module/ConfigurationProvider/ControlConfigurations/Services/Storage.json

{
  "FeatureName": "Storage",
  "Reference": "aka.ms/azsktcp/storage",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_Storage_AuthN_Dont_Allow_Anonymous",
      "Description": "The Access Type for containers must not be set to 'Anonymous'",
      "Id": "AzureStorage110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckStorageContainerPublicAccessTurnOff",
      "DisplayName": "Ensure secure access to storage account containers",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Data in containers that have anonymous access can be downloaded by anyone on the internet without authentication. This can lead to a compromise of corporate data.",
      "Recommendation": "Navigate to your storage account in the Azure portal --> Locate the Configuration setting under Settings --> Set Allow Blob anonymous access to Disabled. This account-level setting overrides any container-level public access setting; before changing it, check the account's request logs for AnonymousSuccess entries to find clients that still rely on anonymous reads, because they will start receiving authorization errors once it is disabled. (For steps to remediate this using PowerShell/Azure CLI, please refer: https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent?tabs=portal#set-the-storage-accounts-allowblobpublicaccess-property-to-false)",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthN",
        "Baseline",
        "Daily",
        "CSEOPilotP3",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "FixControl": {
        "FixMethodName": "DisableAnonymousAccessOnContainers",
        "FixControlImpact": "High"
      },
      "ControlScanSource": "MDCandReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "CustomTags": [
        "StandardSku",
        "PremiumSku",
        "GeneralPurposeStorage",
        "BlobStorage",
        "HNSDisabled",
        "ResourceLocked",
        "TenantBaseline",
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot",
        "P1",
        "Wave2",
        "EDPreview",
        "SMTPreview",
        "SN:Sec_keys",
        "WEBXTWave1",
        "WEBXTPreview",
        "EPSFWave1",
        "EPSFPreview"
      ]
    },
    {
      "ControlID": "Azure_Storage_DP_Encrypt_In_Transit",
      "Description": "HTTPS protocol must be used for accessing Storage Account resources",
      "Id": "AzureStorage160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckStorageEncryptionInTransit",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping and session-hijacking attacks. The 'Secure transfer required' setting is what closes the clear-text path: once enabled, the account rejects requests over plain HTTP and, for Azure Files, SMB connections that do not use encryption. Clients that still use http:// endpoints or unencrypted SMB will start failing, so inventory them before enabling the setting rather than leaving HTTP reachable.",
      "Recommendation": "Refer https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer for instructions to enable secure transfer for storage accounts. For remediation using PowerShell commands, run command: 'Set-AzStorageAccount -ResourceGroupName <RGName> -Name <StorageAccountName> -EnableHttpsTrafficOnly $true'. Run 'Get-Help Set-AzStorageAccount -full' for more help.",
      "DisplayName": "Enable Secure transfer to storage accounts",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "PremiumFileShareStorage",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "PolicyDefinitionGuid": "404c3081-a854-4457-ae30-26a93ef643f9",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
      "Enabled": true,
      "ControlScanSource": "MDCandReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "1c5de8e1-f68d-6a17-e0d2-ec259c42768c"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "EffectiveVerificationResult": "Failed",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "HttpsEnabled",
          "FileShares"
        ]
      },
      "CustomTags": [
        "StandardSku",
        "PremiumSku",
        "GeneralPurposeStorage",
        "BlobStorage",
        "TenantBaseline",
        "CSEOBaseline",
        "MSD",
        "Prod",
        "P2",
        "CSEOPilot",
        "Wave6",
        "EDPreview",
        "SMTPreview",
        "SN:Sec_transport",
        "WEBXTWave1",
        "WEBXTPreview",
        "EPSFWave1",
        "EPSFPreview"
      ]
    },
    {
      "ControlID": "Azure_Storage_NetSec_Restrict_Network_Access",
      "Description": "Ensure that Firewall and Virtual Network access is granted to a minimal set of trusted origins",
      "Id": "AzureStorage260",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckStorageNetworkAccess",
      "DisplayName": "Ensure that Firewall and Virtual Network access is granted to a minimal set of trusted origins",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "AssessmentName": "45d313c3-3fca-5040-035f-d61928366d31",
      "ControlScanSource": "MDCorReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "45d313c3-3fca-5040-035f-d61928366d31"
        ]
      },
      "Rationale": "Restricting access using firewall/virtual network config reduces network exposure of a storage account by limiting access only to expected range/set of clients. Note that this depends on the overall service architecture and may not be possible to implement in all scenarios.",
      "Recommendation": "Go to Azure Portal --> your Storage service --> Settings --> Firewalls and virtual networks --> Selected Network. Provide only the specific IP address ranges and Virtual Network subnets that should be allowed to access the storage account. Also review the exceptions on the same page (trusted Azure services and resource instance rules), since they grant access from outside the listed networks.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "CustomTags": [
        "StandardSku",
        "GeneralPurposeStorage",
        "BlobStorage",
        "PremiumSku"
      ]
    },
    {
      "ControlID": "Azure_Storage_DP_Use_Secure_TLS_Version",
      "Description": "Use approved version of TLS for Azure Storage",
      "Id": "AzureStorage300",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckStorageTLSVersion",
      "DisplayName": "Use approved version of TLS for Azure Storage",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "TLS provides privacy and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.",
      "Recommendation": "To configure the 'Minimum TLS Version' setting for an Azure Storage Account, go to Azure Portal --> Storage Accounts --> Settings --> Configuration --> Minimum TLS Version option --> Set the Minimum TLS Version to at least TLS 1.2 (the MinReqTLSVersion this control enforces), or the latest version available --> Click 'Save'. Before raising the minimum, check the TlsVersion field of the account's request logs for clients still negotiating older versions, as their requests will be rejected afterwards. Refer: https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=powershell#configure-the-minimum-tls-version-for-a-storage-account",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Baseline"
      ],
      "Enabled": true,
      "ControlSettings": {
        "MinReqTLSVersion": "1.2"
      },
      "CustomTags": [
        "StandardSku",
        "PremiumSku",
        "GeneralPurposeStorage",
        "BlobStorage",
        "SN:STORAGE_TLS",
        "TBv8",
        "TenantBaseline",
        "Preview",
        "MSD",
        "Daily",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "CAIWave1"
      ]
    },
    {
      "ControlID": "Azure_Storage_AuthZ_Set_SAS_Expiry_Interval",
      "Description": "Shared Access Signature (SAS) expiry interval must be less than approved upper limit for Azure Storage",
      "Id": "AzureStorage320",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckStorageSASExpirationPeriod",
      "DisplayName": "Shared Access Signature (SAS) expiry interval must be less than approved upper limit for Azure Storage",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "To set the 'SAS Expiry Interval' for Azure Storage, go to Azure Portal --> Your Storage Service --> Configuration --> Enable upper limit for SAS Expiry Interval, if not enabled --> Set the SAS Expiry Interval so that it is less than the approved upper limit. Note that the policy applies to account SAS and service SAS (tokens signed with the account key) and does not shorten tokens that were already issued; where the account exposes an expiration action, set it to block rather than only log requests whose SAS exceeds the interval, otherwise the limit is advisory. Refer: https://learn.microsoft.com/en-us/azure/storage/common/sas-expiration-policy?tabs=azure-portal#configure-a-sas-expiration-policy",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "Baseline"
      ],
      "Enabled": true,
      "Rationale": "Shared Access Signature (SAS) is used to provide secure delegate access to resources in storage account. Setting SAS expiry interval to less than approved upper limit mitigates the risk of providing access to resources in storage account for a large amount of time.",
      "ControlSettings": {
        "SASExpirationPeriod": "7.00:00:00"
      },
      "CustomTags": [
        "StandardSku",
        "PremiumSku",
        "GeneralPurposeStorage",
        "BlobStorage",
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_Storage_NetSec_Restrict_Network_Access_MCSB",
      "Description": "[MCSB] Ensure that Firewall and Virtual Network access is granted to a minimal set of trusted origins",
      "Id": "AzureStorage330",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Ensure that Firewall and Virtual Network access is granted to a minimal set of trusted origins",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [ "45d313c3-3fca-5040-035f-d61928366d31" ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Rationale": "Restricting access using firewall/virtual network config reduces network exposure of a storage account by limiting access only to expected range/set of clients. Note that this depends on the overall service architecture and may not be possible to implement in all scenarios.",
      "Recommendation": "Go to Azure Portal --> your Storage service --> Settings --> Firewalls and virtual networks --> Selected Network. Provide only the specific IP address ranges and Virtual Network subnets that should be allowed to access the storage account. Also review the exceptions on the same page (trusted Azure services and resource instance rules), since they grant access from outside the listed networks.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "Baseline"
      ],
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Storage_AuthN_Dont_Allow_Anonymous_MCSB",
      "Description": "[MCSB] The Access Type for containers must not be set to 'Anonymous'",
      "Id": "AzureStorage340",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Ensure secure access to storage account containers",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Data in containers that have anonymous access can be downloaded by anyone on the internet without authentication. This can lead to a compromise of corporate data.",
      "Recommendation": "Navigate to your storage account in the Azure portal --> Locate the Configuration setting under Settings --> Set Allow Blob anonymous access to Disabled. (For steps to remediate this using PowerShell/Azure CLI, please refer: https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent?tabs=portal#set-the-storage-accounts-allowblobpublicaccess-property-to-false)",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthN",
        "Baseline"
      ],
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [ "51fd8bb1-0db4-bbf1-7e2b-cfcba7eb66a6" ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Storage_DP_Encrypt_In_Transit_MCSB",
      "Description": "[MCSB] HTTPS protocol must be used for accessing Storage Account resources",
      "Id": "AzureStorage350",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks. When enabling HTTPS, one must remember to simultaneously disable access over plain HTTP else data can still be subject to compromise over clear text connections.",
      "Recommendation": "Refer https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer for instructions to enable secure transfer for storage accounts. For remediation using PowerShell commands, run command: 'Set-AzStorageAccount -ResourceGroupName <RGName> -Name <StorageAccountName> -EnableHttpsTrafficOnly $true'. Run 'Get-Help Set-AzStorageAccount -full' for more help.",
      "DisplayName": "[MCSB] Enable Secure transfer to storage accounts",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Baseline"
      ],
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "1c5de8e1-f68d-6a17-e0d2-ec259c42768c"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "EffectiveVerificationResult": "Failed",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Storage_NetSec_Avoid_IP_Based_Filtering_MCSB",
      "Description": "[MCSB] Network access should use Virtual Network Rules to restrict the Network Access.",
      "Id": "AzureStorage360",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Network access should use Virtual Network Rules to restrict the Network Access.",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",
      "Recommendation": "Go to Azure portal --> your storage account --> Select 'Networking' --> Select 'Selected networks' --> Add a Virtual network under the 'Virtual networks' section. Do not add allowed IP ranges/ or addresses in the firewall. This is to prevent public IPs from accessing your storage account. For details, see: https://aka.ms/storagenetworksecurity.",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [ "ad4f3ff1-30eb-5042-16ed-27198f640b8d" ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "Baseline"
      ],
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Storage_Audit_Enable_Diagnostic_Settings",
      "Description": "Diagnostics logs must be enabled for Storage",
      "Id": "Storage370",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckStorageDiagnosticsSettings",
      "DisplayName": "Diagnostics logs must be enabled for Storage",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Diagnostic logs for read, write and delete operations on the blob, queue, table and file services are what allow an activity trail to be reconstructed when an incident or compromise is investigated. This control expects those logs to be enabled for each service and retained either with no expiry or for at least the configured minimum period (DiagnosticMinRetentionPeriod, 90 days here); many compliance requirements expect a retention period of about one year, so choose the longer of the two where such requirements apply.",
      "Recommendation": "You can create or update the diagnostic settings from the Azure Portal by following the steps given here: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal#create-diagnostic-settings.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics",
        "Storage",
        "Baseline"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "StorageBlobDiagnosticSettings",
          "StorageQueueDiagnosticSettings",
          "StorageTableDiagnosticSettings",
          "StorageFileShareDiagnosticSettings"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "ExcludeADBStorageAccount": true,
        "ExcludePurviewStorageAccount": true,
        "DiagnosticForeverRetentionValue": "0",
        "DiagnosticMinRetentionPeriod": "90",
        "DiagnosticLogs": [
          "StorageRead",
          "StorageWrite",
          "StorageDelete"
        ],
        "DiagnosticSettingsJSONPath": [
          {
            "Name": "Blobs",
            "JSONPath": "AzStorageBlobDiagnosticSettings"
          },
          {
            "Name": "Queues",
            "JSONPath": "AzStorageQueueDiagnosticSettings"
          },
          {
            "Name": "Tables",
            "JSONPath": "AzStorageTableDiagnosticSettings"
          },
          {
            "Name": "FileShares",
            "JSONPath": "AzStorageFileShareDiagnosticSettings"
          }
        ]
      },
      "CustomTags": [
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_Storage_DP_Rotate_Access_Keys",
      "Description": "Azure Storage account access keys must be rotated on periodic basis",
      "Id": "AzureStorage380",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckStorageKeysRotationPeriod",
      "DisplayName": "Azure Storage account access keys must be rotated on periodic basis",
      "Category": "Security Hygiene best practices",
      "ControlRequirements": "Access keys must be rotated periodically to mitigate the risks arising due to key compromise to ensure the continued protection of sensitive data",
      "Rationale": "Access keys are long-lived, account-wide credentials that are not tied to any user or service identity, so a leaked or over-shared key remains usable until it is regenerated. Rotating keys on a fixed schedule (this control expects at most RecommendedKeyRotationPeriodInDays, 365 days here) bounds how long a compromised key, or one known to a terminated person or decommissioned workload, stays valid.",
      "Recommendation": "To rotate keys for Azure Storage, go to Azure Portal --> Your Storage Account --> Access keys --> choose the key you want to rotate and press Rotate Key. Rotate one key at a time: move clients to the other key first, then regenerate the old one, so no consumer loses access; remember that connection strings and any account or service SAS signed with the rotated key stop working and must be reissued. Refer: https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal",
      "Tags": [
        "Automated",
        "Storage",
        "DP",
        "Baseline"
      ],
      "Enabled": true,
      "ControlSettings": {
        "RecommendedKeyRotationPeriodInDays": "365"
      },
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "MSD",
        "TBv10",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:Storage_RotateKeys"
      ]
    },
    {
      "ControlID": "Azure_Storage_DP_Enable_Secure_Transfer_MCSB",
      "Description": "[MCSB] Secure transfer to storage accounts should be enabled",
      "Id": "AzureStorage390",
      "ControlSeverity": "High",
      "ControlScanSource": "MDC",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Secure transfer to storage accounts should be enabled",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.",
      "Recommendation": "To enable secure transfer in Storage Account through Azure Portal, go to Azure portal --> Your Storage Account --> Configuration --> Select 'Enabled' in Secure Transfer Required field or through PowerShell command: 'Set-AzStorageAccount -ResourceGroupName <RGName> -Name <StorageAccountName> -EnableHttpsTrafficOnly $true'. Refer: https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Tags": [
        "DP",
        "Storage",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "cdc78c07-02b0-4af0-1cb2-cb7c672a8b0a"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Storage_DP_Enable_Encryption_With_Customer_Managed_Keys_MCSB",
      "Description": "[MCSB] Storage accounts should use customer-managed key for encryption",
      "Id": "AzureStorage400",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Storage accounts should use customer-managed key for encryption",
      "Category": "Encrypt data at rest",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "Encryption at rest ensures that sensitive data is stored encrypted, which limits the impact of physical theft of storage media and helps meet regulatory compliance requirements. Azure Storage always applies this with a Microsoft-managed key; a customer-managed key does not add a second layer of encryption but gives you control over the key itself: it is held in your own Key Vault, so you control rotation, can audit its use, and can revoke the storage account's access to it, which renders the data unreadable.",
      "Recommendation": "To use customer managed keys in Azure Storage Accounts, please refer: https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-existing-account?tabs=azure-portal",
      "Tags": [
        "Storage",
        "Automated",
        "Baseline",
        "DP"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "ca98bba7-719e-48ee-e193-0b76766cdb07"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_Storage_DP_Encrypt_In_Transit_KR51",
      "Description": "[KR51] Enable Secure transfer to storage accounts.",
      "Id": "AzureStorage410",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Policy",
      "DisplayName": "[KR51] Enable Secure transfer to storage accounts.",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks. When enabling HTTPS, one must remember to simultaneously disable access over plain HTTP else data can still be subject to compromise over clear text connections.",
      "Recommendation": "Refer https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer for instructions to enable secure transfer for storage accounts. For remediation using PowerShell commands, run command: 'Set-AzStorageAccount -ResourceGroupName <RGName> -Name <StorageAccountName> -EnableHttpsTrafficOnly $true'. Run 'Get-Help Set-AzStorageAccount -full' for more help.",
      "Tags": [
        "Baseline",
        "Automated",
        "DP",
        "Storage"
      ],
      "CustomPolicyProperties": {
        "PolicyDefinitionandAssignmentIdMapping": [
          {
            "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
            "AssignmentId": ""
          }
        ]
      },
      "CustomDeploymentPolicyProperties": {
        "PolicyDefinitonMappings": [
          {
            "EffectType": "Deny",
            "DefinitionType": "Definition",
            "DisplayName": "Secure transfer to storage accounts should be enabled",
            "Description": "Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.",
            "Id": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9"
          },
          {
            "EffectType": "Dine",
            "DefinitionType": "Definition",
            "DisplayName": "Secure transfer to storage accounts should be enabled",
            "Description": "Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.",
            "Id": "/providers/Microsoft.Authorization/policyDefinitions/f81e3117-0093-4b17-8a60-82363134f0eb"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "KR51",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_Storage_AuthN_Dont_Allow_Anonymous_KR51",
      "Description": "[KR51] Ensure secure access to storage account containers.",
      "Id": "AzureStorage420",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Policy",
      "DisplayName": "[KR51] Ensure secure access to storage account containers.",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Data in containers that have anonymous access can be downloaded by anyone on the internet without authentication. This can lead to a compromise of corporate data.",
      "Recommendation": "Navigate to your storage account in the Azure portal --> Locate the Configuration setting under Settings --> Set Allow Blob anonymous access to Disabled. (For steps to remediate this using PowerShell/Azure CLI, please refer: https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent?tabs=portal#set-the-storage-accounts-allowblobpublicaccess-property-to-false)",
      "Tags": [
        "Baseline",
        "Automated",
        "AuthN",
        "Storage"
      ],
      "CustomPolicyProperties": {
        "PolicyDefinitionandAssignmentIdMapping": [
          {
            "PolicyDefinitionId": "/providers/microsoft.authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
            "AssignmentId": ""
          }
        ]
      },
      "CustomDeploymentPolicyProperties": {
        "PolicyDefinitonMappings": [
          {
            "EffectType": "Deny",
            "DefinitionType": "Definition",
            "DisplayName": "Storage account public access should be disallowed",
            "Description": "Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",
            "Id": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751"
          },
          {
            "EffectType": "Dine",
            "DefinitionType": "Definition",
            "DisplayName": "Storage account public access should be disallowed",
            "Description": "Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",
            "Id": "/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "KR51",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_Storage_AuthN_Disable_Key_Access",
      "Description": "Shared Key Access must be disabled for an Azure Storage account",
      "Id": "AzureStorage430",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckStorageAccountKeyAccess",
      "DisplayName": "Shared Key Access must be disabled for an Azure Storage account",
      "Category": "AAD Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Storage account access keys are account-wide credentials: anyone holding a key, or a SAS signed with it, gets full data-plane access to the entire storage account with no user or service identity behind the request, so access cannot be scoped with RBAC, attributed in audit logs, or protected by Conditional Access. Disabling shared key authorization forces every request to be authorized with Microsoft Entra ID, where access can be scoped, attributed and revoked per identity.",
      "Recommendation": "To remediate, disable shared key access on your storage account. Go to Azure Portal --> Your Storage Account --> Configuration --> Allow Storage Account Key Access --> Select 'Disabled' --> Save. Note that this also rejects account SAS and service SAS tokens, because both are signed with the account key; only user delegation SAS (signed with Microsoft Entra credentials) keeps working. Inventory clients that use connection strings containing the key or such SAS tokens and move them to Microsoft Entra ID authorization before disabling.",
      "Tags": [
        "Storage",
        "AuthN",
        "Baseline"
      ],
      "Enabled": true,
      "ControlScanSource": "Reader",
      "CustomTags": [
        "Weekly",
        "SN:Prevent_SharedKey_Authorization"
      ]
    },
    {
      "ControlID": "Azure_Storage_BCDR_Configure_Required_Redundancy",
      "Description": "Data redundancy must be configured on storage account",
      "Id": "AzureStorage440",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDataRedundancyConfiuration",
      "DisplayName": "Data redundancy must be configured on storage account",
      "Category": "Business Continuity and Disaster Recovery",
      "ControlRequirements": "Redundancy must be configured to build highly available, durable and resilient applications",
      "Rationale": "Redundancy helps with data replication across multiple locations, ensuring data availability, durability and resiliency against failures.",
      "Recommendation": "Go to Azure Portal --> Your Storage Account --> Redundancy --> Switch to one of the recommended redundancy options --> Save. For remediation using PowerShell or Azure CLI, follow: https://learn.microsoft.com/en-us/azure/storage/common/redundancy-migration?tabs=portal#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli. Note that some changes (for example to or from a zone-redundant option) are performed by Azure as a conversion that can take time and may incur data transfer charges; check the linked page for which conversions are supported in your region.",
      "ControlSettings": {
        "RecommendedSkuNamesBySkuTier": {
          "Standard": [ "Standard_GRS", "Standard_RAGRS", "Standard_GZRS", "Standard_RAGZRS", "StandardV2_GRS", "StandardV2_RAGRS", "StandardV2_GZRS", "StandardV2_RAGZRS" ],
          "Premium": [ "Premium_ZRS", "PremiumV2_ZRS" ]
        }
      },
      "Tags": [
        "Storage",
        "BCDR",
        "Best Practice",
        "Baseline"
      ],
      "Enabled": true,
      "ControlScanSource": "Reader",
      "CustomTags": [
        "Weekly"
      ]
    }
  ]
}