Framework/Configurations/SVT/Services/Storage.json
{
"FeatureName": "Storage", "Reference": "aka.ms/azsdkosstcp/storage", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_Storage_AuthN_Dont_Allow_Anonymous", "Description": "The Access Type for containers must not be set to 'Public'", "Id": "AzureStorage110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckStorageContainerPublicAccessTurnOff", "Recommendation": "Run command 'Set-AzureStorageContainerAcl -Name '<ContainerName>' -Permission 'Off' -Context '<StorageContext>''. Run 'Get-Help Set-AzureStorageContainerAcl -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "AuthN", "OwnerAccess" ], "Enabled": true }, { "ControlID": "Azure_Storage_Audit_Issue_Alert_AuthN_Req", "Description": "Alert rules must be configured for tracking anonymous activity", "Id": "AzureStorage120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckStorageMetricAlert", "Recommendation": "Run command 'Add-AzureRmMetricAlertRule -MetricName 'AnonymousSuccess' -Operator 'GreaterThan' -Threshold '0' -TimeAggregationOperator 'Total' -WindowSize '01:00:00' -Actions '<New-AzureRmAlertRuleEmail -SendToServiceOwners>' -Name '<AlertName>' -ResourceGroup '<RGName>' -TargetResourceId '<TargetResourceId>' -Location '<Location>''. Run 'Get-Help Add-AzureRmMetricAlertRule -full' for more help. Note: You will need to enable this for all service types within Storage (Blob, File, Table, Queue, etc.) even if you are only using one of them.", "Tags": [ "SDL", "TCP", "Automated", "Audit" ], "Enabled": true }, { "ControlID": "Azure_Storage_Deploy_Use_Geo_Redundant", "Description": "Use geo-redundant storage accounts", "Id": "AzureStorage130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckStorageGeoRedundantReplication", "Recommendation": "Run command 'Set-AzureRmStorageAccount -Name '<StorageAccountName>' -ResourceGroupName '<RGName>' -SkuName '<Standard_GRS/Standard_RAGRS>''. 
Run 'Get-Help Set-AzureRmStorageAccount -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "Deploy" ], "Enabled": true }, { "ControlID": "Azure_Storage_DP_Encrypt_At_Rest_Blob", "Description": "Sensitive data in Storage Blob must be encrypted at rest", "Id": "AzureStorage140", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckStorageBlobEncryptionEnabled", "Recommendation": "Run command 'Set-AzureRmStorageAccount -Name '<StorageAccountName>' -ResourceGroupName '<RGName>' -EnableEncryptionService 'Blob''. Run 'Get-Help Set-AzureRmStorageAccount -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "Azure_Storage_Audit_AuthN_Requests", "Description": "Storage Account must be configured to log and monitor authentication request data", "Id": "AzureStorage150", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckStorageEnableDiagnosticsLog", "Recommendation": "Run command 'Set-AzureStorageServiceLoggingProperty -ServiceType '<Blob/Queue/Table>' -LoggingOperations 'All' -Context '<StorageContext>' -RetentionDays '365' -PassThru'. Run 'Get-Help Set-AzureStorageServiceLoggingProperty -full' for more help. Logging is configured per service, so repeat the command for each service type in use. Also run command 'Set-AzureStorageServiceMetricsProperty -MetricsType 'Hour' -ServiceType '<Blob/Queue/Table/File>' -Context '<StorageContext>' -MetricsLevel 'ServiceAndApi' -RetentionDays '365' -PassThru'. Run 'Get-Help Set-AzureStorageServiceMetricsProperty -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "Audit", "OwnerAccess" ], "Enabled": true }, { "ControlID": "Azure_Storage_DP_Encrypt_In_Transit", "Description": "HTTPS protocol must be used for accessing Storage Account resources", "Id": "AzureStorage160", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Enforce HTTPS for all access to the Storage Account: enable 'Secure transfer required' on the account (Set-AzureRmStorageAccount -EnableHttpsTrafficOnly $true) so that plain HTTP requests are rejected, and issue SAS tokens with -Protocol 'HttpsOnly'. On the client side, an HTTPS-based connection can be established using either a SAS token or a connection string (with 'DefaultEndpointsProtocol=https'). 
Refer: https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1 (for SAS token) and https://docs.microsoft.com/en-us/azure/storage/storage-configure-connection-string (for connection string).", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_Storage_AuthZ_Use_IP_ACL", "Description": "Use IP-restrictions in SAS tokens to only permit access from intended IP addresses", "Id": "AzureStorage180", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Restrict storage SAS tokens to specific IP addresses/ranges where possible (the -IPAddressOrRange parameter of the New-AzureStorage*SASToken cmdlets), so that a leaked token cannot be replayed from an unexpected network. Refer: https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1.", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_Storage_AuthZ_Clients_Use_SAS", "Description": "End user/client apps should access Storage Account through SAS token only", "Id": "AzureStorage190", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Do not use the Storage Account key directly in such apps: an account key grants full control over the entire account and can only be revoked by regenerating it. Use a SAS token to limit access by scope, permissions, duration, IP range, etc. Refer: https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1.", "Tags": [ "SDL", "Best Practice", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_Storage_DP_Rotate_Keys", "Description": "Storage Account keys must be rotated periodically", "Id": "AzureStorage200", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Rotate storage account keys on a periodic basis. To generate a new key, run command 'New-AzureRmStorageAccountKey -KeyName '<key1/key2>' -Name '<StorageAccountName>' -ResourceGroupName '<RGName>''. Regenerate one key at a time and move all clients to the other key first, since any SAS token signed with the regenerated key stops working immediately. Deploy the new key or derived SAS tokens to various clients as appropriate. 
Run 'Get-Help New-AzureRmStorageAccountKey -full' for more help.", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_Storage_AuthZ_Allow_Limited_Access_to_Services", "Description": "Use Stored Access Policies with least privileges needed to access services in the Storage Account.", "Id": "AzureStorage210", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Create SAS tokens that are tied to a Stored Access Policy granting only the minimal required permissions. A Stored Access Policy lets you revoke or change the access of all tokens bound to it by modifying or deleting the policy, without regenerating the account keys. Refer: https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1#controlling-a-sas-with-a-stored-access-policy.", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_Storage_DP_Encrypt_At_Rest_Table", "Description": "Sensitive data in Storage Table must be encrypted at rest", "Id": "AzureStorage220", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Enable client-side encryption when using Tables. Refer: https://docs.microsoft.com/en-us/azure/storage/storage-client-side-encryption.", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_Storage_DP_Encrypt_At_Rest_Queue", "Description": "Sensitive data in Storage Queue must be encrypted at rest", "Id": "AzureStorage230", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Enable client-side encryption when using Queues. Refer: https://docs.microsoft.com/en-us/azure/storage/storage-client-side-encryption.", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_Storage_DP_Encrypt_At_Rest_File", "Description": "Sensitive data in Storage File must be encrypted at rest", "Id": "AzureStorage240", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Run command 'Set-AzureRmStorageAccount -Name '<StorageAccountName>' -ResourceGroupName '<RGName>' -EnableEncryptionService 'File''. 
Run 'Get-Help Set-AzureRmStorageAccount -full' for more help.", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true } ] }