
💼 10.3 Storage Accounts

  • Contextual name: 💼 10.3 Storage Accounts
  • ID: /frameworks/cis-azure-v4.0.0/10/03
  • Located in: 💼 10 Storage Services

Description

This section covers security best practice recommendations for Storage Accounts in Azure. The recommendations in this section apply to the Storage Account, but not to the Storage Services which may be running on that account. Use the Storage Account recommendations as a starting place for securing the account, then proceed to apply the recommendations from the storage services section(s) that are relevant to the storage services running on your account.

Storage Accounts are a family of account types that support different Storage Services. The Storage Account types and their supported services follow:

  • Standard general-purpose v2 supported services: Blob Storage (including Data Lake Storage), Queue Storage, Table Storage, and Azure Files.
  • Premium block blobs supported services: Blob Storage (including Data Lake Storage)
  • Premium file shares supported services: Azure Files
  • Premium page blobs supported services: Page blobs only

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 10.3.1 Secrets and Keys | 3
    💼 10.3.1.1 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account (Manual) | 1
    💼 10.3.1.2 Ensure that Storage Account access keys are periodically regenerated (Manual) | 1
    💼 10.3.1.3 Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled' (Automated) | 1
💼 10.3.2 Networking | 3
    💼 10.3.2.1 Ensure Private Endpoints are used to access Storage Accounts (Automated) | 1
    💼 10.3.2.2 Ensure that 'Public Network Access' is 'Disabled' for storage accounts (Automated) | 1
    💼 10.3.2.3 Ensure default network access rule for storage accounts is set to deny (Automated) | 1
💼 10.3.3 Identity and Access Management | 1
    💼 10.3.3.1 Ensure that 'Default to Microsoft Entra authorization in the Azure portal' is set to 'Enabled' (Automated) | 1
💼 10.3.4 Ensure that 'Secure transfer required' is set to 'Enabled' (Automated) | 1
💼 10.3.5 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access (Automated) | 1
💼 10.3.6 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage (Automated) | 1
💼 10.3.7 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' (Automated) | 1
💼 10.3.8 Ensure 'Cross Tenant Replication' is not enabled (Automated) | 1
💼 10.3.9 Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' (Automated) | 1
💼 10.3.10 Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts (Manual) | 1
💼 10.3.11 Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts (Manual) | 1
💼 10.3.12 Ensure Redundancy is set to 'geo-redundant storage (GRS)' on critical Azure Storage Accounts (Automated) | 1