Benchmark: 10.1 Azure Files

Overview

This section covers security best practice recommendations for Azure Files.

Help us improve this Benchmark! If you notice a needed correction, want to provide feedback, or wish to contribute security best practice guidance please join our community and create a ticket, propose a change, or start a discussion so we can improve this guidance!

The CIS Microsoft Azure Community is here: https://workbench.cisecurity.org/communities/72

Resources for Azure Files

Azure Product Page:

• https://azure.microsoft.com/en-us/products/storage/files/

Azure Files service overview:

• https://learn.microsoft.com/en-us/azure/storage/files/storage-files-introduction

Microsoft Cloud Security Baseline for Azure File Sync:

• https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-file-sync-security-baseline

Usage

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance

Start the Powerpipe server:

steampipe service start
powerpipe server

Open http://localhost:9033 in your browser and select 10.1 Azure Files.

Run this benchmark in your terminal:

powerpipe benchmark run azure_compliance.benchmark.cis_v400_10_1

Snapshot and share results via Turbot Pipes:

powerpipe benchmark run azure_compliance.benchmark.cis_v400_10_1 --share

Controls

• 10.1.1 Ensure soft delete for Azure File Shares is Enabled
• 10.1.2 Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares
• 10.1.3 Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares

Tags