terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny

Author: unknown
Detected an Azure Storage account network rule set that is not configured to deny access by default. Add `default_action = "Deny"` to your `azurerm_storage_account_network_rules` resource block. Note that the rule below only matches a standalone `azurerm_storage_account_network_rules` resource whose `default_action` is explicitly `"Allow"`; an inline `network_rules` block inside an `azurerm_storage_account` resource is not inspected by this rule.

Definition

rules:
  - id: storage-default-action-deny
    message: Detected a Storage that was not configured to deny action by default.
      Add `default_action = "Deny"` in your resource block.
    patterns:
      - pattern: resource
      - pattern-not-inside: |
          resource "azurerm_storage_account_network_rules" "..." {
          ...
            default_action = "Deny"
          ...
          }
      - pattern-inside: |
          resource "azurerm_storage_account_network_rules" "..." {
          ...
            default_action = "Allow"
          ...
          }
    metadata:
      cwe:
        - "CWE-16: CWE CATEGORY: Configuration"
      category: security
      technology:
        - terraform
        - azure
      references:
        - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action
        - https://docs.microsoft.com/en-us/azure/firewall/rule-processing
      owasp:
        - A06:2017 - Security Misconfiguration
        - A05:2021 - Security Misconfiguration
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other
    languages:
      - hcl
    severity: ERROR

Examples

storage-default-action-deny.tf

# pass
resource "azurerm_storage_account_network_rules" "good_example" {
  default_action             = "Deny"
  ip_rules                   = ["127.0.0.1"]
  virtual_network_subnet_ids = [azurerm_subnet.test.id]
  bypass                     = ["Metrics"]
}
# fail

# ruleid: storage-default-action-deny
resource "azurerm_storage_account_network_rules" "bad_example" {
  default_action             = "Allow"
  ip_rules                   = ["127.0.0.1"]
  virtual_network_subnet_ids = [azurerm_subnet.test.id]
  bypass                     = ["Metrics"]
}
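The following is an added example, not the Semgrep rule itself and not code from the Semgrep project. It is a small standalone checker that applies the same "default action must be Deny" logic to Terraform text, and it deliberately goes one step beyond the registry rule: in addition to the standalone azurerm_storage_account_network_rules resource it also inspects the inline network_rules block of azurerm_storage_account, which the rule above does not examine. The sample Terraform is constructed for the example (it reuses the two resources from the test file above plus two hypothetical azurerm_storage_account resources), and the parsing is a simplification (brace matching over the raw text, with no awareness of strings or comments), which is enough for ordinary .tf files but is not a real HCL parser.

```python
"""Added example: a minimal checker for Azure Storage network rules whose
default_action is not "Deny". Not the Semgrep rule; see the lead-in."""
import re

# A resource header: resource "<type>" "<name>" {
RESOURCE_RE = re.compile(r'resource\s+"([\w-]+)"\s+"([\w-]+)"\s*\{')
# default_action = "<value>" inside a block body
DEFAULT_ACTION_RE = re.compile(r'\bdefault_action\s*=\s*"(\w+)"')
# The inline network_rules { ... } block of azurerm_storage_account
NETWORK_RULES_RE = re.compile(r'\bnetwork_rules\s*\{')


def block_body(text, open_brace):
    """Return (body, index_of_closing_brace) for the block whose '{' sits at
    open_brace. Simplified: braces inside strings/comments are not skipped."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i], i
    raise ValueError("unbalanced braces in Terraform input")


def check_default_action(body, address):
    """Return a finding string for this block, or None if it is acceptable."""
    m = DEFAULT_ACTION_RE.search(body)
    if m is None:
        # Conservative choice: a missing default_action is reported too,
        # since the checker does not assume any safe provider default.
        return f"{address}: default_action is not set"
    if m.group(1) != "Deny":
        return f'{address}: default_action = "{m.group(1)}" (expected "Deny")'
    return None


def find_findings(hcl):
    """Scan Terraform text and return a list of findings (empty if clean)."""
    findings = []
    for m in RESOURCE_RE.finditer(hcl):
        rtype, name = m.group(1), m.group(2)
        body, _ = block_body(hcl, m.end() - 1)  # m.end()-1 is the '{'
        address = f"{rtype}.{name}"
        if rtype == "azurerm_storage_account_network_rules":
            finding = check_default_action(body, address)
            if finding:
                findings.append(finding)
        elif rtype == "azurerm_storage_account":
            nr = NETWORK_RULES_RE.search(body)
            if nr is None:
                continue  # no inline network_rules block: out of scope here
            nr_body, _ = block_body(body, nr.end() - 1)
            finding = check_default_action(nr_body, address + ".network_rules")
            if finding:
                findings.append(finding)
    return findings


# Constructed sample input: the two resources from the test file above plus
# two hypothetical azurerm_storage_account resources with inline rules.
SAMPLE = '''
resource "azurerm_storage_account_network_rules" "good_example" {
  default_action             = "Deny"
  ip_rules                   = ["127.0.0.1"]
  virtual_network_subnet_ids = [azurerm_subnet.test.id]
  bypass                     = ["Metrics"]
}

resource "azurerm_storage_account_network_rules" "bad_example" {
  default_action             = "Allow"
  ip_rules                   = ["127.0.0.1"]
  virtual_network_subnet_ids = [azurerm_subnet.test.id]
  bypass                     = ["Metrics"]
}

resource "azurerm_storage_account" "inline_allow" {
  name                     = "examplestorage1"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action = "Allow"
    bypass         = ["AzureServices"]
  }
}

resource "azurerm_storage_account" "inline_deny" {
  name                     = "examplestorage2"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
    ip_rules       = ["203.0.113.10"]
  }
}
'''

if __name__ == "__main__":
    for line in find_findings(SAMPLE):
        print(line)
```

Run as a script it reports bad_example and inline_allow and stays silent on the two Deny configurations; the Semgrep rule above would report only bad_example, because the inline block is outside its pattern.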