Forum Discussion

RyanStevenson
Copper Contributor
Mar 16, 2020

Limit which storage accounts which can be written to for a subscription

Would like to have a feature where we can set a policy that only a specific list of storage accounts can be written to from a subscription. Example: a VM within the virtual network, no matter who is logged in, can only access specific storage accounts when in that subscription.

3 Replies

  • RyanStevenson
    Copper Contributor

    @RyanStevenson This would also be for any service within a subscription. The reason for this request is we want to say that no one could create a storage account in another subscription and, through a VM or any other service, write to that storage account and exfiltrate data.

    • Klaas Langhout
      Microsoft

      @RyanStevenson, I can see the value of providing this. We currently provide AAD authentication (including for MSI), as well as VNET and firewall security (where VMs could be added to a VNET to provide access to a storage account), which isn't as simple as your request. I'll add this for consideration with the right PMs in storage. Thanks, Klaas, Azure Storage
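The VNET and firewall controls Klaas describes live on the storage-account side: each account has a network rule set with a default action and a list of allowed VNet subnets. The script below is an added example, not code from this thread or from Microsoft, that audits that rule set so a team can check which accounts are actually locked to their own subnets. It reads JSON in the shape that `az storage account show` emits (the key names `networkRuleSet`, `defaultAction`, `ipRules`, `virtualNetworkRules` and `virtualNetworkResourceId` are assumed to match the CLI's output); the two accounts and the subnet resource ID are constructed for illustration. Note that this only hardens the accounts you own; as the reply points out, it does not stop a VM from writing to an account someone created in another subscription, which is the gap the original request is about.

```python
"""Audit storage-account network rules from `az storage account show`-style JSON.

Added example (hypothetical audit script, not from the thread or Azure docs).
Reports accounts whose firewall is not restricted to an expected set of
virtual-network subnets. Input below is constructed; the key names are
assumed to match the Azure CLI output shape.
"""
import json

# Constructed subnet resource ID used as the "expected" allow-listed subnet.
EXPECTED_SUBNET_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
    "/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/subnet-app"
)

# Constructed sample: one account open to any network, one locked to the subnet above.
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {
        "name": "openaccount",
        "networkRuleSet": {
            "bypass": "AzureServices",
            "defaultAction": "Allow",
            "ipRules": [],
            "virtualNetworkRules": [],
        },
    },
    {
        "name": "lockedaccount",
        "networkRuleSet": {
            "bypass": "None",
            "defaultAction": "Deny",
            "ipRules": [],
            "virtualNetworkRules": [
                {
                    "action": "Allow",
                    "state": "Succeeded",
                    "virtualNetworkResourceId": EXPECTED_SUBNET_ID,
                }
            ],
        },
    },
])


def audit_account(account, allowed_subnet_ids):
    """Return a list of findings for one account; an empty list means it is locked down."""
    findings = []
    rules = account.get("networkRuleSet") or {}

    # Without a Deny default, the VNet rules are irrelevant: everything is allowed.
    if rules.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: account reachable from any network")

    # Public IP allow-list entries widen exposure beyond the VNet.
    if rules.get("ipRules"):
        findings.append("ipRules present: public IP ranges are allowed through the firewall")

    # Collect the subnets granted access (resource IDs are case-insensitive).
    vnet_ids = {
        (r.get("virtualNetworkResourceId") or "").lower()
        for r in rules.get("virtualNetworkRules", [])
        if r.get("action", "Allow") == "Allow"
    }
    if not vnet_ids:
        findings.append("no virtualNetworkRules: no VNet subnet is granted access")

    # Any allowed subnet outside the expected set is worth a review.
    unexpected = vnet_ids - {s.lower() for s in allowed_subnet_ids}
    if unexpected:
        findings.append("unexpected subnets allowed: " + ", ".join(sorted(unexpected)))
    return findings


def audit_all(accounts_json, allowed_subnet_ids):
    """Map each account name to its findings for a JSON array of accounts."""
    return {
        acct["name"]: audit_account(acct, allowed_subnet_ids)
        for acct in json.loads(accounts_json)
    }


if __name__ == "__main__":
    # In practice: az storage account list -o json | python audit.py
    for name, findings in audit_all(SAMPLE_ACCOUNTS_JSON, [EXPECTED_SUBNET_ID]).items():
        print(f"{name}: {'OK' if not findings else 'REVIEW'}")
        for finding in findings:
            print(f"  - {finding}")
```

Feed it the output of `az storage account list -o json` for a subscription and treat any non-empty findings list as an account to review; pairing this with a policy that denies `defaultAction: Allow` at creation time keeps new accounts from regressing.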