Control: 10.3.1.3 Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled'
Description
Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Microsoft Entra credentials or by using the account access key for Shared Key authorization.
Microsoft Entra ID provides superior security and ease of use compared to Shared Key and is recommended by Microsoft. To require clients to use Microsoft Entra ID for authorizing requests, you can disallow requests to the storage account that are authorized with Shared Key.
Remediation
From Azure Portal
- Go to
Storage accounts. - Click on a storage account.
- Under
Settings, clickConfiguration. - Under
Allow storage account key access, click the radio button next toDisabled. - Click
Save. - Repeat steps 1-5 for each storage account requiring remediation.
From Azure CLI
For each storage account requiring remediation, run the following command to disallow shared key authorization:
az storage account update --resource-group <resource-group> --name <storage-account> --allow-shared-key-access false
From PowerShell
For each storage account requiring remediation, run the following command to disallow shared key authorization:
Set-AzStorageAccount -ResourceGroupName <resource-group> -Name <storage-account> -AllowSharedKeyAccess $false
Default Value
The AllowSharedKeyAccess property of a storage account is not set by default and does not return a value until you explicitly set it. The storage account permits requests that are authorized with the Shared Key when the property value is null or when it is true.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v400_10_3_1_3Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v400_10_3_1_3 --shareSQL
This control uses a named query:
select sa.id as resource, case when allow_shared_key_access then 'alarm' else 'ok' end as status, case when allow_shared_key_access then sa.name || ' shared key access is enabled.' else sa.name || ' shared key access is disabled.' end as reason , sa.resource_group as resource_group , sub.display_name as subscriptionfrom azure_storage_account sa, azure_subscription subwhere sub.subscription_id = sa.subscription_id;