Skip to content

Commit

Permalink
Merge pull request #2112 from AkhtarAmir/Azure/Storage-Account-Public…
Browse files Browse the repository at this point in the history 
…-Network-Access

Azure/Storage-Account-Public-Network-Access
  • Loading branch information
@alphadev4
alphadev4 authored Nov 11, 2024
2 parents be0e970 + b4cda5c commit 084b653
Show file tree
Hide file tree
Showing 4 changed files with 163 additions and 1 deletion.
1 change: 1 addition & 0 deletions exports.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -724,6 +724,7 @@ module.exports = {
'queueServiceLoggingEnabled' : require(__dirname + '/plugins/azure/storageaccounts/queueServiceLoggingEnabled.js'),
'tableServiceLoggingEnabled' : require(__dirname + '/plugins/azure/storageaccounts/tableServiceLoggingEnabled.js'),
'blobServiceLoggingEnabled' : require(__dirname + '/plugins/azure/storageaccounts/blobServiceLoggingEnabled.js'),
'storageAccountPublicNetworkAccess': require(__dirname + '/plugins/azure/storageaccounts/storageAccountPublicNetworkAccess.js'),

'blobContainersPrivateAccess' : require(__dirname + '/plugins/azure/blobservice/blobContainersPrivateAccess.js'),
'blobServiceImmutable' : require(__dirname + '/plugins/azure/blobservice/blobServiceImmutable.js'),
Expand Down
2 changes: 1 addition & 1 deletion helpers/azure/api.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -197,7 +197,7 @@ var calls = {
},
storageAccounts: {
list: {
url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Storage/storageAccounts?api-version=2019-06-01',
url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Storage/storageAccounts?api-version=2023-05-01',
rateLimit: 3000
}
},
Expand Down
54 changes: 54 additions & 0 deletions plugins/azure/storageaccounts/storageAccountPublicNetworkAccess.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
var async = require('async');
var helpers = require('../../../helpers/azure/');

module.exports = {
title: 'Storage Account Public Network Access',
category: 'Storage Accounts',
domain: 'Storage',
severity: 'Medium',
description: 'Ensures that Public Network Access is disabled for storage accounts.',
more_info: 'Disabling public network access for Azure storage accounts enhances security by blocking anonymous access to data in containers and blobs. This restriction ensures that only trusted network sources can access the storage, reducing the risk of unauthorized access and data exposure.',
recommended_action: 'Modify storage accounts and disable Public Network Access.',
link: 'https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security',
apis: ['storageAccounts:list'],
realtime_triggers: ['microsoftstorage:storageaccounts:write', 'microsoftstorage:storageaccounts:delete'],

run: function(cache, settings, callback) {
var results = [];
var source = {};
var locations = helpers.locations(settings.govcloud);

async.each(locations.storageAccounts, function(location, rcb) {
var storageAccount = helpers.addSource(cache, source,
['storageAccounts', 'list', location]);

if (!storageAccount) return rcb();

if (storageAccount.err || !storageAccount.data) {
helpers.addResult(results, 3,
'Unable to query for Storage Accounts: ' + helpers.addError(storageAccount), location);
return rcb();
}

if (!storageAccount.data.length) {
helpers.addResult(results, 0, 'No storage accounts found', location);
return rcb();
}

for (let account of storageAccount.data) {
if (!account.id) continue;

if (account.publicNetworkAccess && (account.publicNetworkAccess.toLowerCase() == 'disabled' || account.publicNetworkAccess.toLowerCase() == 'securedbyperimeter')){
helpers.addResult(results, 0, 'Storage account has public network access disabled', location, account.id);
} else {
helpers.addResult(results, 2, 'Storage account does not have public network access disabled', location, account.id);
}
}

rcb();
}, function() {
// Global checking goes here
callback(null, results, source);
});
}
};
107 changes: 107 additions & 0 deletions plugins/azure/storageaccounts/storageAccountPublicNetworkAccess.spec.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
var expect = require('chai').expect;
var storageAccountPublicNetworkAccess = require('./storageAccountPublicNetworkAccess');

const storageAccounts = [
{
'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Storage/storageAccounts/acc',
'location': 'eastus',
'name': 'acc',
'tags': { 'key': 'value' },
"publicNetworkAccess": "Disabled"
},
{
'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Storage/storageAccounts/acc',
'location': 'eastus',
'name': 'acc',
'tags': {},
"publicNetworkAccess": "Enabled"
},
{
'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Storage/storageAccounts/acc',
'location': 'eastus',
'name': 'acc',
'tags': {},
"publicNetworkAccess": "SecuredByPerimeter"
}
];

const createCache = (storageAccounts) => {
return {
storageAccounts: {
list: {
'eastus': {
data: storageAccounts
}
}
}
};
};

const createErrorCache = () => {
return {
storageAccounts: {
list: {
'eastus': {}
}
}
};
};

describe('storageAccountPublicNetworkAccess', function() {
describe('run', function() {
it('should give passing result if no storage accounts', function(done) {
const cache = createCache([]);
storageAccountPublicNetworkAccess.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(0);
expect(results[0].message).to.include('No storage accounts found');
expect(results[0].region).to.equal('eastus');
done();
});
});

it('should give unknown result if unable to query for storage accounts', function(done) {
const cache = createErrorCache();
storageAccountPublicNetworkAccess.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(3);
expect(results[0].message).to.include('Unable to query for Storage Accounts');
expect(results[0].region).to.equal('eastus');
done();
});
});

it('should give passing result if Storage account has public network access disabled', function(done) {
const cache = createCache([storageAccounts[0]]);
storageAccountPublicNetworkAccess.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(0);
expect(results[0].message).to.include('Storage account has public network access disabled');
expect(results[0].region).to.equal('eastus');
done();
});
});

it('should give failing result if Storage account does not have public network access disabled', function(done) {
const cache = createCache([storageAccounts[1]]);
storageAccountPublicNetworkAccess.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(2);
expect(results[0].message).to.include('Storage account does not have public network access disabled');
expect(results[0].region).to.equal('eastus');
done();
});
});

it('should give failing result if Storage account has public network access secured by perimeter', function(done) {
const cache = createCache([storageAccounts[2]]);
storageAccountPublicNetworkAccess.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(0);
expect(results[0].message).to.include('Storage account has public network access disabled');
expect(results[0].region).to.equal('eastus');
done();
});
});
});
});

0 comments on commit 084b653

Please sign in to comment.