Storage accounts should restrict network access using virtual network rules: Doesn't check if PublicNetworkAccess is disabled
Details of the scenario you tried and the problem that is occurring
Rule name: Storage accounts should restrict network access using virtual network rules
Path in repo: built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json
Problem description:
We have some storage accounts that first had PublicNetworkAccess enabled with the setting "Enabled from selected virtual networks and IP addresses". They used the Firewall for IP ranges. Later they set PublicNetworkAccess to Disabled without removing the Firewall entries first.
Since the policy only checks if a Firewall Rule exists, Defender for Cloud opens a recommendation that is a false positive.
Verbose logs showing the problem
N/A
Suggested solution to the issue
If the field "PublicNetworkAccess" is set to "Disabled", don't check for the existence of firewall rules.
If policy is Guest Configuration - details about target node
N/A
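As an added illustration (not code from this issue or from the azure-policy repository), the following Python script evaluates a simplified Azure Policy-style condition tree against constructed storage account records and compares the current firewall-only check with the change suggested above. The alias names (`publicNetworkAccess`, `networkAcls.defaultAction`, `networkAcls.ipRules[*]`) are real Azure Policy aliases; the condition trees are a simplified reconstruction of the check the issue describes, not the repository's actual `policyRule`, and the account records, address ranges and subnet id are constructed placeholders.

```python
"""Toy evaluator for Azure Policy-style conditions (added example).

Compares the current firewall-only check with the shape suggested in the issue:
exempt accounts whose publicNetworkAccess is Disabled. Aliases are real Azure
Policy aliases; condition trees and sample accounts are simplified constructions.
"""
from typing import Any

ALIAS_PREFIX = "Microsoft.Storage/storageAccounts/"
ALIAS_PUBLIC_ACCESS = ALIAS_PREFIX + "publicNetworkAccess"
ALIAS_DEFAULT_ACTION = ALIAS_PREFIX + "networkAcls.defaultAction"
ALIAS_IP_RULES = ALIAS_PREFIX + "networkAcls.ipRules[*]"

# Firewall-only check (simplified reconstruction of what the issue describes):
# flag the account if the default action is not Deny or if any IP rule exists.
FIREWALL_CHECK = {
    "anyOf": [
        {"field": ALIAS_DEFAULT_ACTION, "notEquals": "Deny"},
        {"count": {"field": ALIAS_IP_RULES}, "greater": 0},
    ]
}

# Current shape: the firewall check applies to every storage account.
ORIGINAL_IF = {
    "allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        FIREWALL_CHECK,
    ]
}

# Suggested shape: accounts with publicNetworkAccess Disabled are exempt, since
# leftover firewall entries are unreachable once the public endpoint is off.
# A missing property is "not Disabled", so older accounts are still checked.
SUGGESTED_IF = {
    "allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": ALIAS_PUBLIC_ACCESS, "notEquals": "Disabled"},
        FIREWALL_CHECK,
    ]
}


def get_field(resource: dict, field: str) -> Any:
    """Resolve 'type' or a storageAccounts alias against a constructed resource.
    A '[*]' segment returns the list (or [] when absent); a missing scalar is None."""
    if field == "type":
        return resource.get("type")
    node: Any = resource.get("properties", {})
    for part in field.removeprefix(ALIAS_PREFIX).split("."):
        is_array = part.endswith("[*]")
        key = part[:-3] if is_array else part
        node = node.get(key) if isinstance(node, dict) else None
        if is_array:
            return node if isinstance(node, list) else []
    return node


def _eq(a: Any, b: Any) -> bool:
    """Azure Policy compares strings case-insensitively."""
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b


def evaluate(cond: dict, resource: dict) -> bool:
    """Evaluate a condition tree (allOf / anyOf / field / count) for one resource."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    value = (len(get_field(resource, cond["count"]["field"]))
             if "count" in cond else get_field(resource, cond["field"]))
    if "equals" in cond:
        return _eq(value, cond["equals"])
    if "notEquals" in cond:
        return not _eq(value, cond["notEquals"])
    if "greater" in cond:
        return value > cond["greater"]
    raise ValueError(f"unsupported condition: {cond}")


def is_non_compliant(policy_if: dict, resource: dict) -> bool:
    """With an audit effect, a resource that matches the 'if' block is reported."""
    return evaluate(policy_if, resource)


def _account(public_access: str, default_action: str, ip_rules: list, vnet_rules: list) -> dict:
    """Build a constructed storage account record with the fields the checks read."""
    return {
        "type": "Microsoft.Storage/storageAccounts",
        "properties": {
            "publicNetworkAccess": public_access,
            "networkAcls": {
                "defaultAction": default_action,
                "ipRules": [{"value": r, "action": "Allow"} for r in ip_rules],
                "virtualNetworkRules": [{"id": v} for v in vnet_rules],
            },
        },
    }


# Constructed samples (documentation address range, placeholder subnet id).
SAMPLE_ACCOUNTS = {
    # The scenario from the issue: public access turned off, old IP rules left behind.
    "stale-firewall-public-disabled": _account("Disabled", "Deny", ["203.0.113.0/24"], []),
    "ip-firewall-public-enabled": _account("Enabled", "Deny", ["203.0.113.0/24"], []),
    "vnet-rules-only": _account("Enabled", "Deny", [], ["/subscriptions/<sub>/.../subnets/app"]),
    "default-allow": _account("Enabled", "Allow", [], []),
}


def compare() -> dict:
    """Return {name: (flagged_by_original, flagged_by_suggested)} for each sample."""
    return {name: (is_non_compliant(ORIGINAL_IF, a), is_non_compliant(SUGGESTED_IF, a))
            for name, a in SAMPLE_ACCOUNTS.items()}


if __name__ == "__main__":
    for name, (orig, suggested) in compare().items():
        print(f"{name:32s} original={orig!s:5s} suggested={suggested}")
```

Running it shows the first sample flagged only by the original shape (the false positive from the report), the account with live IP rules and the default-Allow account flagged by both, and the VNet-rules-only account flagged by neither.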