-
Notifications
You must be signed in to change notification settings - Fork 329
/
Copy pathazure_storage_checklist.en.json
570 lines (570 loc) · 30.4 KB
/
azure_storage_checklist.en.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
{
"items": [
{
"category": "Security",
"subcategory": " Overview",
"text": "Consider the 'Azure security baseline for storage'",
"description": "Apply guidance from the Microsoft cloud security benchmark related to Storage",
"waf": "Security",
"service": "Storage",
"guid": "d237de14-3b16-4c21-b7aa-9b64604489a8",
"id": "A01.01",
"severity": "Medium",
"link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline"
},
{
"category": "Security",
"subcategory": "Networking",
"text": "Consider using private endpoints for Azure Storage",
"description": "Azure Storage by default has a public IP address and is Internet-reachable. Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet",
"waf": "Security",
"service": "Storage",
"guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b",
"id": "A02.01",
"severity": "High",
"graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != ('Succeeded') or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled') | extend compliant = (isnotnull(properties.privateEndpointConnections) and properties.privateEndpointConnections[0].properties.provisioningState == 'Succeeded' and properties.publicNetworkAccess == 'Disabled') | distinct id, compliant",
"link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints"
},
{
"category": "Security",
"subcategory": "Governance",
"text": "Ensure older storage accounts are not using 'classic deployment model'",
"description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. Ensure that there are no old storage accounts with classic deployment model in a subscription",
"waf": "Security",
"service": "Storage",
"guid": "30e37c3e-2971-41b2-963c-eee079b598de",
"id": "A03.01",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts"
},
{
"category": "Security",
"subcategory": "Governance",
"text": "Enable Microsoft Defender for all of your storage accounts",
"description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.",
"waf": "Security",
"service": "Storage",
"guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d",
"id": "A03.02",
"severity": "High",
"graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | project storageAccountId = id | join kind=leftouter (resourceContainers | where type == 'microsoft.security/pricings' | where name == 'StorageAccounts' | project resourceId = id, pricingTier = properties.pricingTier) on $left.storageAccountId == $right.resourceId | where isnull(pricingTier) or pricingTier != 'Standard' | extend compliant = false | distinct storageAccountId, compliant",
"link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure"
},
{
"category": "Security",
"subcategory": "Data Availability",
"text": "Enable 'soft delete' for blobs",
"description": "The soft-delete mechanism allows to recover accidentally deleted blobs.",
"waf": "Security",
"service": "Storage",
"guid": "503547c1-447e-4c66-828a-7100f1ce16dd",
"id": "A04.01",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview"
},
{
"category": "Security",
"subcategory": "Confidentiality",
"text": "Disable 'soft delete' for blobs",
"description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ",
"waf": "Security",
"service": "Storage",
"guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e",
"id": "A05.01",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable"
},
{
"category": "Security",
"subcategory": "Data Availability",
"text": "Enable 'soft delete' for containers",
"description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.",
"waf": "Security",
"service": "Storage",
"guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a",
"id": "A06.01",
"severity": "High",
"link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview"
},
{
"category": "Security",
"subcategory": "Confidentiality",
"text": "Disable 'soft delete' for containers",
"description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ",
"waf": "Security",
"service": "Storage",
"guid": "3e3453a3-c863-4964-ab65-2d6c15f51296",
"id": "A07.01",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable"
},
{
"category": "Security",
"subcategory": "Data Availability",
"text": "Enable resource locks on storage accounts",
"description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion",
"waf": "Security",
"service": "Storage",
"guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64",
"id": "A08.01",
"severity": "High",
"link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource"
},
{
"category": "Security",
"subcategory": "Data Availability, Compliance",
"text": "Consider immutable blobs",
"description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.",
"waf": "Security",
"service": "Storage",
"guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956",
"id": "A09.01",
"severity": "High",
"link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview"
},
{
"category": "Security",
"subcategory": "Networking",
"text": "Require HTTPS, i.e. disable port 80 on the storage account",
"description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ",
"waf": "Security",
"service": "Storage",
"guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0",
"id": "A10.01",
"severity": "High",
"graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (properties.supportsHttpsTrafficOnly == false) | distinct id, compliant",
"link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer"
},
{
"category": "Security",
"subcategory": "Networking",
"text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.",
"description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.",
"waf": "Security",
"service": "Storage",
"guid": "79b588de-fc49-472c-b3cd-21bf77036e5e",
"id": "A10.02",
"severity": "High",
"link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name"
},
{
"category": "Security",
"subcategory": "Networking",
"text": "Limit shared access signature (SAS) tokens to HTTPS connections only",
"description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.",
"waf": "Security",
"service": "Storage",
"guid": "6b4bed3d-5035-447c-8347-dc56028a71ff",
"id": "A10.03",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview"
},
{
"category": "Security",
"subcategory": "Networking",
"text": "Enforce the latest TLS version for a storage account",
"description": ". Enforcing the latest TLS version will reject request from clients using the older version. ",
"waf": "Security",
"service": "Storage",
"guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55",
"id": "A10.4",
"severity": "High",
"graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant",
"link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version"
},
{
"category": "Security",
"subcategory": "Identity and Access Management",
"text": "Use Microsoft Entra ID tokens for blob access",
"description": "Microsoft Entra ID tokens should be favored over shared access signatures, wherever possible",
"waf": "Security",
"service": "Storage",
"guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4",
"id": "A11.01",
"severity": "High",
"link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access"
},
{
"category": "Security",
"subcategory": "Identity and Access Management",
"text": "Least privilege in IaM permissions",
"description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data.",
"waf": "Security",
"service": "Storage",
"guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6",
"id": "A11.02",
"severity": "Medium"
},
{
"category": "Security",
"subcategory": "Identity and Access Management",
"text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.",
"description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. ",
"waf": "Security",
"service": "Storage",
"guid": "55461e1a-3e34-453a-9c86-39648b652d6c",
"id": "A11.03",
"severity": "High",
"link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas"
},
{
"category": "Security",
"subcategory": "Identity and Access Management",
"text": "Consider disabling storage account keys, so that only Microsoft Entra ID access (and user delegation SAS) is supported.",
"description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on Entra ID authentication makes it easier to tie storage access to a user. ",
"waf": "Security",
"service": "Storage",
"guid": "15f51296-5398-4e6d-bd22-7dd142b06c21",
"id": "A11.04",
"severity": "High",
"graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant",
"link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key"
},
{
"category": "Security",
"subcategory": "Monitoring",
"text": "Consider using Azure Monitor to audit control plane operations on the storage account",
"description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. storage account keys, access policies, etc.).",
"waf": "Security",
"service": "Storage",
"guid": "d7999a64-6f43-489a-af42-c78e78c06a73",
"id": "A12.01",
"severity": "High",
"link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity"
},
{
"category": "Security",
"subcategory": "Identity and Access Management",
"text": "When using storage account keys, consider enabling a 'key expiration policy'",
"description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.",
"waf": "Security",
"service": "Storage",
"guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1",
"id": "A13.01",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy"
},
{
"category": "Security",
"subcategory": "Identity and Access Management",
"text": "Consider configuring an SAS expiration policy",
"description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.",
"waf": "Security",
"service": "Storage",
"guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf",
"id": "A13.02",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy"
},
{
"category": "Security",
"subcategory": "Identity and Access Management",
"text": "Consider linking SAS to a stored access policy",
"description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. ",
"waf": "Security",
"service": "Storage",
"guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
"id": "A13.03",
"severity": "Medium",
"link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy"
},
{
"category": "Security",
"subcategory": "CI/CD",
"text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.",
"waf": "Security",
"service": "Storage",
"guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
"id": "A14.01",
"severity": "Medium",
"link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/"
},
{
"category": "Security",
"subcategory": "Identity and Access Management",
"text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)",
"description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.",
"waf": "Security",
"service": "Storage",
"guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
"id": "A15.01",
"severity": "High",
"link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys"
},
{
"category": "Security",
"subcategory": "Identity and Access Management",
"text": "Strive for short validity periods for ad-hoc SAS",
"description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.",
"waf": "Security",
"service": "Storage",
"guid": "27138b82-1102-4cac-9eae-01e6e842e52f",
"id": "A15.02",
"severity": "High",
"link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature"
},
{
"category": "Security",
"subcategory": "Identity and Access Management",
"text": "Apply a narrow scope to a SAS",
"description": "When creating a SAS, be as specific and restrictive as possible. Prefer a SAS for a single resource and operation over a SAS which gives much broader access.",
"waf": "Security",
"service": "Storage",
"guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c",
"id": "A15.03",
"severity": "Medium",
"link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature"
},
{
"category": "Security",
"subcategory": "Identity and Access Management",
"text": "Consider scoping SAS to a specific client IP address, wherever possible",
"description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. ",
"waf": "Security",
"service": "Storage",
"guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a",
"id": "A15.04",
"severity": "Medium",
"link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas"
},
{
"category": "Security",
"subcategory": "Identity and Access Management",
"text": "Consider checking uploaded data, after clients used a SAS to upload a file. ",
"description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.",
"waf": "Security",
"service": "Storage",
"guid": "348b263e-6dd6-4051-8a36-498f6dbad38e",
"id": "A15.05",
"severity": "Low"
},
{
"category": "Security",
"subcategory": "Identity and Access Management",
"text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.",
"description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint",
"waf": "Security",
"service": "Storage",
"guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8",
"id": "A15.06",
"severity": "High",
"link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model"
},
{
"category": "Security",
"subcategory": "Identity and Access Management",
"text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.",
"waf": "Security",
"service": "Storage",
"guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38",
"id": "A15.07",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization"
},
{
"category": "Security",
"subcategory": "Networking",
"text": "Avoid overly broad CORS policies",
"description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. When enabling CORS, keep the CorsRules to the least privilege.",
"waf": "Security",
"service": "Storage",
"guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3",
"id": "A16.01",
"severity": "High",
"link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services"
},
{
"category": "Security",
"subcategory": "Confidentiality and Encryption",
"text": "Determine how data at rest should be encrypted. Understand the thread model for data.",
"description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.",
"waf": "Security",
"service": "Storage",
"guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464",
"id": "A17.01",
"severity": "High",
"link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption"
},
{
"category": "Security",
"subcategory": "Confidentiality and Encryption",
"text": "Determine which/if platform encryption should be used.",
"waf": "Security",
"service": "Storage",
"guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6",
"id": "A17.02",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json"
},
{
"category": "Security",
"subcategory": "Confidentiality and Encryption",
"text": "Determine which/if client-side encryption should be used.",
"waf": "Security",
"service": "Storage",
"guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29",
"id": "A17.03",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys"
},
{
"category": "Security",
"subcategory": "Identity and Access Management",
"text": "Consider whether public blob anonymous access is needed, or whether it can be disabled for certain storage accounts. ",
"description": "Anonymous access may present a security risk. We recommend that you disable anonymous access for optimal security. Disallowing anonymous access helps to prevent data breaches caused by undesired anonymous access.",
"waf": "Security",
"service": "Storage",
"guid": "659ae558-b937-4d49-a5e1-112dbd7ba012",
"id": "A18.01",
"severity": "High",
"graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant",
"link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account"
},
{
"category": "Operations Management",
"subcategory": "Platform Version",
"text": "Leverage a storagev2 account type for better performance and reliability",
"waf": "Reliability",
"service": "Storage",
"guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243",
"id": "B01.01",
"severity": "High",
"link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal"
},
{
"category": "BC and DR",
"subcategory": "Availablity",
"text": "Leverage GRS, ZRS or GZRS storage for the highest availability",
"waf": "Reliability",
"service": "Storage",
"guid": "e05bbe20-9d49-4fda-9777-8424d116785c",
"id": "C01.01",
"severity": "High",
"graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (sku.name != 'Standard_LRS' and sku.name != 'Premium_LRS') | distinct id, compliant",
"link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy"
},
{
"category": "BC and DR",
"subcategory": "Failover",
"text": "For write operation after failover, use customer-Managed Failover ",
"waf": "Reliability",
"service": "Storage",
"guid": "2fa56c56-ad48-4408-be72-734c486ba280",
"id": "C01.02",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance"
},
{
"category": "Operations Management",
"subcategory": "Failover",
"text": "Understand Microsoft-Managed Failover details",
"waf": "Reliability",
"service": "Storage",
"guid": "dc0590cf-65de-48e1-909c-cbd579266bcc",
"id": "C01.03",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover"
},
{
"category": "Operations Management",
"subcategory": "Data Protection",
"text": "Enable Soft Delete",
"waf": "Reliability",
"service": "Storage",
"guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3",
"id": "C01.04",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal"
}
],
"categories": [
{
"name": "Identity and Access Management"
},
{
"name": "Network Topology and Connectivity"
},
{
"name": "BC and DR"
},
{
"name": "Governance and Security"
},
{
"name": "Cost Governance"
},
{
"name": "Operations Management"
},
{
"name": "Application Deployment"
},
{
"name": "Security"
}
],
"waf": [
{
"name": "Reliability"
},
{
"name": "Security"
},
{
"name": "Cost"
},
{
"name": "Operations"
},
{
"name": "Performance"
}
],
"yesno": [
{
"name": "Yes"
},
{
"name": "No"
}
],
"status": [
{
"name": "Not verified",
"description": "This check has not been looked at yet"
},
{
"name": "Open",
"description": "There is an action item associated to this check"
},
{
"name": "Fulfilled",
"description": "This check has been verified, and there are no further action items associated to it"
},
{
"name": "Not required",
"description": "Recommendation understood, but not needed by current requirements"
},
{
"name": "N/A",
"description": "Not applicable for current design"
}
],
"severities": [
{
"name": "High"
},
{
"name": "Medium"
},
{
"name": "Low"
}
],
"metadata": {
"name": "Azure Storage Review Checklist",
"state": "Preview",
"waf": "all",
"timestamp": "August 12, 2024"
}
}