💼 4 Storage Accounts

  • Contextual name: 💼 4 Storage Accounts
  • ID: /frameworks/cis-azure-v3.0.0/04
  • Located in: 💼 CIS Azure v3.0.0

Description

This section covers the security recommendations for configuring storage account policies on an Azure subscription. An Azure storage account provides a unique namespace in which to store and access Azure Storage data objects.

Similar

Sub Sections

| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| 💼 4.1 Ensure that 'Secure transfer required' is set to 'Enabled' (Automated) | | 1 | | |
| 💼 4.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' (Automated) | | 1 | | |
| 💼 4.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account (Manual) | | 1 | | |
| 💼 4.4 Ensure that Storage Account Access Keys are Periodically Regenerated (Manual) | | 1 | | |
| 💼 4.5 Ensure that Shared Access Signature Tokens Expire Within an Hour (Manual) | | 1 | | |
| 💼 4.6 Ensure that 'Public Network Access' is 'Disabled' for storage accounts (Automated) | | 1 | | |
| 💼 4.7 Ensure Default Network Access Rule for Storage Accounts is Set to Deny (Automated) | | 1 | | |
| 💼 4.8 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access (Automated) | | 1 | | |
| 💼 4.9 Ensure Private Endpoints are used to access Storage Accounts (Automated) | | 1 | | |
| 💼 4.10 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage (Automated) | | 1 | | |
| 💼 4.11 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK) (Manual) | | 1 | | |
| 💼 4.12 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests (Automated) | | 1 | | |
| 💼 4.13 Ensure Storage Logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests (Automated) | | 1 | | |
| 💼 4.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests (Automated) | | 1 | | |
| 💼 4.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' (Automated) | | 1 | | |
| 💼 4.16 Ensure 'Cross Tenant Replication' is not enabled (Automated) | | 1 | | |
| 💼 4.17 Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' (Automated) | | 1 | | |
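Most of the controls above are properties of the storage account resource itself, so they can be evaluated offline from the JSON that `az storage account show` returns. The evaluator below is an added example, not code from this page or from CIS; it checks the account-level controls (4.1 to 4.9, 4.11, 4.15 to 4.17) against a constructed weak account and a constructed hardened account. Field names (`enableHttpsTrafficOnly`, `networkRuleSet.defaultAction`, `sasPolicy.sasExpirationPeriod`, `keyPolicy.keyExpirationPeriodInDays`, `keyCreationTime`, and so on) are assumed from the CLI output shape and should be verified against your CLI version; the 90-day key age threshold for 4.4 is an assumed value. Soft delete (4.10) and service logging (4.12 to 4.14) live on the blob service properties and diagnostic settings, not on this resource, so they are deliberately out of scope here.

```python
"""Offline evaluator for the account-level CIS Azure v3.0.0 section 4 controls.

Input is the JSON shape returned by `az storage account show` (field names are
assumptions; verify against your CLI version). Sample accounts are constructed.
"""
from datetime import datetime, timedelta, timezone


def _get(obj, *path):
    """Walk nested dicts; return None if any key is missing or a level is null."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def _sas_period_hours(period):
    """sasPolicy.sasExpirationPeriod is 'DD.HH:MM:SS' (day part optional); return hours."""
    if not period:
        return None
    days, _, hms = period.partition(".")
    if not hms:                      # no day component, e.g. '00:30:00'
        days, hms = "0", days
    h, m, s = (int(x) for x in hms.split(":"))
    return int(days) * 24 + h + m / 60 + s / 3600


def _keys_recent(acct, now, max_days=90):
    """4.4: every access key created within max_days (90 is an assumed threshold)."""
    times = _get(acct, "keyCreationTime") or {}
    if not times:
        return False
    for ts in times.values():
        if ts is None:
            return False
        created = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if now - created > timedelta(days=max_days):
            return False
    return True


def evaluate(acct, now=None):
    """Map each CIS control ID to True (pass) or False (fail) for one account."""
    now = now or datetime.now(timezone.utc)
    sas_hours = _sas_period_hours(_get(acct, "sasPolicy", "sasExpirationPeriod"))
    rotation_days = _get(acct, "keyPolicy", "keyExpirationPeriodInDays")
    bypass = _get(acct, "networkRuleSet", "bypass") or ""
    return {
        "4.1": _get(acct, "enableHttpsTrafficOnly") is True,
        "4.2": _get(acct, "encryption", "requireInfrastructureEncryption") is True,
        "4.3": isinstance(rotation_days, int) and rotation_days > 0,
        "4.4": _keys_recent(acct, now),
        "4.5": sas_hours is not None and 0 < sas_hours <= 1,
        "4.6": _get(acct, "publicNetworkAccess") == "Disabled",
        "4.7": _get(acct, "networkRuleSet", "defaultAction") == "Deny",
        "4.8": "AzureServices" in bypass,          # bypass may be a comma list
        "4.9": bool(_get(acct, "privateEndpointConnections")),
        "4.11": _get(acct, "encryption", "keySource") == "Microsoft.Keyvault",
        "4.15": _get(acct, "minimumTlsVersion") in ("TLS1_2", "TLS1_3"),  # 1.3 is stricter
        "4.16": _get(acct, "allowCrossTenantReplication") is False,      # None (unset) fails
        "4.17": _get(acct, "allowBlobPublicAccess") is False,
    }


def failing(acct, now=None):
    """Control IDs that fail, in benchmark order."""
    return [cid for cid, ok in evaluate(acct, now).items() if not ok]


# Constructed sample inputs (not real accounts); fixed clock for repeatable key-age checks.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

WEAK = {
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_0",
    "allowBlobPublicAccess": True,
    "allowCrossTenantReplication": True,
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices"},
    "encryption": {"keySource": "Microsoft.Storage", "requireInfrastructureEncryption": False},
    "keyPolicy": None,
    "sasPolicy": None,
    "keyCreationTime": {"key1": "2023-06-01T00:00:00.000000+00:00",
                        "key2": "2023-06-01T00:00:00.000000+00:00"},
    "privateEndpointConnections": [],
}

HARDENED = {
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "allowBlobPublicAccess": False,
    "allowCrossTenantReplication": False,
    "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"defaultAction": "Deny", "bypass": "Logging, Metrics, AzureServices"},
    "encryption": {"keySource": "Microsoft.Keyvault", "requireInfrastructureEncryption": True},
    "keyPolicy": {"keyExpirationPeriodInDays": 90},
    "sasPolicy": {"sasExpirationPeriod": "0.01:00:00", "expirationAction": "Log"},
    "keyCreationTime": {"key1": "2024-11-15T09:30:00.000000+00:00",
                        "key2": "2024-12-01T09:30:00.000000+00:00"},
    "privateEndpointConnections": [{"id": "/subscriptions/example/privateEndpointConnections/pe-1"}],
}

if __name__ == "__main__":
    print("weak account fails:", failing(WEAK, NOW))
    print("hardened account fails:", failing(HARDENED, NOW))
```

To run it against a live account, pipe `az storage account show -n <name> -g <rg>` into `json.load` and pass the result to `failing`. Note that 4.5 only tests the account's SAS expiration policy; it cannot see the expiry baked into SAS tokens that were already minted, and 4.8 passes on the weak account because the trusted-services bypass is the portal default.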