Best practice rules for Storage Accounts
Trend Micro Cloud One™ – Conformity monitors Storage Accounts with the following rules:
- Allow Shared Access Signature Tokens Over HTTPS Only
Ensure that Shared Access Signature (SAS) tokens are allowed only over the HTTPS protocol.
- Check for Overly Permissive Stored Access Policies
Ensure that the stored access policies referenced by Azure Storage shared access signature (SAS) tokens do not grant more permissions than the token's consumer needs.
- Check for Publicly Accessible Web Containers
Ensure that Azure Storage containers created to host static websites are not publicly accessible.
- Check for Sufficient Soft Deleted Data Retention Period
Ensure there is a sufficient retention period configured for Azure Blob Storage soft deleted data.
- Configure Minimum TLS Version
Ensure that the "Minimum TLS version" setting is set to "Version 1.2" for all Azure Storage accounts.
- Disable Anonymous Access to Blob Containers
Ensure that anonymous access to blob containers is disabled within your Azure Storage account.
- Disable Cross-Tenant Object Replication
Ensure that cross-tenant object replication is disabled for your Azure Storage accounts.
- Disable Public Access to Storage Accounts with Blob Containers
Ensure that blob public access is disabled at the storage account level for accounts that hold blob containers; the account-level setting overrides any container-level access setting that would otherwise allow anonymous access.
- Enable Blob Storage Lifecycle Management
Ensure that Azure Blob Storage service has a lifecycle management policy configured.
- Enable Immutable Blob Storage
Ensure that critical Azure Blob Storage data is protected from deletion or modification by an immutability (write-once, read-many) policy.
- Enable Infrastructure Encryption
Ensure that infrastructure encryption is enabled for Microsoft Azure Storage accounts.
- Enable Logging for Azure Storage Blob Service
Ensure that storage logging is enabled for the Azure Storage Blob service.
- Enable Logging for Azure Storage Queue Service
Ensure that detailed storage logging is enabled for the Azure Storage Queue service.
- Enable Logging for Azure Storage Table Service
Ensure that storage logging is enabled for the Azure Storage Table service.
- Enable Secure Transfer in Azure Storage
Ensure that the "Secure transfer required" setting is enabled within your Azure Storage account configuration.
- Enable Soft Delete for Azure Blob Storage
Ensure that the Soft Delete feature is enabled for your Microsoft Azure Storage blob objects.
- Enable Trusted Microsoft Services for Storage Account Access
Allow trusted Microsoft services to bypass the storage account network rules, so that they can still reach the account once default network access is set to "Deny".
- Expire Shared Access Signature Tokens
Ensure that your Shared Access Signature (SAS) tokens expire within an hour.
- Limit Storage Account Access by IP Address
Ensure that Azure Storage account access is limited only to specific IP address(es).
- Private Endpoint in Use
Ensure that private endpoints are used to access Microsoft Azure Storage accounts.
- Regenerate Storage Account Access Keys Periodically
Regenerate storage account access keys periodically to help keep your storage account secure.
- Restrict Default Network Access for Storage Accounts
Ensure that the default network access rule is set to "Deny" within your Azure Storage account.
- Review Storage Accounts with Static Website Configuration
Ensure that Azure Storage Accounts with static website configuration are regularly reviewed (informational).
- Storage Account Encryption using Customer Managed Keys
Use Customer Managed Keys (CMKs) to encrypt data within Azure Storage accounts.
- Use BYOK for Storage Account Encryption
Use customer-managed keys (CMKs) for Microsoft Azure Storage account encryption.
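The rules above describe settings that can be read back from a single `az storage account show` call, so they lend themselves to an offline audit. The script below is an added example, not Trend Micro Conformity's or Microsoft's code: it takes a dict in the shape of the JSON returned by `az storage account show` (camelCase ARM properties such as `minimumTlsVersion`, `networkRuleSet.defaultAction`, `encryption.keySource`) and, optionally, the `deleteRetentionPolicy` object from `az storage account blob-service-properties show`, and reports which of the account-level rules fail. The two sample accounts are constructed, the 7-day soft-delete threshold is an assumed value rather than one taken from the rule text, and rules that need per-token or per-resource data (SAS expiry, diagnostic logging, key rotation) are out of scope here.

```python
"""Offline audit of an Azure Storage account against the account-level rules above.

Added example, not Conformity's or Microsoft's code. Input dicts mirror the JSON shape
of `az storage account show` / `az storage account blob-service-properties show`.
Missing properties are treated as the permissive value so the audit fails closed.
"""
from __future__ import annotations

TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}
MIN_SOFT_DELETE_DAYS = 7  # assumed threshold for a "sufficient" retention period


def audit_storage_account(acct: dict, blob_props: dict | None = None) -> list[str]:
    """Return one "Rule name: detail" string per failed rule (empty list if all pass)."""
    findings: list[str] = []

    def fail(rule: str, detail: str) -> None:
        findings.append(f"{rule}: {detail}")

    tls = acct.get("minimumTlsVersion", "TLS1_0")
    if TLS_ORDER.get(tls, -1) < TLS_ORDER["TLS1_2"]:
        fail("Configure Minimum TLS Version", f"minimumTlsVersion is {tls}")
    if not acct.get("enableHttpsTrafficOnly", False):
        fail("Enable Secure Transfer in Azure Storage", "enableHttpsTrafficOnly is false")
    if acct.get("allowBlobPublicAccess", True):
        fail("Disable Public Access to Storage Accounts with Blob Containers",
             "allowBlobPublicAccess is true")
    if acct.get("allowCrossTenantReplication", True):
        fail("Disable Cross-Tenant Object Replication", "allowCrossTenantReplication is true")

    net = acct.get("networkRuleSet") or {}
    if net.get("defaultAction") != "Deny":
        fail("Restrict Default Network Access for Storage Accounts",
             f"defaultAction is {net.get('defaultAction')}")
    # `bypass` is a comma-separated string in the ARM schema, e.g. "AzureServices, Logging".
    bypass = {b.strip() for b in (net.get("bypass") or "").split(",")}
    if "AzureServices" not in bypass:
        fail("Enable Trusted Microsoft Services for Storage Account Access",
             f"bypass is {net.get('bypass')!r}")
    if not net.get("ipRules"):
        fail("Limit Storage Account Access by IP Address", "no ipRules configured")

    enc = acct.get("encryption") or {}
    if not enc.get("requireInfrastructureEncryption", False):
        fail("Enable Infrastructure Encryption", "requireInfrastructureEncryption is false")
    if enc.get("keySource") != "Microsoft.Keyvault":
        fail("Storage Account Encryption using Customer Managed Keys",
             f"keySource is {enc.get('keySource')}")
    if not acct.get("privateEndpointConnections"):
        fail("Private Endpoint in Use", "no private endpoint connections")

    if blob_props is not None:
        sd = blob_props.get("deleteRetentionPolicy") or {}
        if not sd.get("enabled", False):
            fail("Enable Soft Delete for Azure Blob Storage", "deleteRetentionPolicy disabled")
        elif sd.get("days", 0) < MIN_SOFT_DELETE_DAYS:
            fail("Check for Sufficient Soft Deleted Data Retention Period",
                 f"retention is {sd.get('days')} days (assumed minimum {MIN_SOFT_DELETE_DAYS})")
    return findings


# Constructed sample: an account left at permissive settings.
WEAK_ACCOUNT = {
    "name": "stweakexample",
    "minimumTlsVersion": "TLS1_0",
    "enableHttpsTrafficOnly": False,
    "allowBlobPublicAccess": True,
    "allowCrossTenantReplication": True,
    "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices", "ipRules": []},
    "encryption": {"keySource": "Microsoft.Storage", "requireInfrastructureEncryption": False},
    "privateEndpointConnections": [],
}
WEAK_BLOB_PROPS = {"deleteRetentionPolicy": {"enabled": False}}

# Constructed sample: the same account after applying the rules above.
HARDENED_ACCOUNT = {
    "name": "sthardenedexample",
    "minimumTlsVersion": "TLS1_2",
    "enableHttpsTrafficOnly": True,
    "allowBlobPublicAccess": False,
    "allowCrossTenantReplication": False,
    "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices",
                       "ipRules": [{"action": "Allow", "value": "203.0.113.10"}]},
    "encryption": {"keySource": "Microsoft.Keyvault", "requireInfrastructureEncryption": True},
    "privateEndpointConnections": [{"id": "/subscriptions/.../privateEndpointConnections/pe1"}],
}
HARDENED_BLOB_PROPS = {"deleteRetentionPolicy": {"enabled": True, "days": 14}}


if __name__ == "__main__":
    for name, acct, props in (("weak", WEAK_ACCOUNT, WEAK_BLOB_PROPS),
                              ("hardened", HARDENED_ACCOUNT, HARDENED_BLOB_PROPS)):
        print(f"== {name} ==")
        for finding in audit_storage_account(acct, props) or ["all account-level rules pass"]:
            print(" -", finding)
```

To run this against a real account, pipe `az storage account show -n <name> -g <rg> -o json` and `az storage account blob-service-properties show -n <name> -g <rg> -o json` through `json.load` and pass the results in; the checks read only the properties named above. Treating an absent property as the permissive value is deliberate: an audit that silently passes on missing data is worse than one that reports a false positive.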