Azure - Storage Account - "HIGH: Network rules do not allow bypass for Microsoft Services." #8055
AlexcFrench started this conversation in False Detection
Replies: 3 comments 2 replies
-
I would expect this to be a warning if it was enabled...
-
If the check isn't valid for your case, can you not ignore it? Or is there something else to it?
-
Hi Simar7, interesting, thanks for the article. Yes, if we can leave this open for other input, that would be valuable. If this is only my opinion then I'll happily accept the defaults!!!!
-
IDs
Not Applicable
Description
We have multiple storage accounts that do not allow Microsoft Services to bypass the network ACLs.
This is by design, and we have no requirement for Microsoft to access them.
However, this alert is raised as a HIGH when actually we are in a more secure state than if we enabled Microsoft Services access. Enabling this access then relies purely on identity for control from any other tenant.
I.e. if we enable this setting, we allow EventGrid access from any tenant to be able to connect to our storage account and there are no longer any network level controls. The only protection is a Managed System Identity (if configured).
Reproduction Steps
1. Deploy a storage account
2. Do not enable Microsoft network access
3. Trivy config ...
Target
Filesystem
Scanner
Misconfiguration
Target OS
No response
Debug Output
Version
Checklist
- `-f json` that shows data sources and confirmed that the security advisory in data sources was correct
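The two `network_rules` postures the thread is arguing about, as an added Terraform example (not code from the discussion, from Trivy or from its check): the first resource is what the check expects, the second is the no-bypass posture described above together with the inline suppression that Simar7's reply suggests. Resource names, the IP range and `<CHECK-ID>` are placeholders.

```hcl
# Added example, not from the discussion or from Trivy: the azurerm_storage_account
# network_rules block that the check in the title inspects. Names and address
# ranges are constructed placeholders.

resource "azurerm_resource_group" "example" {
  name     = "rg-storage-example"   # placeholder
  location = "uksouth"
}

# Variant 1: the posture the check expects. Network access is default-deny,
# but trusted Microsoft services may bypass the rules; those requests are then
# authorised by identity (e.g. a managed identity) rather than by network.
resource "azurerm_storage_account" "with_bypass" {
  name                     = "stexamplebypass"   # placeholder, must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
    ip_rules       = ["203.0.113.0/24"]   # documentation range, placeholder
  }
}

# Variant 2: the posture described in the discussion. No service bypass, so
# only the listed networks reach the account whatever identity the caller
# presents. Trivy reports this as the HIGH finding in the title. Where that is
# a deliberate decision, the finding can be suppressed on this resource only
# with an inline ignore comment; <CHECK-ID> is a placeholder for the check's
# AVD identifier, which the discussion does not quote.
#trivy:ignore:<CHECK-ID>
resource "azurerm_storage_account" "no_bypass" {
  name                     = "stexamplenobypass"   # placeholder
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action = "Deny"
    bypass         = ["None"]
    ip_rules       = ["203.0.113.0/24"]
  }
}
```

Running `trivy config` on the directory reports the finding against the second resource unless the ignore comment is present; the first resource is not flagged by this check.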