Governance Policies Azure Storage Storage Account - Azure/az-prototype GitHub Wiki
# Governance policies for Storage Account
Domain: azure-storage
| Name | Description |
|---|---|
| Storage account with security baseline | Complete storage deployment with RBAC, private endpoint, blob versioning, diagnostics, and role assignment |
| Anti-pattern | Instead |
|---|---|
| Do not use shared key or account key for application access | Use managed identity with Storage Blob Data Contributor role |
| Do not enable public blob access for internal data | Disable public access and use private endpoints with managed identity |
| Do not use SAS tokens for long-lived access | Use managed identity RBAC for application access; use user delegation SAS only for short-lived anonymous access |
- Storage security recommendations
- Storage account overview
- Storage private endpoints
- WAF: Azure Blob Storage service guide
- Blob data protection overview
- Immutable storage for blobs
| Check | Severity | Description |
|---|---|---|
| AZ-ST-001 | Required | Create Storage Account with shared key disabled, public blob access disabled, TLS 1.2, HTTPS-only, and public network access disabled |
| AZ-ST-002 | Recommended | Enable blob versioning and soft delete for data protection |
| AZ-ST-003 | Recommended | Enable diagnostic settings to Log Analytics workspace |
| AZ-ST-004 | Recommended | Configure lifecycle management policies for cost optimization |
| AZ-ST-005 | Recommended | Configure zone-redundant or geo-zone-redundant storage replication |
| AZ-ST-006 | Recommended | Enable point-in-time restore for block blob data protection |
| AZ-ST-007 | Recommended | Apply an Azure Resource Manager lock on the storage account |
| AZ-ST-008 | Recommended | Enable immutability policies for compliance-critical blob data |
## AZ-ST-001: Create Storage Account with shared key disabled, public blob access disabled, TLS 1.2, HTTPS-only, and public network access disabled
Severity: Required
Rationale: Shared keys grant full account access and cannot be scoped; public blob access risks data exposure; TLS 1.2 is the minimum secure transport
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Storage/storageAccounts
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-storage-blob | Private endpoint for blob storage; required when publicNetworkAccess is Disabled |
| Microsoft.Network/privateDnsZones | privatelink.blob.core.windows.net | Private DNS zone for blob storage private endpoint resolution |
| Microsoft.Authorization/roleAssignments | Storage Blob Data Contributor | Storage Blob Data Contributor role (ba92f5b4-2d11-453d-a403-e96b0029c9fe) for application identity |
## AZ-ST-002: Enable blob versioning and soft delete for data protection
Severity: Recommended
Rationale: Allows recovery from accidental deletion or overwrites
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Storage/storageAccounts
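As an added example (not code from the az-prototype wiki or its agents), the AZ-ST-001 and AZ-ST-002 checks above evaluated against the ARM JSON of a storage account and its blob service; the `Finding` type, `check_storage_account` function and the sample account are assumed and constructed here.

```python
from dataclasses import dataclass
from typing import Optional

# Property names follow the Microsoft.Storage ARM schema (the `az storage account show` JSON shape).

@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    message: str

def check_storage_account(account: dict, blob_service: Optional[dict] = None) -> list:
    """Return the policy violations found; an empty list means compliant."""
    p = account.get("properties", {})
    findings = []

    def required(compliant: bool, message: str) -> None:
        if not compliant:
            findings.append(Finding("AZ-ST-001", "Required", message))

    # An absent flag is read as the ARM default (shared key and public blob
    # access allowed), so it is reported as a violation rather than ignored.
    required(p.get("allowSharedKeyAccess") is False, "shared key access is enabled")
    required(p.get("allowBlobPublicAccess") is False, "public blob access is enabled")
    required(p.get("minimumTlsVersion") in ("TLS1_2", "TLS1_3"), "minimum TLS version is below 1.2")
    required(p.get("supportsHttpsTrafficOnly") is True, "HTTPS-only traffic is not enforced")
    required(p.get("publicNetworkAccess") == "Disabled", "public network access is not disabled")

    if blob_service is not None:  # AZ-ST-002 lives on the blobServices/default resource
        b = blob_service.get("properties", {})
        if not b.get("isVersioningEnabled"):
            findings.append(Finding("AZ-ST-002", "Recommended", "blob versioning is disabled"))
        if not b.get("deleteRetentionPolicy", {}).get("enabled"):
            findings.append(Finding("AZ-ST-002", "Recommended", "blob soft delete is disabled"))
    return findings

# Constructed sample: shared-key flag never set, public network still open,
# versioning on but soft delete off, so three findings are expected.
SAMPLE_ACCOUNT = {
    "name": "stexample001",
    "properties": {"allowBlobPublicAccess": False, "minimumTlsVersion": "TLS1_2",
                   "supportsHttpsTrafficOnly": True, "publicNetworkAccess": "Enabled"},
}
SAMPLE_BLOB_SERVICE = {"properties": {"isVersioningEnabled": True,
                                      "deleteRetentionPolicy": {"enabled": False}}}

if __name__ == "__main__":
    for f in check_storage_account(SAMPLE_ACCOUNT, SAMPLE_BLOB_SERVICE):
        print(f"{f.check} [{f.severity}] {SAMPLE_ACCOUNT['name']}: {f.message}")
```

Feed it the output of `az storage account show` and `az storage account blob-service-properties show` to audit real accounts; any AZ-ST-001 finding should block deployment.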
## AZ-ST-003: Enable diagnostic settings to Log Analytics workspace
Severity: Recommended
Rationale: Audit trail for storage access and performance monitoring
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.Storage/storageAccounts
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/diagnosticSettings | diag-storage | Diagnostic settings for blob storage to Log Analytics |
## AZ-ST-004: Configure lifecycle management policies for cost optimization
Severity: Recommended
Rationale: Automatically tier or delete blobs based on age and access patterns
Agents: cloud-architect, terraform-agent, bicep-agent, cost-analyst
- Microsoft.Storage/storageAccounts
## AZ-ST-005: Configure zone-redundant or geo-zone-redundant storage replication
Severity: Recommended
Rationale: WAF Reliability: ZRS replicates across availability zones; GZRS adds cross-region protection for maximum durability and availability during outages
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Storage/storageAccounts
## AZ-ST-006: Enable point-in-time restore for block blob data protection
Severity: Recommended
Rationale: WAF Reliability: Point-in-time restore protects against accidental blob deletion or corruption, allowing restoration of block blob data to an earlier state
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Storage/storageAccounts
## AZ-ST-007: Apply an Azure Resource Manager lock on the storage account
Severity: Recommended
Rationale: WAF Security: Locking the account prevents accidental deletion and resulting data loss
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Storage/storageAccounts
## AZ-ST-008: Enable immutability policies for compliance-critical blob data
Severity: Recommended
Rationale: WAF Security: Immutability policies protect blobs stored for legal, compliance, or other business purposes from being modified or deleted
Agents: cloud-architect, terraform-agent, bicep-agent, security-reviewer
- Microsoft.Storage/storageAccounts