Severity : High
Description:
...
This control ensures that Trusted Microsoft Services' is enabled for Storage Account access. To help some MS services to interact with storage account, it is require to bypass the network rules. These services will use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, services like Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse are granted access to the storage account.
Remediation Steps:
Perform following to all MS services to access storage account :
...
Login to Azure Portal using https://portal.azure.com.
Go to Storage Accounts.
For each storage account, click on the Networking under Settings.
Go to Firewalls and virtual networks.
Ensure that you have elected to allow access from Selected networks.
Enable check box for Allow trusted Microsoft services to access this storage account.
Click Save.
Important:
Reference:
CIS Microsoft Azure Foundations Benchmark v1.3.0 - 02-01-2021 : Recommendation #3.7
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security