
Enable Trusted Microsoft Services for Storage Account Access

Last updated: 11 September 2020
Risk level: Medium (should be achieved)
Rule ID: StorageAccounts-008

Ensure that the "Allow trusted Microsoft services to access this storage account" exception is enabled in the network configuration of your Azure Storage accounts, so that the Azure services your workloads depend on can still reach the account once its network rules are restricted.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Restricting a storage account's network access (setting the default network rule to Deny so that only selected virtual networks and IP ranges are allowed) blocks every incoming request that does not match a rule, including requests from other Azure services. For those services to keep working against the account, you have to add an exception that lets trusted Microsoft services bypass the network rules. With the "Allow trusted Microsoft services to access this storage account" exception enabled, the following services are granted network access to the storage account: Azure Backup, Azure Event Grid, Azure Site Recovery, Azure DevTest Labs, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription). The exception only lifts the network restriction; it does not grant data access on its own. Each of these services still has to authenticate to the account (with a managed identity and an RBAC role assignment, an account key or a SAS token) before it can read or write data, so enabling the exception does not open the account to anonymous access.

Audit

To determine if the "Allow trusted Microsoft services to access this storage account" exception is enabled, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name of the Azure Storage account that you want to examine.

04 In the navigation panel, under Settings, select Firewalls and virtual networks to access network security configuration page for the selected storage account.

05 On the Firewalls and virtual networks page, under Exceptions, check the configuration status of the Allow trusted Microsoft services to access this storage account exception. The Exceptions panel is shown only when access is restricted to selected networks (default network access rule set to Deny); if it is not displayed, see the conformity rule for the default network access rule to enable it, after which the Exceptions panel becomes available. If the Allow trusted Microsoft services to access this storage account checkbox is not selected, the exception is not enabled and the trusted Microsoft services cannot bypass the network rules of the selected Azure Storage account.

06 Repeat steps no. 3 – 5 for each storage account available within the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run storage account list command (Windows/macOS/Linux) using custom query filters to describe the name for each storage account available in the current Azure subscription:

az storage account list \
	--query '[*].name'

02 The command output should return the requested storage account names:

[
  "abcdabcdabcd123412341234",
  "123412341234abcdabcdabcd"
]

03 Run storage account show command (Windows/macOS/Linux) using the name of the storage account that you want to examine as identifier parameter and custom query filters to get the "Allow trusted Microsoft services to access this storage account" exception configuration status:

az storage account show \
	--name abcdabcdabcd123412341234 \
	--query 'networkRuleSet.bypass'

04 The command output should return the list of services that are allowed to bypass the account's network rules, for example:

"None"

The value is a single comma-separated string: "None" when no exception is enabled, or a list such as "Logging, Metrics" or "AzureServices, Logging, Metrics". If the returned value does not contain "AzureServices" (for example "None" or "Logging, Metrics"), the "Allow trusted Microsoft services to access this storage account" exception is not enabled, therefore the trusted Microsoft services cannot bypass the network rules of the selected Azure Storage account.

05 Repeat step no. 3 and 4 for each storage account available within the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
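The audit steps above, scripted end to end as an added example (this script is not part of the Cloud Conformity page): instead of one show command per account, it pulls name, default action and bypass list for every storage account in a subscription with a single list call, repeats that for every subscription the signed-in az CLI can see, and prints one verdict per account. It also reports accounts whose default action is still Allow, because the exception is irrelevant while the firewall is not restricting anything. The function names, the sample account names and the sample rows are the example's own constructions; the az commands and JMESPath queries are real.

```shell
#!/bin/sh
# Added example, not the page's own code: audit the trusted-services bypass
# across all subscriptions visible to the signed-in az CLI.
set -eu

TAB="$(printf '\t')"

# True (exit 0) when a networkRuleSet.bypass value includes AzureServices.
# az returns the value as a comma-separated string, e.g. "None",
# "Logging, Metrics" or "AzureServices, Logging, Metrics".
bypass_allows_azure_services() {
    case ",$(printf '%s' "$1" | tr -d ' ')," in
        *,AzureServices,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "name<TAB>defaultAction<TAB>bypass" rows on stdin (the shape produced
# by the az --query/-o tsv call below) and print one verdict line per row.
classify_rows() {
    while IFS="$TAB" read -r name action bypass; do
        [ -n "$name" ] || continue
        if [ "$action" != "Deny" ]; then
            # The firewall is not restricting anything, so the exception is
            # moot; the real finding here is the Allow default action.
            printf 'NOT_APPLICABLE %s (defaultAction=%s)\n' "$name" "$action"
        elif bypass_allows_azure_services "$bypass"; then
            printf 'COMPLIANT %s (bypass=%s)\n' "$name" "$bypass"
        else
            printf 'NON_COMPLIANT %s (bypass=%s)\n' "$name" "$bypass"
        fi
    done
}

# Live audit: one list call per subscription, rows fed to the classifier.
audit_all_subscriptions() {
    az account list --query '[].id' -o tsv | while read -r sub; do
        printf '== subscription %s\n' "$sub"
        az storage account list --subscription "$sub" \
            --query '[].[name, networkRuleSet.defaultAction, networkRuleSet.bypass]' \
            -o tsv | classify_rows
    done
}

# Constructed sample rows (fictional accounts) in the same tsv shape, so the
# classifier can be exercised offline without an Azure login.
sample_rows() {
    printf '%s\t%s\t%s\n' \
        abcdabcdabcd123412341234 Deny None \
        123412341234abcdabcdabcd Deny "AzureServices, Logging, Metrics" \
        openaccount000 Allow AzureServices
}

audit_sample() {
    sample_rows | classify_rows
}

# Set AUDIT_LIVE=1 to query Azure; by default the constructed sample is used.
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    audit_all_subscriptions
else
    audit_sample
fi
```

Against the sample rows the script flags the first account as NON_COMPLIANT (bypass=None), the second as COMPLIANT, and the third as NOT_APPLICABLE because its default action is Allow. With AUDIT_LIVE=1 the same classifier runs over real az output; the tsv output format is used so that a bypass value containing spaces and commas still arrives as a single field.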

Remediation / Resolution

To allow trusted Microsoft services to access your Azure Storage accounts, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name of the Azure Storage account that you want to reconfigure.

04 In the navigation panel, under Settings, select Firewalls and virtual networks to access network security configuration page for the selected storage account.

05 On the Firewalls and virtual networks page, under Exceptions, select the Allow trusted Microsoft services to access this storage account checkbox to let the trusted Microsoft services bypass the network rules of the selected Azure Storage account. The Exceptions panel is shown only when access is restricted to selected networks (default network access rule set to Deny); if it is not displayed, see the conformity rule for the default network access rule to enable it first, after which the Exceptions panel becomes available.

06 Click Save to apply the changes.

07 Repeat steps no. 3 – 6 for each storage account available in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run storage account update command (Windows/macOS/Linux) using the name of the storage account that you want to reconfigure as identifier parameter (see Audit section part II to identify the right account) to enable the "Allow trusted Microsoft services to access this storage account" exception for the selected Azure Storage account. Note that --bypass replaces the account's whole bypass list rather than adding to it: if the Audit step returned a value such as "Logging, Metrics", keep those entries by passing them as well, e.g. --bypass AzureServices Logging Metrics, otherwise diagnostic logging and metrics traffic will start being blocked by the network rules:

az storage account update \
	--name abcdabcdabcd123412341234 \
	--bypass AzureServices

02 The command output should return the reconfigured storage account metadata:

{
  "accessTier": "Hot",
  "creationTime": "2019-04-23T11:39:20.351002+00:00",
  "enableAzureFilesAadIntegration": null,
  "customDomain": null,
  "enableHttpsTrafficOnly": false,

   ...

  "networkRuleSet": {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [
      {
        "action": "Allow",
        "ipAddressOrRange": "16.17.18.0/24"
      }
    ],
    "virtualNetworkRules": []
  },

  ...

  "statusOfPrimary": "available",
  "statusOfSecondary": null,
  "tags": {
    "ms-resource-usage": "azure-cloud-shell"
  },
  "type": "Microsoft.Storage/storageAccounts"
}

03 Repeat step no. 1 and 2 for each storage account available in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
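The remediation above, scripted as an added example (not the page's own code) so that it can be applied to a list of accounts without the side effect described in step no. 1: because --bypass replaces the whole bypass list, the script first reads the account's current networkRuleSet.bypass value, merges AzureServices into it, and writes the merged list back, then prints the resulting value for confirmation. The function names, the account-name arguments and the "Logging, Metrics" sample value are the example's own; the az commands and parameters are real.

```shell
#!/bin/sh
# Added example, not the page's own code: enable the trusted-services
# exception on one or more storage accounts without discarding the Logging
# and Metrics bypass entries the account may already have.
set -eu

# Convert the comma-separated bypass string az returns (e.g. "None",
# "Logging, Metrics", "AzureServices, Logging, Metrics") into the
# space-separated value list that --bypass expects, with AzureServices
# included exactly once and the "None" placeholder dropped.
merged_bypass_args() {
    result="AzureServices"
    for entry in $(printf '%s' "$1" | tr -d ' ' | tr ',' ' '); do
        case "$entry" in
            None|AzureServices) ;;          # placeholder or already present
            *) result="$result $entry" ;;
        esac
    done
    printf '%s' "$result"
}

# Remediate one account: read the current bypass list, merge, write back,
# and print the resulting bypass value so the change can be confirmed.
# Needs an authenticated az CLI with write access to the account.
enable_trusted_services() {
    account="$1"
    current="$(az storage account show --name "$account" \
                   --query 'networkRuleSet.bypass' -o tsv)"
    # $(...) is deliberately unquoted: --bypass takes space-separated values.
    az storage account update --name "$account" \
        --bypass $(merged_bypass_args "$current") \
        --query 'networkRuleSet.bypass' -o tsv
}

if [ $# -gt 0 ]; then
    # Usage: sh enable_trusted_services.sh <account-name> [<account-name> ...]
    for account in "$@"; do
        printf '%s: ' "$account"
        enable_trusted_services "$account"
    done
else
    # Offline demonstration of the merge with a constructed current value.
    printf 'merged --bypass value for "Logging, Metrics": %s\n' \
        "$(merged_bypass_args 'Logging, Metrics')"
fi
```

Run it with the account names identified in the Audit section as arguments; an account whose bypass was "Logging, Metrics" is updated with --bypass AzureServices Logging Metrics, and one whose bypass was "None" with --bypass AzureServices. The account's default action and IP/virtual network rules are untouched because the update only sets --bypass.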

Publication date Jun 12, 2019
