πŸ“ Azure Storage Account Private Endpoints are not used 🟒

  • Contextual name: πŸ“ Private Endpoints are not used 🟒
  • ID: /ce/ca/azure/storage/private-endpoints-used-to-access-storage
  • Located in: πŸ“ Azure Storage

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-a7d8f0e71

Logic

Description

Use private endpoints for your Azure Storage accounts so that clients and services reach the data over an encrypted Private Link instead of a public endpoint. The private endpoint takes an IP address from your VNet for each storage service, so traffic between the services traverses the VNet encrypted. The VNet can also be linked to other address spaces, extending your network to reach resources on them, or tunnelled across public networks to connect remote infrastructures. Segmenting network traffic in this way adds security by keeping outside sources from reaching it.

Rationale

Securing traffic between services through encryption protects the data from easy interception and reading.

Impact

A Private Endpoint costs approximately US$7.30 per month. If an Azure Virtual Network is not implemented correctly, this may result in the loss of critical network traffic.

Audit

From Azure Portal

  1. Open the Storage Accounts blade.
  2. For each listed Storage Account, perform the following check.

Remediation

From Azure Portal

  1. Open the Storage Accounts blade.
  2. For each listed Storage Account, perform the following:
  3. Under the Security + networking heading, click on Networking.
  4. Click on the Private Endpoint Connections tab at the top of the networking window.
  5. Click the + Private endpoint button.
  6. In the 1 - Basics tab/step:
    • Enter a name that is easily recognizable as associated with the Storage Account (the "Network Interface Name" is completed automatically, but can be customized if needed).
    • Ensure that the Region matches the region of the Storage Account.
    • Click Next.
  7. In the 2 - Resource tab/step:
    • Select the target sub-resource based on what type of storage resource is being made available.
    • Click Next.
  8. In the 3 - Virtual Network tab/step:
    • Select the Virtual network that your Storage Account will be connecting to.
    • Select the Subnet that your Storage Account will be connecting to.
    • (Optional) Select other network settings as appropriate for your environment.
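The audit counterpart of the steps above, as an added example that is not Cloudaware's policy code or the benchmark's own procedure: it evaluates the JSON that `az storage account list -o json` returns and flags accounts with no approved private endpoint connection. The field names `privateEndpointConnections` and `privateLinkServiceConnectionState.status` are assumed from the Azure CLI output schema, and the sample accounts are constructed.

```python
"""Flag Azure Storage Accounts that are not reachable through an approved
private endpoint. Added example; field names are assumed from the Azure CLI
output for `az storage account list -o json`."""
import json
import sys
from typing import Dict, List

# Constructed sample resembling `az storage account list -o json` output.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stprodlogs",
   "privateEndpointConnections": [
     {"privateEndpoint": {"id": "/subscriptions/SUB/.../pe-stprodlogs-blob"},
      "privateLinkServiceConnectionState": {"status": "Approved"}}]},
  {"name": "stdevscratch", "privateEndpointConnections": []},
  {"name": "stpendingpe",
   "privateEndpointConnections": [
     {"privateEndpoint": {"id": "/subscriptions/SUB/.../pe-stpendingpe-blob"},
      "privateLinkServiceConnectionState": {"status": "Pending"}}]}
]
"""


def connection_status(conn: dict) -> str:
    """Status string of one private endpoint connection ('?' if absent)."""
    state = conn.get("privateLinkServiceConnectionState") or {}
    return str(state.get("status") or "?")


def has_approved_private_endpoint(account: dict) -> bool:
    """True if at least one private endpoint connection is Approved."""
    conns = account.get("privateEndpointConnections") or []
    return any(connection_status(c).lower() == "approved" for c in conns)


def audit(accounts: List[dict]) -> Dict[str, str]:
    """Map each non-compliant account name to the reason it was flagged."""
    findings: Dict[str, str] = {}
    for acct in accounts:
        conns = acct.get("privateEndpointConnections") or []
        if not conns:
            findings[acct["name"]] = "no private endpoint connection"
        elif not has_approved_private_endpoint(acct):
            statuses = ", ".join(sorted({connection_status(c) for c in conns}))
            findings[acct["name"]] = f"private endpoint not approved: {statuses}"
    return findings


def audit_json(text: str) -> Dict[str, str]:
    """Parse CLI JSON output and audit every account in it."""
    return audit(json.loads(text))


if __name__ == "__main__":
    # Reads real CLI output from stdin; falls back to the sample when run interactively.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ACCOUNTS_JSON
    for name, reason in audit_json(text).items():
        print(f"FAIL {name}: {reason}")
```

Run it against a live subscription with `az storage account list -o json | python3 audit_pe.py`; an account passes only when it has at least one Approved private endpoint connection.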

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 APRA CPG 234 → 💼 36f network design — to ensure authorised network traffic flows and to reduce the impact of security compromises;2829
💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.3436
💼 CIS Azure v2.1.0 → 💼 3.10 Ensure Private Endpoints are used to access Storage Accounts - Level 1 (Automated)1
💼 CIS Azure v3.0.0 → 💼 4.9 Ensure Private Endpoints are used to access Storage Accounts (Automated)1
💼 Cloudaware Framework → 💼 Secure Access43
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1139
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)39
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3539
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet3537