Framework/Configurations/SVT/Services/Storage.json

{
  "FeatureName": "Storage",
  "Reference": "aka.ms/azsdkosstcp/storage",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_Storage_AuthN_Dont_Allow_Anonymous",
      "Description": "The Access Type for containers must NOT allow public access with anonymous authentication",
      "Id": "AzureStorage110",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckStorageContainerPublicAccessTurnOff",
      "Recommendation": "Run command 'Set-AzureStorageContainerAcl -Name '<ContainerName>' -Permission 'Off' -Context '<StorageContext>''. Run 'Get-Help Set-AzureStorageContainerAcl -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthN",
        "OwnerAccess"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Storage_Audit_Issue_Alert_AuthN_Req",
      "Description": "Alerts must be issued for authentication request data",
      "Id": "AzureStorage120",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckStorageMetricAlert",
      "Recommendation": "Run command 'Add-AzureRmMetricAlertRule -MetricName 'AnonymousSuccess' -Operator 'GreaterThan' -Threshold '0' -TimeAggregationOperator 'Total' -WindowSize '01:00:00' -Actions '<New-AzureRmAlertRuleEmail -SendToServiceOwners>' -Name '<AlertName>' -ResourceGroup '<RGName>' -TargetResourceId '<TargetResourceId>' -Location '<Location>''. Run 'Get-Help Add-AzureRmMetricAlertRule -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Storage_Deploy_Use_Geo_Redundant",
      "Description": "Use geo-redundant storage accounts",
      "Id": "AzureStorage130",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckStorageGeoRedundantReplication",
      "Recommendation": "Run command 'Set-AzureRmStorageAccount -Name '<StorageAccountName>' -ResourceGroupName '<RGName>' -SkuName '<Standard_GRS/Standard_RAGRS>''. Run 'Get-Help Set-AzureRmStorageAccount -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Deploy"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Storage_DP_Encrypt_At_Rest_Blob",
      "Description": "Sensitive data in Storage Blob must be encrypted at rest",
      "Id": "AzureStorage140",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckStorageBlobEncryptionEnabled",
      "Recommendation": "Run command 'Set-AzureRmStorageAccount -Name '<StorageAccountName>' -ResourceGroupName '<RGName>' -EnableEncryptionService 'Blob''. Run 'Get-Help Set-AzureRmStorageAccount -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Storage_Audit_AuthN_Requests",
      "Description": "Storage Account must be configured to log and monitor authentication request data",
      "Id": "AzureStorage150",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckStorageEnableDiagnosticsLog",
      "Recommendation": "Run command 'Set-AzureStorageServiceLoggingProperty -ServiceType '<Blob/Queue/Table>' -LoggingOperations 'All' -Context '<StorageContext>' -RetentionDays '365' -PassThru'. Run 'Get-Help Set-AzureStorageServiceLoggingProperty -full' to get the complete details about this command. Also run command 'Set-AzureStorageServiceMetricsProperty -MetricsType 'Hour' -ServiceType '<Blob/Queue/Table/File>' -Context '<StorageContext>' -MetricsLevel 'ServiceAndApi' -RetentionDays '365' -PassThru'. Run 'Get-Help Set-AzureStorageServiceMetricsProperty -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "OwnerAccess"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Storage_DP_Encrypt_In_Transit",
      "Description": "HTTPS protocol must be used for accessing Storage Account resources",
      "Id": "AzureStorage160",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "A connection to the Storage Account can be established using either a SAS token or a connection string. Refer to https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1 to connect to the Storage Account using an HTTPS-only SAS token. Refer to https://docs.microsoft.com/en-us/azure/storage/storage-configure-connection-string to connect to the Storage Account using an HTTPS-configured connection string.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Storage_AuthZ_Use_IP_ACL",
      "Description": "Storage Account must be ACL'd to only permit access from intended IP addresses",
      "Id": "AzureStorage180",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "An IP address restriction can be configured on the SAS token used to connect to the Storage Account. Refer to https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1 for more details.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Storage_AuthZ_Clients_Use_SAS",
      "Description": "Client / end-user apps should always access the Storage Account through a SAS token only",
      "Id": "AzureStorage190",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "A SAS token provides limited access to the clients accessing the Storage Account, without exposing the account key. Refer to https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1 for details on creating a SAS token.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Storage_DP_Rotate_Keys",
      "Description": "Storage Account keys must be rotated periodically",
      "Id": "AzureStorage200",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Run command 'New-AzureRmStorageAccountKey -KeyName '<key1/key2>' -Name '<StorageAccountName>' -ResourceGroupName '<RGName>'' to regenerate the account keys. Run 'Get-Help New-AzureRmStorageAccountKey -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Storage_AuthZ_Allow_Limited_Access_to_Services",
      "Description": "Service-level Shared Access Signatures (SAS) with Stored Access Policies must be used to grant limited access to services in the Storage Account.",
      "Id": "AzureStorage210",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Refer to https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1#controlling-a-sas-with-a-stored-access-policy for details on creating a SAS token with a Stored Access Policy.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Storage_DP_Encrypt_At_Rest_Table",
      "Description": "Sensitive data in Storage Table must be encrypted at rest",
      "Id": "AzureStorage220",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Refer to https://docs.microsoft.com/en-us/azure/storage/storage-client-side-encryption for details on encrypting Storage Table content.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Storage_DP_Encrypt_At_Rest_Queue",
      "Description": "Sensitive data in Storage Queue must be encrypted at rest",
      "Id": "AzureStorage230",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Refer to https://docs.microsoft.com/en-us/azure/storage/storage-client-side-encryption for details on encrypting Storage Queue content.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Storage_DP_Encrypt_At_Rest_File",
      "Description": "Sensitive data in Storage File must be encrypted at rest",
      "Id": "AzureStorage240",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Run command 'Set-AzureRmStorageAccount -Name '<StorageAccountName>' -ResourceGroupName '<RGName>' -EnableEncryptionService 'File''. Run 'Get-Help Set-AzureRmStorageAccount -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    }
  ]
}