terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny
semgrep
Author
unknown
Download Count*
License
Detected a Storage that was not configured to deny action by default. Add default_action = "Deny"
in your resource block.
Run Locally
Run in CI
Defintion
rules:
- id: storage-default-action-deny
message: Detected a Storage that was not configured to deny action by default.
Add `default_action = "Deny"` in your resource block.
patterns:
- pattern: resource
- pattern-not-inside: |
resource "azurerm_storage_account_network_rules" "..." {
...
default_action = "Deny"
...
}
- pattern-inside: |
resource "azurerm_storage_account_network_rules" "..." {
...
default_action = "Allow"
...
}
metadata:
cwe:
- "CWE-16: CWE CATEGORY: Configuration"
category: security
technology:
- terraform
- azure
references:
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action
- https://docs.microsoft.com/en-us/azure/firewall/rule-processing
owasp:
- A06:2017 - Security Misconfiguration
- A05:2021 - Security Misconfiguration
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Other
languages:
- hcl
severity: ERROR
Examples
storage-default-action-deny.tf
# pass
resource "azurerm_storage_account_network_rules" "good_example" {
default_action = "Deny"
ip_rules = ["127.0.0.1"]
virtual_network_subnet_ids = [azurerm_subnet.test.id]
bypass = ["Metrics"]
}
# fail
# ruleid: storage-default-action-deny
resource "azurerm_storage_account_network_rules" "bad_example" {
default_action = "Allow"
ip_rules = ["127.0.0.1"]
virtual_network_subnet_ids = [azurerm_subnet.test.id]
bypass = ["Metrics"]
}
Short Link: https://sg.run/WpN4