {
    "displayName": "Restrict Internet access for Storage Accounts",
    "description": "This policy restricts Storage Accounts from being exposed to the Internet.",
    "metadata": {
      "category": "Storage"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
            "notequals": "Deny"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
Once you have this policy assigned and enabled, go ahead and test it out by creating a Storage Account that is not VNet restricted. You should get something like this! Keep in mind that the deny effect only blocks new create and update requests: Storage Accounts that already exist stay exposed and are merely reported as non-compliant until you restrict them yourself.
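To see which request bodies the rule above would reject before you assign it, here is a small local evaluator for the allOf / equals / notEquals subset of the policy language that this definition uses. This is an added example, not code from the post or from Azure; the sample resources are constructed, and treating a missing networkAcls value as "not equal to Deny" is an assumption of this simulator.

```python
from typing import Any

# The rule from the policy definition above, as a Python dict (same content).
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
         "notequals": "Deny"},
    ]},
    "then": {"effect": "deny"},
}

def resolve_field(resource: dict, field: str) -> Any:
    """'type' is top-level; a provider alias such as
    'Microsoft.Storage/storageAccounts/networkAcls.defaultAction' is read from
    resource['properties'] by its trailing dotted path. A missing value
    resolves to None (simulator assumption)."""
    if field.lower() == "type":
        return resource.get("type")
    node: Any = resource.get("properties", {})
    for part in field.rsplit("/", 1)[-1].split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def evaluate(condition: dict, resource: dict) -> bool:
    """Evaluate the allOf / equals / notEquals subset this policy uses.
    String comparison is case-insensitive, as in Azure Policy."""
    cond = {k.lower(): v for k, v in condition.items()}
    if "allof" in cond:
        return all(evaluate(c, resource) for c in cond["allof"])
    value = resolve_field(resource, cond["field"])
    norm = lambda v: v.lower() if isinstance(v, str) else v
    if "equals" in cond:
        return norm(value) == norm(cond["equals"])
    if "notequals" in cond:
        return norm(value) != norm(cond["notequals"])
    raise ValueError(f"unsupported condition: {condition}")

def effect_for(resource: dict, policy: dict = POLICY_RULE) -> str:
    """'deny' when the rule matches the request body, otherwise 'allow'."""
    return policy["then"]["effect"] if evaluate(policy["if"], resource) else "allow"

# Constructed sample request bodies (not real accounts).
EXPOSED = {"type": "Microsoft.Storage/storageAccounts",
           "properties": {"networkAcls": {"defaultAction": "Allow"}}}
LOCKED_DOWN = {"type": "Microsoft.Storage/storageAccounts",
               "properties": {"networkAcls": {"defaultAction": "deny"}}}
NO_ACLS = {"type": "Microsoft.Storage/storageAccounts", "properties": {}}
VAULT = {"type": "Microsoft.KeyVault/vaults", "properties": {}}
```

Calling effect_for() on each sample shows the exposed and ACL-less accounts are denied while the locked-down account and the unrelated Key Vault pass through.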
I hope this was helpful, Cheers!