Azure-NetworkSecurityGroups-Default-Security-Group

Severity : Critical

Description: This control ensures that default network security group have access rule for Storage accounts is set to deny. The default security group is often used for resources launched without a defined security group.

Remediation Steps:

Perform following to Remove all non-required guest users :

1. Login to Azure Portal using https://portal.azure.com.

2. Navigate to Network Security groups service

3. For each account/resource group, select security group.

4. Add a default rule in the group to deny all access .

Important:

• Since the deny rule will drop all the unmatched traffic, Make sure to add specific network rules to allow traffic from all required resources. Otherwise, adding a deny rule may disrupt the service.

Reference:

• Azure Foundations Benchmark v1.3.0 - 02-01-2021 : Recommendation #3.6

• https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security