Terraform Default Action Allow

Description

Detects Azure Storage Accounts in Terraform configurations whose network rules use a permissive default action (`default_action = "Allow"`), which permits access from any network. Unless specific network rules restrict it, this can expose storage data to unauthorized access from the internet.

Weakness:

157 - Unrestricted access between network segments

Category: Access Subversion

Detection Strategy

    Identify Azure Storage Account resources in Terraform configurations

    Check if network rules are configured with default_action set to 'Allow'

    Check if storage account network rules enable public network access

    Report a vulnerability when storage accounts allow unrestricted network access by default

Vulnerable code example

resource "azurerm_storage_account" "vulnerable" {
  name                = "mystorageaccount"
  resource_group_name = "myresourcegroup"
  location            = "eastus"

  network_rules {
    default_action = "Allow"  # SECURITY ISSUE: Allows access from all networks by default
  }...

✅ Secure code example

resource "azurerm_storage_account" "secure" {
  name                      = "mystorageaccount"
  resource_group_name       = "myresourcegroup"
  location                  = "eastus"

  network_rules {
    default_action = "Deny"  # Secure: Block all networks by default, explicitly allow needed ones
    bypass         = ["AzureServices"]  # Allow trusted Azure services to access...
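As an added example that is not part of this rule page, the detection strategy above implemented as a small Python check over a constructed Terraform snippet. It goes one step beyond the listed strategy by also flagging storage accounts that declare no network_rules block at all, since Azure's default in that case is to allow all networks; resource names and the sample configuration are constructed.

```python
import re

# Constructed sample Terraform configuration (not from the rule page):
# one permissive account, one restricted account, one with no rules at all.
SAMPLE_TF = '''
resource "azurerm_storage_account" "vulnerable" {
  name = "storage1"
  network_rules {
    default_action = "Allow"
  }
}
resource "azurerm_storage_account" "secure" {
  name = "storage2"
  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
  }
}
resource "azurerm_storage_account" "unspecified" {
  name = "storage3"
}
'''

# Matches the header of each azurerm_storage_account resource up to its opening brace.
RESOURCE_RE = re.compile(r'resource\s+"azurerm_storage_account"\s+"([^"]+)"\s*\{')
# Matches default_action inside a network_rules block (lists use [], so no nested braces).
DEFAULT_ACTION_RE = re.compile(r'network_rules\s*\{[^}]*?default_action\s*=\s*"(\w+)"', re.S)


def _block_body(text, start):
    """Return the text between the brace at `start` and its matching closing brace."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in Terraform configuration")


def find_permissive_storage_accounts(hcl):
    """Return {resource_name: reason} for accounts whose default network access is Allow."""
    findings = {}
    for m in RESOURCE_RE.finditer(hcl):
        name = m.group(1)
        body = _block_body(hcl, m.end() - 1)  # m.end() - 1 is the index of '{'
        action = DEFAULT_ACTION_RE.search(body)
        if action is None:
            findings[name] = "no network_rules block (Azure default is Allow)"
        elif action.group(1).lower() == "allow":
            findings[name] = 'network_rules.default_action = "Allow"'
    return findings
```

Running `find_permissive_storage_accounts(SAMPLE_TF)` reports `vulnerable` and `unspecified` and leaves `secure` untouched.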