Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
15Dashboards
1471Benchmarks
461Queries
8Variables
GitHub

Control: 10.1.3 Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares

Description

Implement SMB channel encryption with AES-256-GCM for SMB file shares to ensure data confidentiality and integrity in transit. This method offers strong protection against eavesdropping and man-in-the-middle attacks, safeguarding sensitive information.

AES-256-GCM encryption enhances the security of data transmitted over SMB channels by safeguarding it from unauthorized interception and tampering.

Remediation

From Azure Portal

  1. Go to Storage accounts.
  2. Click the name of a storage account.
  3. Under Data storage, click File shares.
  4. Under File share settings, click the link next to Security.
  5. If Profile is set to Maximum compatibility, click the drop-down menu and select Maximum security or Custom.
  6. If selecting Custom, under SMB channel encryption, uncheck the boxes next to AES-128-CCM and AES-128-GCM.
  7. Click Save.
  8. Repeat steps 1-7 for each storage account requiring remediation.

From Azure CLI

For each storage account requiring remediation, run the following command to set the SMB channel encryption:

az storage account file-service-properties update --resource-group <resource-group> --account-name <storage-account> --channel-encryption AES-256-GCM

From PowerShell

For each storage account requiring remediation, run the following command to set the SMB channel encryption:

Update-AzStorageFileServiceProperty -ResourceGroupName <resource-group> -StorageAccountName <storage-account> -SmbChannelEncryption AES-256-GCM

Default Value

By default, the following SMB channel encryption algorithms are allowed:

  • AES-128-CCM
  • AES-128-GCM
  • AES-256-GCM.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v400_10_1_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v400_10_1_3 --share

SQL

This control uses a named query:

select
  sa.id as resource,
  case
    when f -> 'properties' -> 'protocolSettings' -> 'smb' ->> 'channelEncryption' = 'AES-256-GCM;' then 'ok'
    else 'alarm'
  end as status,
  case
    when f -> 'properties' -> 'protocolSettings' -> 'smb' ->> 'channelEncryption' = 'AES-256-GCM;' then sa.name || ' file share SMB channel encryption set to AES-256-GCM.'
    else sa.name || ' file share SMB channel encryption not set to AES-256-GCM.'
  end as reason
  
  , sa.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_storage_account as sa,
  jsonb_array_elements(file_services) as f,
  azure_subscription as sub
where
  sub.subscription_id = sa.subscription_id;

Tags

category = Compliance
cis = true
cis_item_id = 10.1.3
cis_level = 1
cis_section_id = 10.1
cis_type = automated
cis_version = v4.0.0
plugin = azure
service = Azure/Storage