terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass
Author: unknown
Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules (IP rules or virtual network rules). To let those services work as intended, allow the set of trusted Microsoft services to bypass the network rules by including "AzureServices" in the bypass list, either in the network_rules block of an azurerm_storage_account or in a standalone azurerm_storage_account_network_rules resource. Two caveats for practitioners: the bypass only has an effect when default_action is "Deny" (with "Allow" the network rules restrict nothing, and this rule does not inspect default_action, so it still flags a bypass list without "AzureServices" in that case), and the bypass is a network-layer exception only; a trusted service still has to authenticate and be authorized to the account, so enabling it does not open the account to arbitrary callers.
Definition
rules:
  - id: storage-allow-microsoft-service-bypass
    message: Some Microsoft services that interact with storage accounts operate
      from networks that can't be granted access through network rules. To help
      this type of service work as intended, allow the set of trusted Microsoft
      services to bypass the network rules.
    patterns:
      - pattern-not-inside: |
          resource "azurerm_storage_account" "..." {
            ...
            network_rules {
              ...
              bypass = ["...", "AzureServices"]
              ...
            }
            ...
          }
      - pattern-not-inside: |
          resource "azurerm_storage_account_network_rules" "..." {
            ...
            bypass = ["...", "AzureServices"]
            ...
          }
      - pattern-either:
          - pattern-inside: |
              resource "azurerm_storage_account_network_rules" "..." {
                ...
                bypass = [$ANYTHING]
                ...
              }
          - pattern-inside: |
              resource "azurerm_storage_account" "..." {
                ...
                network_rules {
                  ...
                  bypass = [$ANYTHING]
                  ...
                }
                ...
              }
    metadata:
      cwe:
        - "CWE-284: Improper Access Control"
      category: security
      technology:
        - terraform
        - azure
      references:
        - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass
        - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#bypass
        - https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING
Examples
storage-allow-microsoft-service-bypass.tf
# pass
# default_action = "Deny" makes the bypass list meaningful; "AzureServices" keeps trusted Microsoft services reachable.
resource "azurerm_storage_account" "good_example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action             = "Deny"
    ip_rules                   = ["100.0.0.1"]
    virtual_network_subnet_ids = [azurerm_subnet.example.id]
    bypass                     = ["Metrics", "AzureServices"]
  }

  tags = {
    environment = "staging"
  }
}

# Passes because "AzureServices" is in the bypass list; the rule does not look at
# default_action, so the "Allow" here is not what makes this a pass.
resource "azurerm_storage_account_network_rules" "test" {
  resource_group_name        = azurerm_resource_group.test.name
  storage_account_name       = azurerm_storage_account.test.name
  default_action             = "Allow"
  ip_rules                   = ["127.0.0.1"]
  virtual_network_subnet_ids = [azurerm_subnet.test.id]
  bypass                     = ["Metrics", "AzureServices"]
}

# fail
# Explicit bypass list without "AzureServices": with default_action = "Deny",
# trusted Microsoft services are blocked at the network layer.
# ruleid: storage-allow-microsoft-service-bypass
resource "azurerm_storage_account" "bad_example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action             = "Deny"
    ip_rules                   = ["100.0.0.1"]
    virtual_network_subnet_ids = [azurerm_subnet.example.id]
    bypass                     = ["Metrics"]
  }

  tags = {
    environment = "staging"
  }
}

# Flagged for the same reason even though default_action = "Allow" means the
# rules currently restrict nothing; fix both the bypass list and default_action.
# ruleid: storage-allow-microsoft-service-bypass
resource "azurerm_storage_account_network_rules" "test" {
  resource_group_name        = azurerm_resource_group.test.name
  storage_account_name       = azurerm_storage_account.test.name
  default_action             = "Allow"
  ip_rules                   = ["127.0.0.1"]
  virtual_network_subnet_ids = [azurerm_subnet.test.id]
  bypass                     = ["Metrics"]
}
Short Link: https://sg.run/WpX4