#storageaccount - Public Fediverse posts
Live and recent posts from across the Fediverse tagged #storageaccount, aggregated by home.social.
-
TIL disabling public access to a storage account does not disable all public access in certain scenarios:
"By design, access to a storage account from trusted services takes the highest precedence over other network access restrictions. If you set **Public network access** to **Disabled** after previously setting it to **Enabled from selected virtual networks and IP addresses**, any resource instances and exceptions that you previously configured, including Allow Azure services on the trusted services list to access this storage account, will remain in effect. As a result, those resources and services might still have access to the storage account." The settings for 'resource instances' and 'exceptions' can be seen in the attached screenshot.
Unfortunately, these settings are not visible any more once Public network access is set to Disabled, which is why it is easy to miss this configuration. This Azure Resource Graph query can help find storage accounts that have public network access disabled but still allow Azure services and/or resource types:
```kusto
resources
| where type =~ 'Microsoft.Storage/storageAccounts'
| where properties.publicNetworkAccess =~ 'Disabled'
// bypass is a comma-separated list (e.g. 'Logging, Metrics, AzureServices'),
// so match the AzureServices term rather than the whole string
| where (array_length(properties.networkAcls.resourceAccessRules) > 0
    or tostring(properties.networkAcls.bypass) has 'AzureServices')
```
#azure #storageaccount #resourcegraph
-
Introducing Microsoft Defender for Cloud Labs
Our labs project helps you get ramped up with Microsoft Defender for Cloud and provides hands-on practical experience for product features, capabilities, and scenarios. The labs are divided into 3 main tracks, a beginner (level 100/200) and an advanced (level 300+) track. The labs contain several modules covering different pillars, from Cloud Security Posture Management (CSPM) to Cloud Workload Protection (CWP). To start using our labs, you will need to create an Azure Trial Subscription, which provides you all capabilities for 30 days, so you have to finish this lab at this point to take advantage of the free trial.
https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Labs
#defender #defenderforcloud #cnapp #cspm #cwp #cwpp #cloudsecurity #multicloud #azure #aws #gcp #microsoft #microsoftsecurity #soc #server #container #storage #dns #api #devops #database #api #github #arc #agentless #storageaccount #mde #vulnerability #mdvm #siem
-
How to secure a Function App?
Secure operation
➡️ Defender for Cloud for assessment of potential configuration-related security vulnerabilities
➡️ Log and monitor: diagnostic settings to configure streaming export of platform logs and metrics
➡️ Require HTTPS
➡️ Securing keys with Azure Key Vault
➡️ Enable App Service Authentication/Authorization
➡️ Use Azure API Management (APIM) to authenticate requests
➡️ Run your function app with the lowest possible permissions
➡️ Store data encrypted
Secure deployment
➡️ Disable FTP
➡️ Secure the scm endpoint
Network security
➡️ Set access restrictions
➡️ Secure the storage account
➡️ Private site access with Azure Private Endpoint
➡️ Deploy your function app in isolation, configuring a Web Application Firewall (WAF) for App Service Environment.
More details: https://learn.microsoft.com/en-us/azure/azure-functions/security-concepts?tabs=v4
#security #azure #cloud #data #management #streaming #functionapp #serverless #waf #appservice #privateendpoint #networksecurity #securedeployment #apim #ftp #keyvault #key #vulnerability #assessment #misconfiguration #encryption #storage #storageaccount #defender #defenderforcloud #cnapp #cspm #cwpp #microsoft #microsoftsecurity #cloudsecurity #cloudnative #siem #monitoring #soc
-
So, here is a #PowerShell #ResourceGraph query to list all storage accounts and their #allowSharedKeyAccess settings:
```powershell
Search-AzGraph -Query "resources | where type =~ 'Microsoft.Storage/storageAccounts' | extend allowSharedKeyAccess = parse_json(properties).allowSharedKeyAccess | project subscriptionId, resourceGroup, name, allowSharedKeyAccess"
```
#Azure #StorageAccount #SharedKeyAccess
Ref: https://learn.microsoft.com/en-gb/azure/storage/common/shared-key-authorization-prevent
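As an added example (not code from any of the posts above), this Python script applies the same two checks offline to records shaped like Azure Resource Graph rows: the first post's residual-access condition (public network access Disabled while a trusted-services bypass or resource instance rule remains, here handling the comma-separated bypass value) and the last post's allowSharedKeyAccess, where an absent value means the default applies. The sample records, names and ids are constructed.

```python
from typing import Any

# Constructed sample records (not real accounts), shaped like Azure Resource Graph
# rows for Microsoft.Storage/storageAccounts; the ids are placeholders.
SAMPLE_ACCOUNTS: list[dict[str, Any]] = [
    {"name": "stexamplea",  # "Disabled", yet the trusted-services bypass is still set
     "properties": {"publicNetworkAccess": "Disabled", "allowSharedKeyAccess": False,
                    "networkAcls": {"bypass": "Logging, Metrics, AzureServices",
                                    "resourceAccessRules": []}}},
    {"name": "stexampleb",  # "Disabled", yet one resource instance rule remains;
     "properties": {       # allowSharedKeyAccess is absent, i.e. left at its default
         "publicNetworkAccess": "Disabled",
         "networkAcls": {"bypass": "None", "resourceAccessRules": [
             {"tenantId": "placeholder-tenant", "resourceId": "placeholder-id"}]}}},
    {"name": "stexamplec",  # fully locked down: no bypass, no rules, no shared key
     "properties": {"publicNetworkAccess": "Disabled", "allowSharedKeyAccess": False,
                    "networkAcls": {"bypass": "None", "resourceAccessRules": []}}},
]

def bypass_terms(acls: dict[str, Any]) -> set[str]:
    """bypass is a comma-separated string such as 'Logging, Metrics, AzureServices',
    so test for the AzureServices term instead of comparing the whole string."""
    raw = str(acls.get("bypass") or "None")
    return {t.strip().lower() for t in raw.split(",") if t.strip()}

def residual_public_paths(account: dict[str, Any]) -> list[str]:
    """Access paths that survive publicNetworkAccess == 'Disabled' (empty if none)."""
    props = account.get("properties") or {}
    if str(props.get("publicNetworkAccess", "Enabled")).lower() != "disabled":
        return []  # out of scope: public access is not disabled at all
    acls = props.get("networkAcls") or {}
    findings = []
    if "azureservices" in bypass_terms(acls):
        findings.append("trusted Azure services bypass")
    rules = acls.get("resourceAccessRules") or []
    if rules:
        findings.append(f"{len(rules)} resource instance rule(s)")
    return findings

def shared_key_status(account: dict[str, Any]) -> str:
    """An absent allowSharedKeyAccess means the default applies, which allows shared key."""
    value = (account.get("properties") or {}).get("allowSharedKeyAccess")
    if value is None:
        return "default (allowed)"
    return "allowed" if value else "disabled"

def audit(accounts: list[dict[str, Any]]) -> dict[str, dict[str, Any]]:
    return {a["name"]: {"residual": residual_public_paths(a),
                        "sharedKey": shared_key_status(a)} for a in accounts}
```

Feed it the rows returned by the queries above (or the full ARM representation) to get one finding record per account.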