Limit which storage accounts can be written to for a subscription


Would like to have a feature where we can set a policy that only a specific list of storage accounts can be written to from a subscription. For example, a VM within the virtual network, no matter who is logged in, can only access specific storage accounts when in that subscription.


@RyanStevenson This would also be for any service within a subscription. The reason for this request is we want to say that no one could create a storage account in another subscription and, through a VM or any other service, write to that storage account and exfiltrate data.

@RyanStevenson, I can see the value of providing this. We currently provide AAD authentication (including for MSI), as well as VNET and firewall security (where VMs could be added to a VNET to provide access to a storage account), which isn't as simple as your request. I'll add this for consideration with the right PMs in storage. Thanks, Klaas, Azure Storage

@RyanStevenson you can control which storage accounts can be accessed at a virtual network level. You can configure a Service Endpoint policy for a VNet, that specifies the list of storage accounts to which data exfiltration is allowed. Please see Virtual network service endpoint policies for Azure Storage for details.
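The approach in the reply above, turned into an Azure CLI sequence as an added example (not code from the thread or from Azure documentation): create a service endpoint policy that allow-lists storage accounts, then bind it to a subnet together with the Microsoft.Storage service endpoint. The resource group, VNet, subnet, policy and storage account names are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example: allow-list the storage accounts a subnet may reach through
# its Microsoft.Storage service endpoint. All names are placeholders.
AZ="${AZ:-az}"   # set AZ=echo to dry-run and print the command sequence

# restrict_subnet_storage RG VNET SUBNET POLICY ACCOUNT_ID...
# Fails early if no storage account resource IDs are supplied, so an empty
# policy (which would deny all storage traffic from the subnet) is never created.
restrict_subnet_storage() {
  rg="$1"; vnet="$2"; subnet="$3"; policy="$4"; shift 4
  [ "$#" -gt 0 ] || { echo "no storage account resource IDs given" >&2; return 1; }

  # 1. Empty policy object in the VNet's resource group.
  "$AZ" network service-endpoint policy create -g "$rg" -n "$policy" || return 1

  # 2. One definition for Microsoft.Storage listing the allowed accounts.
  #    Each entry is a full resource ID; account, resource-group or
  #    subscription scoped IDs are accepted by the definition.
  "$AZ" network service-endpoint policy-definition create \
      -g "$rg" --policy-name "$policy" -n "allowed-accounts" \
      --service Microsoft.Storage --service-resources "$@" || return 1

  # 3. Enable the storage service endpoint on the subnet and attach the policy:
  #    storage traffic from the subnet to any account not listed is now blocked.
  "$AZ" network vnet subnet update -g "$rg" --vnet-name "$vnet" -n "$subnet" \
      --service-endpoints Microsoft.Storage \
      --service-endpoint-policy "$policy" || return 1
}

# Constructed sample input: a placeholder subscription and one allowed account.
SUB="00000000-0000-0000-0000-000000000000"
ALLOWED="/subscriptions/$SUB/resourceGroups/app-rg/providers/Microsoft.Storage/storageAccounts/appdatasa"

# Run the real commands only when explicitly requested.
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
  restrict_subnet_storage app-rg app-vnet app-subnet storage-allowlist "$ALLOWED"
fi
```

The policy only governs traffic leaving that subnet via the service endpoint; it does not restrict which identities may use the listed accounts or access to storage from outside the subnet, so it complements rather than replaces the storage firewall and AAD authorization mentioned earlier in the thread.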