Benchmark: 9.2 Azure Blob Storage
Azure Blob Storage
This section covers security best practice recommendations for Azure Blob Storage. Azure Blob Storage is a core storage service type for Azure Storage Accounts. Azure Data Lake services depend on the Azure Blob Service.
NOTE: If your organization is using Shared Access Signature (SAS) tokens, please review the CIS Microsoft Azure Storage Services Benchmark for best practice guidance on the configuration and use of those tokens.
Help us improve this Benchmark! If you notice a needed correction, want to provide feedback, or wish to contribute security best practice guidance please join our community and create a ticket, propose a change, or start a discussion so we can improve this guidance!
The CIS Microsoft Azure Community is here: https://workbench.cisecurity.org/communities/72.
Resources for Azure Blob Storage
Azure Product Page:
• https://azure.microsoft.com/en-us/products/storage/blobs/
Azure Blob Storage service overview:
• https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-overview
Microsoft Cloud Security Baseline for Storage:
• https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/storagesecurity-baseline
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 9.2 Azure Blob Storage.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.cis_v500_9_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.cis_v500_9_2 --share
Controls
- 9.2.1 Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled
- 9.2.2 Ensure that soft delete for containers on Azure Blob Storage storage accounts is Enabled
- 9.2.3 Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts