Benchmark: Storage
Description
This section contains recommendations for configuring Storage resources.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Storage.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.all_controls_storage
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.all_controls_storage --share
Controls
- Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
- Ensure that 'Public access level' is set to Private for blob containers
- Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' for storage accounts
- Ensure classic logging is enabled for Azure Blob service
- Ensure Storage logging is enabled for Blob service for read, write, and delete requests
- Soft delete for blobs should be enabled
- Blob versioning should be enabled for storage accounts
- Storage account public access should be disallowed
- Storage account containing VHD OS disk not encrypted with CMK
- Cross tenant replication should be disabled for storage accounts
- Default network access rule for storage accounts should be set to deny
- Storage accounts should restrict network access
- Default to Microsoft Entra authorization should be enabled for storage accounts
- Storage accounts should use customer-managed key for encryption
- Storage accounts should use Microsoft-managed key for encryption
- Storage account encryption scopes should use customer-managed keys to encrypt data at rest
- Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares
- Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares
- Soft delete for Azure File Shares should be enabled
- Geo-redundant storage should be enabled for Storage Accounts
- Storage accounts should have infrastructure encryption
- Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- Public network access should be disabled for storage accounts
- Ensure classic logging is enabled for Azure Queue service
- Ensure Storage logging is enabled for Queue service for read, write, and delete requests
- Storage accounts should restrict network access using virtual network rules
- Secure transfer to storage accounts should be enabled
- Shared key access should be disabled for storage accounts
- Ensure soft delete is enabled for Azure Storage
- Ensure classic logging is enabled for Azure Table service
- Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' requests
- Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- Storage Accounts should use a virtual network service endpoint
- Storage accounts should be migrated to new Azure Resource Manager resources
- Storage accounts should use private link