CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
Trusted network services cannot be whitelisted via network rules. When any network rule is configured, the trusted services will not be able to access the storage account. Note that by default no network rule is configured.
Set the `properties.networkAcls.bypass` attribute to `'Azure Services'`. Be sure to add appropriate rules for your application alongside the proposed remediation step.
Set the `bypass` attribute to `["AzureServices"]`. Ensure you add appropriate rules for your application.
Note that applying this remediation without any other rules will block all network access to the storage account except for Microsoft Trusted Services.
```hcl
# Example azurerm_storage_account_network_rules
resource "azurerm_storage_account_network_rules" "validrule" {
  resource_group_name  = azurerm_resource_group.rg1.name
  storage_account_name = azurerm_storage_account.valid2.name
  default_action       = "Deny"
  bypass               = ["AzureServices"]
}

# Example azurerm_storage_account
resource "azurerm_storage_account" "allowed_2" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
  }
}
```
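The rule above can be checked before deployment against the JSON form of a Terraform plan. The following is an added example, not code from this page or from the scanner it describes; it assumes the `resource_changes` layout produced by `terraform show -json`, and the sample plan, resource addresses and function names are constructed for illustration.

```python
import json

# Constructed sample: a trimmed `terraform show -json` plan (not from the page).
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_storage_account.allowed_2", "type": "azurerm_storage_account",
   "change": {"after": {"network_rules": [{"default_action": "Deny", "bypass": ["AzureServices"]}]}}},
  {"address": "azurerm_storage_account.logs_only", "type": "azurerm_storage_account",
   "change": {"after": {"network_rules": [{"default_action": "Deny", "bypass": ["Logging", "Metrics"]}]}}},
  {"address": "azurerm_storage_account.no_rules", "type": "azurerm_storage_account",
   "change": {"after": {"network_rules": []}}},
  {"address": "azurerm_storage_account_network_rules.missing",
   "type": "azurerm_storage_account_network_rules",
   "change": {"after": {"default_action": "Deny", "bypass": ["None"]}}},
  {"address": "azurerm_storage_account.deleted", "type": "azurerm_storage_account",
   "change": {"after": null}}
]}
""")

def _rule_blocks(rc):
    """Yield the network-rule settings declared by one resource_changes entry."""
    after = (rc.get("change") or {}).get("after")
    if not after:  # resource is being destroyed: nothing to check
        return
    if rc.get("type") == "azurerm_storage_account_network_rules":
        yield after
    elif rc.get("type") == "azurerm_storage_account":
        # Nested blocks appear as a list; empty or absent means no network rule.
        yield from (after.get("network_rules") or [])

def missing_trusted_bypass(plan):
    """Return addresses whose network rules do not list AzureServices in bypass."""
    findings = []
    for rc in plan.get("resource_changes", []):
        for block in _rule_blocks(rc):
            # Design choice of this example: a bypass absent from the plan is
            # reported too, because the check wants the value set explicitly.
            if "AzureServices" not in (block.get("bypass") or []):
                findings.append(rc["address"])
    return findings

if __name__ == "__main__":
    for address in missing_trusted_bypass(SAMPLE_PLAN):
        print(f"FAIL {address}: bypass does not include AzureServices")
```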