
🛡️ Azure Storage Account Private Endpoints are not used

✉️ dec-x-a7d8f0e71

Description

Use private endpoints for your Azure Storage accounts so that clients and services access the data over an encrypted Private Link instead of the public endpoint. To do this, the private endpoint takes an IP address from the VNet for each storage service. Network traffic between the services then traverses the VNet encrypted. The VNet can also link address spaces, extending your network and reaching resources on it, or act as a tunnel across public networks to connect remote infrastructures. Segmenting network traffic this way adds security by preventing outside sources from reaching it.

Rationale

Securing traffic between services through encryption protects the data from easy interception and reading.

Impact

If an Azure Virtual Network is not implemented correctly, this may result in the loss of critical network traffic.

Private endpoints are charged per hour of use. Refer to https://azure.microsoft.com/en-us/pricing/details/private-link/ and https://azure.microsoft.com/en-us/pricing/calculator/ to estimate potential costs.


Remediation

From Azure Portal

  1. Open the Storage Accounts blade.
  2. For each listed Storage Account, perform the following:
  3. Under the Security + networking heading, click on Networking.
  4. Click on the Private Endpoint Connections tab at the top of the networking window.
  5. Click the + Private endpoint button.
  6. In the 1 - Basics tab/step:
    • Enter a name that will be easily recognizable as associated with the Storage Account (Note: The "Network Interface Name" will be automatically completed, but you can customize it if needed.).
    • Ensure that the Region matches the region of the Storage Account.
    • Click Next.
  7. In the 2 - Resource tab/step:
    • Select the target sub-resource based on what type of storage resource is being made available.
    • Click Next.
  8. In the 3 - Virtual Network tab/step:
    • Select the Virtual network that your Storage Account will be connecting to.
    • Select the Subnet that your Storage Account will be connecting to.
    • (Optional) Select other network settings as appropriate for your environment.
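The portal steps above add a private endpoint; the audit side of this rule (whether an account actually has one in use) is not shown on the page. The following Python script is an added example, not the page's or Cloudaware's policy logic. It evaluates a constructed list of storage accounts shaped like `az storage account list -o json` output and reports, per account, whether an approved private endpoint connection exists. It also flags accounts whose public endpoint is still reachable, because adding a private endpoint by itself does not close public network access. The field names `privateEndpointConnections`, `privateLinkServiceConnectionState.status`, `publicNetworkAccess` and `networkRuleSet.defaultAction` are assumptions about the CLI output shape and should be verified against your CLI version.

```python
import json

# Constructed sample, shaped like `az storage account list -o json` output.
# Only the fields the check reads are present; the field names are assumed,
# not taken from the page. Account names are made up.
SAMPLE_ACCOUNTS_JSON = """
[
  {
    "name": "stprodlogs",
    "resourceGroup": "rg-prod",
    "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"defaultAction": "Deny"},
    "privateEndpointConnections": [
      {"name": "pe-stprodlogs-blob",
       "privateLinkServiceConnectionState": {"status": "Approved"}}
    ]
  },
  {
    "name": "stdevscratch",
    "resourceGroup": "rg-dev",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow"},
    "privateEndpointConnections": []
  },
  {
    "name": "stpendingpe",
    "resourceGroup": "rg-prod",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Deny"},
    "privateEndpointConnections": [
      {"name": "pe-stpendingpe-blob",
       "privateLinkServiceConnectionState": {"status": "Pending"}}
    ]
  }
]
"""


def has_approved_private_endpoint(account):
    """True if at least one private endpoint connection is in the Approved state.
    A Pending or Rejected connection does not carry traffic, so it does not count."""
    for conn in account.get("privateEndpointConnections") or []:
        state = conn.get("privateLinkServiceConnectionState") or {}
        if state.get("status") == "Approved":
            return True
    return False


def public_access_open(account):
    """True if the account's public endpoint still accepts traffic:
    public network access is not disabled and the firewall default action is not Deny."""
    if account.get("publicNetworkAccess", "Enabled") == "Disabled":
        return False
    rules = account.get("networkRuleSet") or {}
    return rules.get("defaultAction", "Allow") != "Deny"


def evaluate(accounts):
    """Return a list of (account name, "PASS"/"FAIL", list of findings)."""
    results = []
    for acct in accounts:
        findings = []
        if not has_approved_private_endpoint(acct):
            findings.append("no approved private endpoint connection")
        if public_access_open(acct):
            findings.append("public network access still open")
        results.append((acct["name"], "FAIL" if findings else "PASS", findings))
    return results


def evaluate_json(text):
    """Parse CLI-style JSON and evaluate every account in it."""
    return evaluate(json.loads(text))


if __name__ == "__main__":
    for name, status, findings in evaluate_json(SAMPLE_ACCOUNTS_JSON):
        detail = "; ".join(findings) if findings else "private endpoint in use, public access closed"
        print(f"{status}  {name}: {detail}")
```

To run it against a real subscription, replace the embedded sample with the output of `az storage account list -o json`. The second finding is the caveat worth keeping: an account with an approved private endpoint but `publicNetworkAccess` still Enabled and a default `Allow` rule is reachable from the internet exactly as before.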



Linked Framework Sections

Section | Sub Sections / Internal Rules / Policies / Flags (counts, fused as extracted) | Compliance
💼 APRA CPG 234 → 💼 36f network design — to ensure authorised network traffic flows and to reduce the impact of security compromises; | 2930 | no data
💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions. | 3537 | no data
💼 CIS Azure v2.1.0 → 💼 3.10 Ensure Private Endpoints are used to access Storage Accounts - Level 1 (Automated) | 1 | no data
💼 CIS Azure v3.0.0 → 💼 4.9 Ensure Private Endpoints are used to access Storage Accounts (Automated) | 1 | no data
💼 CIS Azure v4.0.0 → 💼 10.3.2.1 Ensure Private Endpoints are used to access Storage Accounts (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Secure Access | 57 | no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) | 1148 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) | 48 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement: Physical or Logical Separation of Information Flows | 3748 | no data
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet | 3638 | no data