Storage - oWretch/policy GitHub Wiki
Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
---|---|---|---|---|---|---|---|---|---|---|
Storage | **Allowed Copy scope should be restricted for Storage Accounts** Azure Storage accounts should restrict the allowed copy scope. Enforce this for increased data exfiltration protection. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Storage | **Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS** Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enforcing a minimal TLS version secures the server-to-client connection; securing the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage. | DeployIfNotExists Disabled | | | | | | | | |
Storage | **Configure a private DNS Zone ID for blob groupID** Configure private DNS zone group to override the DNS resolution for a blob groupID private endpoint. | DeployIfNotExists Disabled | | | | | | | | |
Storage | **Configure a private DNS Zone ID for blob_secondary groupID** Configure private DNS zone group to override the DNS resolution for a blob_secondary groupID private endpoint. | DeployIfNotExists Disabled | | | | | | | | |
Storage | **Configure a private DNS Zone ID for dfs groupID** Configure private DNS zone group to override the DNS resolution for a dfs groupID private endpoint. | DeployIfNotExists Disabled | | | | | | | | |
Storage | **Configure a private DNS Zone ID for dfs_secondary groupID** Configure private DNS zone group to override the DNS resolution for a dfs_secondary groupID private endpoint. | DeployIfNotExists Disabled | | | | | | | | |
Storage | **Configure a private DNS Zone ID for file groupID** Configure private DNS zone group to override the DNS resolution for a file groupID private endpoint. | DeployIfNotExists Disabled | | | | | | | | |
Storage | **Configure a private DNS Zone ID for queue groupID** Configure private DNS zone group to override the DNS resolution for a queue groupID private endpoint. | DeployIfNotExists Disabled | | | | | | | | |
Storage | **Configure a private DNS Zone ID for queue_secondary groupID** Configure private DNS zone group to override the DNS resolution for a queue_secondary groupID private endpoint. | DeployIfNotExists Disabled | | | | | | | | |
Storage | **Configure a private DNS Zone ID for table groupID** Configure private DNS zone group to override the DNS resolution for a table groupID private endpoint. | DeployIfNotExists Disabled | | | | | | | | |
Storage | **Configure a private DNS Zone ID for table_secondary groupID** Configure private DNS zone group to override the DNS resolution for a table_secondary groupID private endpoint. | DeployIfNotExists Disabled | | | | | | | | |
Storage | **Configure a private DNS Zone ID for web groupID** Configure private DNS zone group to override the DNS resolution for a web groupID private endpoint. | DeployIfNotExists Disabled | | | | | | | | |
Storage | **Configure a private DNS Zone ID for web_secondary groupID** Configure private DNS zone group to override the DNS resolution for a web_secondary groupID private endpoint. | DeployIfNotExists Disabled | | | | | | | | |
Storage | **Configure Azure File Sync to use private DNS zones** To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s). | DeployIfNotExists Disabled | | | | | | | | |
Storage | **Configure storage accounts to disable public network access** To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Modify Disabled | Modify Disabled | | | | | | | |
Storage | **Configure your Storage account public access to be disallowed** Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Modify Disabled | Modify Disabled | | | | | | | |
Storage | **Deploy Defender for Storage (Classic) on storage accounts** This policy enables Defender for Storage (Classic) on storage accounts. | DeployIfNotExists Disabled | DeployIfNotExists Disabled | | | | | | | |
Storage | **Deploy SA Availability Alert** Policy to audit/deploy SA Availability Alert. | deployIfNotExists disabled | deployIfNotExists disabled | deployIfNotExists disabled | | | | | | |
Storage | **Encryption for storage services should be enforced for Storage Accounts** Azure Storage accounts should enforce encryption for all storage services. Enforce this for increased encryption scope. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Storage | **Local users should be restricted for Storage Accounts** Azure Storage accounts should disable local users for features like SFTP. Enforce this for increased data exfiltration protection. | Disabled Deny Audit | Disabled Deny Audit | | | | | | | |
Storage | **Modify - Configure Azure File Sync to disable public network access** The Azure File Sync internet-accessible public endpoint is disabled by your organizational policy. You may still access the Storage Sync Service via its private endpoint(s). | Modify Disabled | Modify Disabled | | | | | | | |
Storage | **Network ACL bypass option should be restricted for Storage Accounts** Azure Storage accounts should restrict the bypass option for service-level network ACLs. Enforce this for increased data exfiltration protection. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Storage | **Public network access should be disabled for Azure File Sync** Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined for approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint; however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly. | Deny Disabled Audit | | | | | | | | |
Storage | **Queue Storage should use customer-managed key for encryption** Secure your queue storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Storage | **Resource Access Rules resource IDs should be restricted for Storage Accounts** Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. Enforce this for increased data exfiltration protection. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Storage | **Resource Access Rules Tenants should be restricted for Storage Accounts** Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from the same AAD tenant. Enforce this for increased data exfiltration protection. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Storage | **Secure transfer to storage accounts should be enabled** Audit the requirement for secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit Deny Disabled | | | | | | | | |
Storage | **Storage account encryption scopes should use customer-managed keys to encrypt data at rest** Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about storage account encryption scopes at https://aka.ms/encryption-scopes-overview. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Storage | **Storage account encryption scopes should use double encryption for data at rest** Enable infrastructure encryption for encryption at rest of your storage account encryption scopes for added security. Infrastructure encryption ensures that your data is encrypted twice. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Storage | **Storage account keys should not be expired** Ensure that storage account keys have not expired when a key expiration policy is set, improving the security of account keys by taking action when keys have expired. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Storage | **Storage account public access should be disallowed** Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | audit deny disabled | Deny deny disabled audit | | | | | | | |
Storage | **Storage accounts should be migrated to new Azure Resource Manager resources** Use the new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled | | | | | | |
Storage | **Storage accounts should disable public network access** To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Deny Disabled Audit | | | | | | | | |
Storage | **Storage accounts should have infrastructure encryption** Enable infrastructure encryption for a higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Storage | **Storage accounts should have the specified minimum TLS version** Configure a minimum TLS version for secure communication between the client application and the storage account. To minimize security risk, the recommended minimum TLS version is the latest released version, which is currently TLS 1.2. | Deny Disabled Audit | | | | | | | | |
Storage | **Storage accounts should prevent cross tenant object replication** Audit restriction of object replication for your storage account. By default, users can configure object replication with a source storage account in one Azure AD tenant and a destination account in a different tenant. This is a security concern because the customer's data can be replicated to a storage account that is not owned by the customer. By setting allowCrossTenantReplication to false, object replication can be configured only if both source and destination accounts are in the same Azure AD tenant. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Storage | **Storage accounts should prevent shared key access** Audit the requirement that Azure Active Directory (Azure AD) be used to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled | | | | | | |
Storage | **Storage Accounts should restrict CORS rules** Deny CORS rules for storage accounts for increased data exfiltration protection and endpoint protection. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Storage | **Storage accounts should restrict network access** Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Deny Disabled Audit | Deny Disabled Audit | Disabled Deny Audit | | | | | | |
Storage | **Storage accounts should restrict network access using virtual network rules** Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled | | | | | | |
Storage | **Storage Accounts should use a container delete retention policy** Enforce container delete retention policies longer than seven days for storage accounts. Enable this for increased data loss protection. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Storage | **Storage accounts should use customer-managed key for encryption** Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit Disabled | Audit Disabled | Disabled Audit | | | | | | |
Storage | **Storage accounts should use private link** Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at https://aka.ms/azureprivatelinkoverview. | AuditIfNotExists Disabled | | | | | | | | |
Storage | **Storage Accounts with SFTP enabled should be denied** This policy denies the creation of Storage Accounts with SFTP enabled for Blob Storage. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Storage | **Table Storage should use customer-managed key for encryption** Secure your table storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Storage | **Virtual network rules should be restricted for Storage Accounts** Azure Storage accounts should restrict the virtual network service-level network ACLs. Enforce this for increased data exfiltration protection. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
---|---|---|---|---|---|---|---|---|---|---|
Storage | **Allowed Copy scope should be restricted for Storage Accounts** | storageAccountsAllowedCopyScope = AAD | storageAccountsAllowedCopyScope = AAD | | | | | | | |
Storage | **Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS** | StorageMinimumTlsVersion = TLS1_2 | | | | | | | | |
Storage | **Configure a private DNS Zone ID for blob groupID** | azureStorageBlobPrivateDnsZoneId = --DNSZonePrefix--privatelink.blob.core.... | | | | | | | | |
Storage | **Configure a private DNS Zone ID for blob_secondary groupID** | azureStorageBlobSecPrivateDnsZoneId = --DNSZonePrefix--privatelink.blob.core.... | | | | | | | | |
Storage | **Configure a private DNS Zone ID for dfs groupID** | azureStorageDFSPrivateDnsZoneId = --DNSZonePrefix--privatelink.dfs.core.w... | | | | | | | | |
Storage | **Configure a private DNS Zone ID for dfs_secondary groupID** | azureStorageDFSSecPrivateDnsZoneId = --DNSZonePrefix--privatelink.dfs.core.w... | | | | | | | | |
Storage | **Configure a private DNS Zone ID for file groupID** | azureStorageFilePrivateDnsZoneId = --DNSZonePrefix--privatelink.file.core.... | | | | | | | | |
Storage | **Configure a private DNS Zone ID for queue groupID** | azureStorageQueuePrivateDnsZoneId = --DNSZonePrefix--privatelink.queue.core... | | | | | | | | |
Storage | **Configure a private DNS Zone ID for queue_secondary groupID** | azureStorageQueueSecPrivateDnsZoneId = --DNSZonePrefix--privatelink.queue.core... | | | | | | | | |
Storage | **Configure a private DNS Zone ID for table groupID** | azureStorageTablePrivateDnsZoneId = --DNSZonePrefix--privatelink.table.core... | | | | | | | | |
Storage | **Configure a private DNS Zone ID for table_secondary groupID** | azureStorageTableSecondaryPrivateDnsZoneId = --DNSZonePrefix--privatelink.table.core... | | | | | | | | |
Storage | **Configure a private DNS Zone ID for web groupID** | azureStorageStaticWebPrivateDnsZoneId = --DNSZonePrefix--privatelink.web.core.w... | | | | | | | | |
Storage | **Configure a private DNS Zone ID for web_secondary groupID** | azureStorageStaticWebSecPrivateDnsZoneId = --DNSZonePrefix--privatelink.web.core.w... | | | | | | | | |
Storage | **Configure Azure File Sync to use private DNS zones** | azureFilePrivateDnsZoneId = --DNSZonePrefix--privatelink.afs.azure.net | | | | | | | | |
Storage | **Deploy SA Availability Alert** | StorageAccountAvailabilityAlertState = true; StorageAccountAvailabilityWindowSize = PT5M; StorageAccountAvailabilityAlertSeverity = 1; StorageAccountAvailabilityFrequency = PT5M; StorageAccountAvailabilityThreshold = 90 | StorageAccountAvailabilityAlertState = true; StorageAccountAvailabilityWindowSize = PT5M; StorageAccountAvailabilityAlertSeverity = 1; StorageAccountAvailabilityFrequency = PT5M; StorageAccountAvailabilityThreshold = 90 | StorageAccountAvailabilityAlertState = true; StorageAccountAvailabilityWindowSize = PT5M; StorageAccountAvailabilityAlertSeverity = 1; StorageAccountAvailabilityFrequency = PT5M; StorageAccountAvailabilityThreshold = 90 | | | | | | |
Storage | **Network ACL bypass option should be restricted for Storage Accounts** | storageAllowedNetworkAclsBypass = ["None"] | storageAllowedNetworkAclsBypass = ["None"] | | | | | | | |
Storage | **Storage Accounts should use a container delete retention policy** | storageMinContainerDeleteRetentionInDays = 7 | storageMinContainerDeleteRetentionInDays = 7 | | | | | | | |