Why does Prisma Cloud Azure onboarding require Reader and Data Access Role for Storage Account?

13808
Created On 06/13/19 22:41 PM - Last Modified 12/09/19 22:25 PM


Question


Why does Azure onboarding require Reader and Data Access Role for Storage Account?
The Reader role assigned to the Prisma Cloud application at the Subscription level has read permissions on all resources inside the subscription:

Action   Description
*/read   Read resources of all types, except secrets.

What does Prisma Cloud need to capture that is not available from Subscription level Reader role?


Environment


Prisma Cloud
Azure


Answer


Even though the Reader role at the Subscription level provides read access to all the resources within the subscription, it does not provide access to retrieve the metadata for blobs, tables, and queues inside the Storage Account.

Without this permission, the logging properties for blobs, tables, and queues cannot be evaluated; those properties are used by the following three out-of-the-box policies:
  • Azure storage account logging for blobs is disabled
  • Azure storage account logging for tables is disabled
  • Azure storage account logging for queues is disabled

If access is not granted, the resource config metadata for the storage account shows null for the logging properties, irrespective of whether logging is actually enabled or disabled. This triggers alerts for all three policies regardless of the real configuration.
 
"loggingProperties": {
   "blob": {},
   "queue": {},
   "table": {}
},
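The empty loggingProperties block above is the symptom to look for when triaging these three alerts. The following Python snippet is an added example, not Prisma Cloud's own evaluation logic: it classifies each service's logging metadata and separates a genuine "logging disabled" finding from a "metadata could not be retrieved" permission gap. The shape of the empty entries is taken from the article; the field names used for a populated entry (read/write/delete/retentionDays) and the sample account name are assumptions modelled on Azure Storage Analytics logging settings, not Prisma Cloud's schema.

```python
import json

# Constructed sample: what the resource config looks like when the
# Reader and Data Access role is missing (empty entries, as in the article).
NO_PERMISSION_CONFIG = json.loads("""
{
  "name": "examplestorageacct",
  "loggingProperties": {
    "blob": {},
    "queue": {},
    "table": {}
  }
}
""")

# Constructed sample for a fully readable account. The read/write/delete and
# retentionDays fields are an assumption mirroring Azure Storage Analytics
# logging settings; they are not Prisma Cloud's documented schema.
FULL_ACCESS_CONFIG = json.loads("""
{
  "name": "examplestorageacct",
  "loggingProperties": {
    "blob":  {"read": true,  "write": true,  "delete": true,  "retentionDays": 30},
    "queue": {"read": false, "write": false, "delete": false, "retentionDays": 0},
    "table": {"read": false, "write": true,  "delete": false, "retentionDays": 7}
  }
}
""")

SERVICES = ("blob", "table", "queue")

# The three out-of-the-box policy names listed in the article.
POLICY_NAMES = {
    "blob": "Azure storage account logging for blobs is disabled",
    "table": "Azure storage account logging for tables is disabled",
    "queue": "Azure storage account logging for queues is disabled",
}


def logging_state(props):
    """Classify one service's logging properties as enabled/disabled/unknown.

    An absent or empty entry is "unknown": per the article, that is what the
    scanner records when it cannot retrieve the metadata, so it must not be
    read as "disabled".
    """
    if not props:  # None or {} -> metadata could not be retrieved
        return "unknown"
    if any(props.get(op) for op in ("read", "write", "delete")):
        return "enabled"
    return "disabled"


def evaluate_storage_account(config):
    """Evaluate the three logging policies against one storage account config.

    Returns {policy name: "pass" | "fail" | "permission_gap"}, where
    "permission_gap" means the verdict is untrustworthy until the
    Reader and Data Access role has been granted.
    """
    logging_props = config.get("loggingProperties") or {}
    verdicts = {}
    for svc in SERVICES:
        state = logging_state(logging_props.get(svc))
        verdicts[POLICY_NAMES[svc]] = {
            "enabled": "pass",
            "disabled": "fail",
            "unknown": "permission_gap",
        }[state]
    return verdicts


def needs_role_fix(config):
    """True when every service's metadata is empty: the classic symptom of a
    missing Reader and Data Access role rather than three real misconfigs."""
    return all(v == "permission_gap"
               for v in evaluate_storage_account(config).values())


if __name__ == "__main__":
    for label, cfg in (("no permission", NO_PERMISSION_CONFIG),
                       ("full access", FULL_ACCESS_CONFIG)):
        print(f"--- {label} ---")
        for policy, verdict in evaluate_storage_account(cfg).items():
            print(f"{verdict:15s} {policy}")
        print("role fix needed:", needs_role_fix(cfg))
```

Treating "all three services empty" as a permission gap rather than as three failures keeps the onboarding problem from being misread as three separate storage misconfigurations.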


Additional Information



The Reader and Data Access role at the Subscription level has permissions ONLY on Storage Accounts (SA):
 
Action                                                     Description
Microsoft.Storage/storageAccounts/listKeys/action          Returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/ListAccountSas/action    Returns the Account SAS token for the specified storage account.
Microsoft.Storage/storageAccounts/read                     Returns the list of storage accounts or gets the properties for the specified storage account.

These permissions allow Prisma Cloud to obtain the SA's access keys and read the metadata of its blobs, tables, and queues. The keys also allow write/edit actions on the SA and its containers (blobs, tables, queues); however, Prisma Cloud DOES NOT need and DOES NOT use the edit capability. Prisma Cloud uses listKeys only to access the SA and read the metadata of its containers.
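To see why the Subscription-level Reader role is not enough, it helps to match the actions each role grants against the actions the onboarding needs. The snippet below is an added example, not Palo Alto Networks or Microsoft code: it models Azure RBAC action matching (a `*` in a role's action pattern spans any characters, including `/`, and matching is case-insensitive; that wildcard behaviour is an assumption drawn from how Azure role definitions are documented) and reports which required actions a set of roles leaves uncovered. The role definitions contain only the actions the article lists; the real built-in roles carry more entries.

```python
import re

# Role definitions restricted to the actions named in the article.
# Assumption: the real built-in roles contain additional actions not shown here.
ROLE_ACTIONS = {
    "Reader": [
        "*/read",
    ],
    "Reader and Data Access": [
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/ListAccountSas/action",
        "Microsoft.Storage/storageAccounts/read",
    ],
}

# Per the article, onboarding needs to read the storage account and list its
# keys so that the blob/table/queue logging metadata can be retrieved.
REQUIRED_ACTIONS = [
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listKeys/action",
]


def action_matches(pattern, action):
    """Azure RBAC-style match: '*' spans any characters (including '/'),
    comparison is case-insensitive (assumed wildcard semantics)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def is_permitted(roles, action):
    """True if any pattern in any of the given roles covers the action."""
    return any(action_matches(p, action) for r in roles for p in ROLE_ACTIONS[r])


def missing_actions(roles):
    """Required actions that the given role assignments do not cover."""
    return [a for a in REQUIRED_ACTIONS if not is_permitted(roles, a)]


def grants_write(roles):
    """Control-plane write check: none of the listed actions is a '/write',
    which is why the role by itself does not let Prisma Cloud edit the SA."""
    return is_permitted(roles, "Microsoft.Storage/storageAccounts/write")


if __name__ == "__main__":
    for assigned in (["Reader"], ["Reader", "Reader and Data Access"]):
        gap = missing_actions(assigned)
        print(f"{assigned}: missing {gap or 'nothing'}; "
              f"control-plane write: {grants_write(assigned)}")
```

Running it shows that `*/read` covers `Microsoft.Storage/storageAccounts/read` but not `.../listKeys/action`, so Reader alone leaves listKeys uncovered, and that neither role carries a control-plane write action: the edit capability the article mentions comes from holding the account keys, not from the role definition.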


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMA1CAO&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail