Benchmark: 3 Storage Accounts
Overview
This section covers the security recommendations to follow when configuring storage account policies in an Azure subscription. An Azure storage account provides a unique namespace through which Azure Storage data objects (blobs, files, queues, and tables) are stored and accessed.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 3 Storage Accounts.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.cis_v140_3
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.cis_v140_3 --share
Controls
- 3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
- 3.2 Ensure that storage account access keys are periodically regenerated
- 3.3 Ensure Storage logging is enabled for Queue service for 'Read', 'Write', and 'Delete' requests
- 3.4 Ensure that shared access signature tokens expire within an hour
- 3.5 Ensure that 'Public access level' is set to Private for blob containers
- 3.6 Ensure default network access rule for Storage Accounts is set to deny
- 3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
- 3.8 Ensure soft delete is enabled for Azure Storage
- 3.9 Ensure storage for critical data are encrypted with Customer Managed Key
- 3.10 Ensure Storage logging is enabled for Blob service for 'Read', 'Write', and 'Delete' requests
- 3.11 Ensure Storage logging is enabled for Table service for 'Read', 'Write', and 'Delete' requests
- 3.12 Ensure the 'Minimum TLS version' is set to 'Version 1.2'
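Most of the controls above are properties of the storage account resource itself, so they can be evaluated directly from the account's ARM representation (the JSON that `az storage account show` returns). The following Python evaluator is an added illustration of what those checks test; it is not the mod's own SQL and not part of the Steampipe Azure plugin. It assumes the ARM property names `supportsHttpsTrafficOnly`, `minimumTlsVersion`, `allowBlobPublicAccess`, `networkAcls.defaultAction`, `networkAcls.bypass`, `encryption.keySource` and `sasPolicy.sasExpirationPeriod`, and the two sample accounts are constructed, not real resources. Controls 3.2, 3.3, 3.8, 3.10 and 3.11 depend on key rotation history, diagnostic settings or per-service properties that the account object alone does not carry, so they are left out.

```python
"""Evaluate an Azure storage account's ARM properties against CIS v1.4.0 section 3.

Added example, not code from steampipe-mod-azure-compliance. Input shape assumed
to match `az storage account show` output.
"""
import re
from typing import Dict, List, Tuple


def sas_period_seconds(period: str) -> int:
    """Parse sasPolicy.sasExpirationPeriod, which ARM formats as 'DD.HH:MM:SS'."""
    m = re.fullmatch(r"(\d+)\.(\d{1,2}):(\d{1,2}):(\d{1,2})", period)
    if not m:
        raise ValueError(f"unexpected SAS expiration period: {period!r}")
    days, hours, minutes, seconds = (int(x) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def evaluate_storage_account(acct: Dict) -> List[Tuple[str, str, str]]:
    """Return (control, status, reason) triples; status is 'ok' or 'alarm'."""
    results: List[Tuple[str, str, str]] = []

    # 3.1 Secure transfer required: HTTP must be refused at the account.
    https_only = acct.get("supportsHttpsTrafficOnly")
    results.append(("3.1", "ok" if https_only is True else "alarm",
                    f"supportsHttpsTrafficOnly={https_only}"))

    # 3.4 SAS tokens expire within an hour. Individual SAS lifetimes cannot be
    # inspected from the account, so we check the account-level SAS policy that
    # caps them; no policy means nothing enforces the limit.
    period = (acct.get("sasPolicy") or {}).get("sasExpirationPeriod")
    if period is None:
        results.append(("3.4", "alarm", "no sasPolicy; SAS lifetime not enforced"))
    else:
        secs = sas_period_seconds(period)
        results.append(("3.4", "ok" if secs <= 3600 else "alarm",
                        f"sasExpirationPeriod={period}"))

    # 3.5 Private containers: allowBlobPublicAccess=False forces every container
    # to private regardless of its own public access level.
    public = acct.get("allowBlobPublicAccess")
    results.append(("3.5", "ok" if public is False else "alarm",
                    f"allowBlobPublicAccess={public}"))

    # 3.6 Default network rule must deny traffic not matched by a firewall rule.
    acls = acct.get("networkAcls") or {}
    default_action = acls.get("defaultAction", "Allow")
    results.append(("3.6", "ok" if default_action == "Deny" else "alarm",
                    f"defaultAction={default_action}"))

    # 3.7 Trusted Microsoft services bypass the firewall. ARM stores bypass as a
    # comma-separated string; "AzureServices" is the service default when the
    # account is created, "None" when an operator turned the bypass off.
    bypass = {b.strip() for b in acls.get("bypass", "AzureServices").split(",")}
    results.append(("3.7", "ok" if "AzureServices" in bypass else "alarm",
                    f"bypass={sorted(bypass)}"))

    # 3.9 Customer-managed key: keySource is Microsoft.Keyvault, not the
    # platform-managed Microsoft.Storage default.
    key_source = (acct.get("encryption") or {}).get("keySource", "Microsoft.Storage")
    results.append(("3.9", "ok" if key_source == "Microsoft.Keyvault" else "alarm",
                    f"keySource={key_source}"))

    # 3.12 Minimum TLS 1.2. TLS1_3 post-dates the benchmark but is stricter,
    # so it is accepted too (assumption, not part of the control text).
    tls = acct.get("minimumTlsVersion", "TLS1_0")
    results.append(("3.12", "ok" if tls in ("TLS1_2", "TLS1_3") else "alarm",
                    f"minimumTlsVersion={tls}"))
    return results


def failing_controls(acct: Dict) -> List[str]:
    """Control numbers that are in alarm for the given account."""
    return [ctl for ctl, status, _ in evaluate_storage_account(acct) if status == "alarm"]


# Constructed sample accounts (not real resources): one with the weak defaults
# of an older account and one configured to satisfy the controls above.
WEAK_ACCOUNT = {
    "name": "stweakexample",
    "supportsHttpsTrafficOnly": False,
    "allowBlobPublicAccess": True,
    "networkAcls": {"defaultAction": "Allow", "bypass": "None"},
    "encryption": {"keySource": "Microsoft.Storage"},
    "minimumTlsVersion": "TLS1_0",
}

HARDENED_ACCOUNT = {
    "name": "sthardenedexample",
    "supportsHttpsTrafficOnly": True,
    "sasPolicy": {"sasExpirationPeriod": "0.01:00:00", "expirationAction": "Log"},
    "allowBlobPublicAccess": False,
    "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices, Logging"},
    "encryption": {"keySource": "Microsoft.Keyvault"},
    "minimumTlsVersion": "TLS1_2",
}

if __name__ == "__main__":
    for acct in (WEAK_ACCOUNT, HARDENED_ACCOUNT):
        print(acct["name"])
        for ctl, status, reason in evaluate_storage_account(acct):
            print(f"  {ctl:<5} {status:<5} {reason}")
```

Running the block prints every control with its status and the property value that decided it, which is the same shape of evidence the benchmark reports per resource. Note that a SAS expiration policy only logs or blocks tokens issued beyond the limit; it does not shorten the lifetime of tokens that were issued before the policy existed.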