Benchmark: 4 Storage Accounts
Overview
This section covers the security recommendations to follow when setting storage account policies on an Azure subscription. An Azure storage account provides a unique namespace in which to store and access Azure Storage data objects.
Usage
Install the mod:
    mkdir dashboards
    cd dashboards
    powerpipe mod init
    powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
    steampipe service start
    powerpipe server
Open http://localhost:9033 in your browser and select 4 Storage Accounts.
Run this benchmark in your terminal:
    powerpipe benchmark run azure_compliance.benchmark.cis_v300_4
Snapshot and share results via Turbot Pipes:
    powerpipe benchmark run azure_compliance.benchmark.cis_v300_4 --share
Controls
- 4.1 Ensure that 'Secure transfer required' is set to 'Enabled'
- 4.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
- 4.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- 4.4 Ensure that Storage Account Access Keys are Periodically Regenerated
- 4.5 Ensure that Shared Access Signature Tokens Expire Within an Hour
- 4.6 Ensure that 'Public Network Access' is 'Disabled' for storage accounts
- 4.7 Ensure Default Network Access Rule for Storage Accounts is Set to Deny
- 4.8 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- 4.9 Ensure Private Endpoints are used to access Storage Accounts
- 4.10 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
- 4.11 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
- 4.12 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
- 4.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
- 4.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
- 4.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- 4.16 Ensure 'Cross Tenant Replication' is not enabled
- 4.17 Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'