
The default action on Storage account network rules should be set to deny

Explanation

The default_action of a storage account's network rules takes effect whenever a request matches none of the explicit ip_rules or virtual_network_subnet_ids entries.

The default action should be set to Deny, so that any request not explicitly allowed by those rules is rejected rather than admitted.

Insecure Example

The following example will fail the AZU012 check.

resource "azurerm_storage_account_network_rules" "bad_example" {
  # storage_account_id is required by the provider; the referenced
  # azurerm_storage_account.example resource is assumed and not shown on this page
  storage_account_id         = azurerm_storage_account.example.id
  default_action             = "Allow" # unmatched requests are admitted
  ip_rules                   = ["127.0.0.1"]
  virtual_network_subnet_ids = [azurerm_subnet.test.id]
  bypass                     = ["Metrics"]
}

Secure Example

The following example will pass the AZU012 check.

resource "azurerm_storage_account_network_rules" "good_example" {
  # storage_account_id is required by the provider; the referenced
  # azurerm_storage_account.example resource is assumed and not shown on this page
  storage_account_id         = azurerm_storage_account.example.id
  default_action             = "Deny" # unmatched requests are rejected
  ip_rules                   = ["127.0.0.1"]
  virtual_network_subnet_ids = [azurerm_subnet.test.id]
  bypass                     = ["Metrics"]
}
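The following is an added example, not part of this page or of the tfsec project, showing the kind of check AZU012 performs: it scans Terraform source for storage account network rules whose default_action is not "Deny". It covers both the standalone azurerm_storage_account_network_rules resource used in the examples above and, going slightly beyond the page, the network_rules block nested inside azurerm_storage_account. The sample Terraform text is constructed for the example; the storage_account_id and resource_group references in it are assumed names.

```python
import re

# Constructed sample input: the page's two examples plus a storage account with an
# inline network_rules block. Resource references (azurerm_storage_account.example,
# azurerm_resource_group.example) are assumed names, not real infrastructure.
SAMPLE_TF = '''
resource "azurerm_storage_account_network_rules" "bad_example" {
  storage_account_id         = azurerm_storage_account.example.id
  default_action             = "Allow"
  ip_rules                   = ["127.0.0.1"]
  bypass                     = ["Metrics"]
}

resource "azurerm_storage_account_network_rules" "good_example" {
  storage_account_id         = azurerm_storage_account.example.id
  default_action             = "Deny"
  ip_rules                   = ["127.0.0.1"]
  bypass                     = ["Metrics"]
}

resource "azurerm_storage_account" "inline" {
  name                     = "examplestorage"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = "westeurope"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  network_rules {
    default_action = "Allow"
    bypass         = ["AzureServices"]
  }
}
'''

RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
NETWORK_RULES_RE = re.compile(r'network_rules\s*\{')
DEFAULT_ACTION_RE = re.compile(r'default_action\s*=\s*"([^"]*)"')


def iter_resource_blocks(text):
    """Yield (resource_type, resource_name, body) for each resource block.

    Brace matching is deliberately simple (it does not track braces inside
    strings), which is enough for ordinary hand-written Terraform."""
    for match in RESOURCE_RE.finditer(text):
        depth = 1
        pos = match.end()
        while pos < len(text) and depth:
            if text[pos] == "{":
                depth += 1
            elif text[pos] == "}":
                depth -= 1
            pos += 1
        yield match.group(1), match.group(2), text[match.end():pos - 1]


def default_action_of(body):
    """Return the quoted default_action value in a block body, or None if absent."""
    match = DEFAULT_ACTION_RE.search(body)
    return match.group(1) if match else None


def check_default_action(text):
    """Return (resource_address, finding) pairs for storage network rules that
    do not default to Deny. Both the standalone rules resource and the
    network_rules block nested in azurerm_storage_account are inspected."""
    findings = []
    for rtype, rname, body in iter_resource_blocks(text):
        address = f"{rtype}.{rname}"
        if rtype == "azurerm_storage_account_network_rules":
            action = default_action_of(body)
        elif rtype == "azurerm_storage_account":
            nested = NETWORK_RULES_RE.search(body)
            if nested is None:
                # No inline rules block here; the rules may live in a separate
                # azurerm_storage_account_network_rules resource, checked above.
                continue
            action = default_action_of(body[nested.end():])
        else:
            continue
        if action is None:
            findings.append((address, "default_action not set"))
        elif action.lower() != "deny":  # case-insensitive so "allow" is caught too
            findings.append((address, f'default_action is "{action}"'))
    return findings


if __name__ == "__main__":
    for address, finding in check_default_action(SAMPLE_TF):
        print(f"{address}: {finding}")
```

Run against the constructed sample, the script reports bad_example and the inline storage account and stays silent on good_example. Pointing it at real .tf files only needs reading the file contents into the text argument; it is a teaching aid for what the rule looks for, not a replacement for running tfsec itself.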