Severity : Critical
Description: This control ensures that the default network access rule for Storage accounts is set to Deny. By default a storage account accepts traffic from clients on any network, including the public internet; setting the default rule to Deny restricts access to the virtual networks and IP address ranges that have been explicitly allowed in the account's network rules.
Remediation Steps:
Perform the following to set the default network access rule of each Storage account to Deny:
Login to Azure Portal using https://portal.azure.com.
...
Navigate to the Storage accounts service.
For each storage account, open Settings > Networking (labelled Firewalls and virtual networks in older versions of the portal).
Under Allow access from, select Selected networks (in newer portal versions, the option allowing public access only from selected virtual networks and IP addresses), add the required virtual networks and IP address ranges, and click Save. This sets the account's default rule to Deny.
Important:
Because the Deny rule drops all unmatched traffic, add specific network rules allowing the virtual networks and IP address ranges of every client that needs the account before (or together with) switching the default to Deny. Otherwise the change may disrupt the service. The Deny rule also applies to data-plane access from the Azure portal and client tools when the connecting address is not allowed.
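The same control, audited and remediated from the Azure CLI rather than the portal, as an added example that is not part of the original page or of the CIS benchmark. The script parses the JSON that `az storage account list` returns (only the `name`, `resourceGroup` and `networkRuleSet` fields are used), reports accounts whose `defaultAction` is not `Deny`, and builds the matching `az storage account update --default-action Deny` command for each. Accounts that have no IP or virtual-network allow rules yet are flagged for review instead of blindly denied, which is the caveat from the Important note above. The sample JSON and account names are constructed for the example; run the real command and pipe its output into `load_accounts` to audit a subscription.

```python
import json
import subprocess

# Constructed sample in the shape returned by `az storage account list`
# (only the fields this check uses). Account names and IDs are hypothetical.
SAMPLE_AZ_OUTPUT = json.dumps([
    {
        "name": "stprodlogs",
        "resourceGroup": "rg-prod",
        "networkRuleSet": {
            "bypass": "AzureServices",
            "defaultAction": "Allow",
            "ipRules": [],
            "virtualNetworkRules": [],
        },
    },
    {
        "name": "stprodapp",
        "resourceGroup": "rg-prod",
        "networkRuleSet": {
            "bypass": "AzureServices",
            "defaultAction": "Allow",
            "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
            "virtualNetworkRules": [],
        },
    },
    {
        "name": "stdevscratch",
        "resourceGroup": "rg-dev",
        "networkRuleSet": {
            "bypass": "AzureServices",
            "defaultAction": "Deny",
            "ipRules": [],
            "virtualNetworkRules": [{
                "action": "Allow",
                "virtualNetworkResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                "/resourceGroups/rg-dev/providers/Microsoft.Network/virtualNetworks/vnet-dev"
                "/subnets/snet-app",
            }],
        },
    },
])


def load_accounts(az_json_text):
    """Parse the JSON list printed by `az storage account list`."""
    return json.loads(az_json_text)


def find_noncompliant(accounts):
    """Accounts whose default network action is anything other than Deny."""
    return [a for a in accounts
            if a.get("networkRuleSet", {}).get("defaultAction") != "Deny"]


def has_allow_rules(account):
    """True if the account already allows at least one IP range or subnet."""
    rule_set = account.get("networkRuleSet", {})
    return bool(rule_set.get("ipRules") or rule_set.get("virtualNetworkRules"))


def remediation_commands(accounts):
    """Build one `az storage account update` per non-compliant account.

    Accounts with no allow rules are prefixed with a review marker: flipping
    them to Deny now would block every client, so allow rules must be added
    first (e.g. `az storage account network-rule add --ip-address ...`).
    """
    commands = []
    for acct in find_noncompliant(accounts):
        cmd = (f"az storage account update --name {acct['name']} "
               f"--resource-group {acct['resourceGroup']} --default-action Deny")
        if not has_allow_rules(acct):
            cmd = "# REVIEW FIRST (no allow rules configured): " + cmd
        commands.append(cmd)
    return commands


def audit_subscription():
    """Run the real CLI (requires `az login`) and audit the live subscription."""
    out = subprocess.run(["az", "storage", "account", "list", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return remediation_commands(load_accounts(out))


if __name__ == "__main__":
    for line in remediation_commands(load_accounts(SAMPLE_AZ_OUTPUT)):
        print(line)
```

`--default-action Deny` changes only the default rule; existing IP and virtual-network rules and the `bypass` setting (trusted Azure services) are left as they are, so the commands can be reviewed and run one account at a time.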
Reference:
CIS Microsoft Azure Foundations Benchmark v1.3.0 (02-01-2021): Recommendation 3.6
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security