Mar 16 2020 08:07 AM
Would like to have a feature where we can set a policy that only a specific list of storage accounts can be written to from a subscription. For example, a VM within the virtual network, no matter who is logged in, can only access specific storage accounts when in that subscription.
Mar 16 2020 11:39 AM
@RyanStevenson This would also be for any service within a subscription. The reason for this request is we want to say that no one could create a storage account in another subscription and, through a VM or any other service, write to that storage account and exfiltrate data.
Mar 24 2020 11:18 PM
@RyanStevenson, I can see the value of providing this. We currently provide AAD authentication (including for MSI), as well as VNET and firewall security (where VMs could be added to a VNET to provide access to a storage account) which isn't as simple as your request. I'll add this for consideration with the right PMs in storage. Thanks, Klaas, Azure Storage
Mar 25 2020 12:24 PM - edited Mar 25 2020 01:36 PM
@RyanStevenson you can control which storage accounts can be accessed at a virtual network level. You can configure a Service Endpoint policy for a VNet, that specifies the list of storage accounts to which data exfiltration is allowed. Please see Virtual network service endpoint policies for Azure Storage for details.
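The service endpoint policy described above, written out as an added Bicep example (not code from the thread or from Microsoft): it attaches a Storage service endpoint to one subnet and a policy whose definition lists only the approved storage accounts, so Storage traffic from that subnet can reach nothing else. The VNet, subnet, policy names, address ranges and the storage account resource ID are assumed placeholders.

```bicep
// Added example: restrict Storage service-endpoint traffic from one subnet
// to an explicit allow-list of storage accounts. All names/IDs are assumed.
param location string = resourceGroup().location
param vnetName string = 'vnet-workload'
param subnetName string = 'snet-vms'
// Full resource IDs of the ONLY storage accounts this subnet may reach.
// A resource group or subscription ID is also accepted as a scope, but listing
// individual accounts is the tightest setting and what the thread asks for.
param allowedStorageAccountIds array = [
  '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<approvedaccount1>'
]

resource sepolicy 'Microsoft.Network/serviceEndpointPolicies@2023-04-01' = {
  name: 'sep-storage-allowlist'
  location: location
  properties: {
    serviceEndpointPolicyDefinitions: [
      {
        name: 'allow-approved-storage-only'
        properties: {
          service: 'Microsoft.Storage'
          serviceResources: allowedStorageAccountIds
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: '10.10.1.0/24'
          // The endpoint carries Storage traffic from this subnet over the Azure backbone...
          serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
          // ...and the policy filters it: accounts not in the list are unreachable
          // from this subnet regardless of which identity the VM signs in with.
          serviceEndpointPolicies: [ { id: sepolicy.id } ]
        }
      }
    ]
  }
}
```

The policy only filters traffic that leaves the subnet through the Storage service endpoint, so it complements rather than replaces the AAD authentication and storage account firewall controls mentioned earlier in the thread.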