Benchmark: Storage
Description
This benchmark provides a set of controls that detect Terraform Azure Storage resources deviating from security best practices.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-terraform-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Storage.
Run this benchmark in your terminal:
powerpipe benchmark run terraform_azure_compliance.benchmark.storage
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run terraform_azure_compliance.benchmark.storage --share
Controls
- Ensure that 'Public access level' is set to Private for blob containers
- Ensure Storage logging is enabled for Blob service for read, write, and delete requests
- Storage account public access should be disallowed
- Storage accounts should restrict network access
- Storage accounts should use customer-managed key for encryption
- Storage account encryption scopes should use customer-managed keys to encrypt data at rest
- Storage accounts should have infrastructure encryption
- Ensure Storage logging is enabled for Queue service for read, write, and delete requests
- Storage accounts should have replication type set
- Storage accounts should restrict network access using virtual network rules
- Secure transfer to storage accounts should be enabled
- Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
- Storage Accounts should use a virtual network service endpoint
- Storage accounts should be migrated to new Azure Resource Manager resources
- Storage accounts should use latest minimum TLS version
- Storage accounts should use private link
- Azure Defender for Storage should be enabled
- Storage container public access should be disabled
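The following is an added example, not code from this mod or from Turbot: one way to declare an Azure Storage account in Terraform so that its settings line up with the controls listed above, with a comment on each setting naming the control it addresses. Resource names, the `stexample0001` account name and the `var.*` inputs are placeholders, and the attribute names follow the azurerm 3.x provider (4.x renames `enable_https_traffic_only` to `https_traffic_only_enabled`). Whether a given control passes depends on the mod's own query logic, which this page does not show.

```hcl
# Added example (not part of steampipe-mod-terraform-azure-compliance).
# Placeholder names and assumed variables; azurerm 3.x attribute names.

variable "storage_subnet_id"          { type = string } # subnet with Microsoft.Storage service endpoint
variable "storage_cmk_key_id"         { type = string } # Key Vault key ID for the customer-managed key
variable "private_endpoint_subnet_id" { type = string } # subnet hosting the private endpoint

resource "azurerm_resource_group" "example" {
  name     = "rg-storage-example" # placeholder
  location = "eastus"
}

resource "azurerm_user_assigned_identity" "storage" {
  name                = "id-storage-example" # placeholder
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}

resource "azurerm_storage_account" "example" {
  name                     = "stexample0001" # placeholder, must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS" # "replication type set"

  enable_https_traffic_only = true     # "Secure transfer ... should be enabled"
  min_tls_version           = "TLS1_2" # "latest minimum TLS version"

  public_network_access_enabled   = false # "public access should be disallowed"
  allow_nested_items_to_be_public = false # containers cannot be made public

  infrastructure_encryption_enabled = true # "infrastructure encryption"; creation-time only

  # "restrict network access", "virtual network rules", "service endpoint",
  # "'Trusted Microsoft Services' is enabled"
  network_rules {
    default_action             = "Deny"
    bypass                     = ["AzureServices"]
    virtual_network_subnet_ids = [var.storage_subnet_id]
  }

  # "customer-managed key for encryption": key from Key Vault via a user-assigned identity
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.storage.id]
  }

  customer_managed_key {
    key_vault_key_id          = var.storage_cmk_key_id
    user_assigned_identity_id = azurerm_user_assigned_identity.storage.id
  }

  # "Storage logging is enabled for Queue service for read, write, and delete requests"
  queue_properties {
    logging {
      delete                = true
      read                  = true
      write                 = true
      version               = "1.0"
      retention_policy_days = 10
    }
  }
}

# "'Public access level' is set to Private for blob containers"
resource "azurerm_storage_container" "example" {
  name                  = "data"
  storage_account_name  = azurerm_storage_account.example.name
  container_access_type = "private"
}

# "Storage accounts should use private link": private endpoint for the blob sub-resource
resource "azurerm_private_endpoint" "blob" {
  name                = "pe-stexample-blob" # placeholder
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = var.private_endpoint_subnet_id

  private_service_connection {
    name                           = "psc-stexample-blob"
    private_connection_resource_id = azurerm_storage_account.example.id
    subresource_names              = ["blob"]
    is_manual_connection           = false
  }
}

# "Azure Defender for Storage should be enabled" (subscription-level plan)
resource "azurerm_security_center_subscription_pricing" "storage" {
  tier          = "Standard"
  resource_type = "StorageAccounts"
}
```

Blob service logging and the migration of classic storage accounts are not shown here. To check the file, point the Steampipe Terraform plugin at the directory holding it and run `powerpipe benchmark run terraform_azure_compliance.benchmark.storage`; removing a setting (for example dropping `min_tls_version`, or setting `default_action = "Allow"`) should turn the corresponding control to alarm, which is a quick way to confirm the mod is scanning the intended files.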