Benchmark: Storage
Description
This section contains recommendations for configuring Storage resources.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Storage.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.all_controls_storage
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.all_controls_storage --share
Controls
- Ensure that 'Public access level' is set to Private for blob containers
- Ensure Storage logging is enabled for Blob service for read, write, and delete requests
- Storage account public access should be disallowed
- Storage account containing VHD OS disk not encrypted with CMK
- Storage accounts should restrict network access
- Storage accounts should use customer-managed key for encryption
- Storage account encryption scopes should use customer-managed keys to encrypt data at rest
- Geo-redundant storage should be enabled for Storage Accounts
- Storage accounts should have infrastructure encryption
- Storage account logging (Classic Diagnostic Setting) for blobs should be enabled
- Storage account logging (Classic Diagnostic Setting) for queues should be enabled
- Storage account logging (Classic Diagnostic Setting) for tables should be enabled
- Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- Ensure Storage logging is enabled for Queue service for read, write, and delete requests
- Storage accounts should restrict network access using virtual network rules
- Secure transfer to storage accounts should be enabled
- Ensure soft delete is enabled for Azure Storage
- Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' requests
- Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- Storage Accounts should use a virtual network service endpoint
- Storage accounts should be migrated to new Azure Resource Manager resources
- Storage accounts should use private link