Benchmark: 3 Storage Accounts
Overview
This section covers the security recommendations for configuring storage accounts in an Azure subscription. An Azure storage account provides a unique namespace to store and access Azure Storage data objects (blobs, files, queues and tables).
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 3 Storage Accounts.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.cis_v210_3
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.cis_v210_3 --share
Controls
- 3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
- 3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
- 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated
- 3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
- 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour
- 3.7 Ensure that 'Public Network Access' is 'Disabled' for storage accounts
- 3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny
- 3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- 3.10 Ensure Private Endpoints are used to access Storage Accounts
- 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
- 3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
- 3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
- 3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
- 3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- 3.16 Ensure 'Cross Tenant Replication' is not enabled
- 3.17 Ensure that `Allow Blob Anonymous Access` is set to `Disabled`
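Each control above is implemented in the mod as a Steampipe SQL query over the Azure plugin's tables. The following is an added example, not a query from the mod or from Turbot: an ad hoc check that evaluates several of the Section 3 settings per storage account in a single pass, which is handy for triage before running the full benchmark. It assumes the Steampipe Azure plugin (github.com/turbot/steampipe-plugin-azure) is installed and has credentials for the subscriptions in scope, and it assumes the column names `enable_https_traffic_only`, `public_network_access`, `network_rule_default_action`, `minimum_tls_version` and `allow_blob_public_access` on `azure_storage_account`; verify them against your installed plugin version with `.inspect azure_storage_account` in the Steampipe shell.

```sql
-- Added example (not part of steampipe-mod-azure-compliance): one query that
-- scores a storage account against CIS v2.1.0 controls 3.1, 3.7, 3.8, 3.15
-- and 3.17 as 'ok' or 'alarm', the same status vocabulary Powerpipe reports.
-- Assumed columns: enable_https_traffic_only, public_network_access,
-- network_rule_default_action, minimum_tls_version, allow_blob_public_access.
-- NULLs are treated as failing (coalesce), so an account the plugin could not
-- fully describe shows up as 'alarm' rather than silently passing.
select
  sub.display_name                                   as subscription,
  sa.resource_group,
  sa.name                                            as storage_account,
  -- 3.1  Secure transfer required
  case when coalesce(sa.enable_https_traffic_only, false)
       then 'ok' else 'alarm' end                    as cis_3_1_secure_transfer,
  -- 3.7  Public network access disabled
  case when sa.public_network_access = 'Disabled'
       then 'ok' else 'alarm' end                    as cis_3_7_public_network_access,
  -- 3.8  Default network rule is Deny
  case when sa.network_rule_default_action = 'Deny'
       then 'ok' else 'alarm' end                    as cis_3_8_default_deny,
  -- 3.15 Minimum TLS version 1.2
  case when sa.minimum_tls_version = 'TLS1_2'
       then 'ok' else 'alarm' end                    as cis_3_15_min_tls,
  -- 3.17 Anonymous blob access disabled
  case when not coalesce(sa.allow_blob_public_access, false)
       then 'ok' else 'alarm' end                    as cis_3_17_anonymous_blob
from
  azure_storage_account as sa
  join azure_subscription as sub
    on sa.subscription_id = sub.subscription_id
order by
  sub.display_name,
  sa.resource_group,
  sa.name;
```

Save it as a file and run `steampipe query my_check.sql` (or paste it into `steampipe query`) while the Steampipe service started above is running. The query only reads the storage account resource; controls such as 3.5, 3.13 and 3.14 (diagnostic logging) and 3.10 (private endpoints) need other plugin tables and are left to the benchmark itself.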