Microsoft Storage

Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes.

Asset Inventory

Design Guidance:

Microsoft.Storage/storageAccounts

Tags
Terraform
Tags-Additional Properties
Terraform

Identification and Authentication

Design Guidance:

Microsoft.Storage/storageAccounts

Identity-Type
Terraform

Transparent Data Encryption

Design Guidance:

Microsoft.Storage/storageAccounts

Blob-Enabled
Terraform
Blob-Key Type
Terraform

Protect Cryptographic Keys

Design Guidance:

Microsoft.Storage/storageAccounts

Encryption-Key Source
Terraform
Encryption-Keyvaultproperties
Terraform
Keyvaultproperties-Keyname
Terraform
Keyvaultproperties-Keyversion
Terraform
Keyvaultproperties-Keyvaulturi
Terraform

Firewalls

Design Guidance:

Microsoft.Storage/storageAccounts

Network Acls-Bypass
Terraform
Virtual Network Rules-Id
Terraform
Virtual Network Rules-Action
Terraform
Virtual Network Rules-State
Terraform

IP Whitelisting

Microsoft.Storage/storageAccounts

Network Acls-Ip Rules
Terraform
Ip Rules-Value
Terraform
Ip Rules-Action
Terraform
Network Acls-Default Action
Terraform

Design for High Availability

Design Guidance:

Microsoft.Storage/storageAccounts

Access Tier
Terraform

TLS

Design Guidance:

Microsoft.Storage/storageAccounts

Supports HTTPS Traffic Only
Terraform

Information Flow Routing

Microsoft.Storage/storageAccounts

Routing Preference-Routing Choice
Terraform
Routing Preference-Publish Microsoft Endpoints
Terraform
Routing Preference-Publish Internet Endpoints
Terraform

Secure Response Headers

Microsoft.Storage/storageAccounts/blobServices

Cors
Cors Rules-Allowed Methods

Microsoft.Storage/storageAccounts/fileServices

Cors Rules-Allowed Methods

CORS Headers

Microsoft.Storage/storageAccounts/blobServices

Cors-Cors Rules
Cors Rules-Allowed Origins
Cors Rules-Max Age In Seconds
Cors Rules-Exposed Headers
Cors Rules-Allowed Headers

Microsoft.Storage/storageAccounts/fileServices

Cors
Cors-Cors Rules
Cors Rules-Allowed Origins
Cors Rules-Max Age In Seconds
Cors Rules-Exposed Headers
Cors Rules-Allowed Headers

Data Retention

Microsoft.Storage/storageAccounts/blobServices

Delete Retention Policy-Enabled
Delete Retention Policy-Days

Backups

Design Guidance:

Microsoft.Storage/storageAccounts/blobServices

Automatic Snapshot Policy Enabled

Access Policy Enforcement

Microsoft.Storage/storageAccounts/blobServices/containers

Public Access

Use Enterprise Accounts and Disable Local Accounts

Microsoft.Storage/storageAccounts

Azure Files Identity Based Authentication-Active Directory Properties
Terraform
Active Directory Properties-Domain Name
Terraform
Active Directory Properties-Net Bios Domain Name
Terraform
Active Directory Properties-Forest Name
Terraform
Active Directory Properties-Domain Guid
Terraform
Active Directory Properties-Domain Sid
Terraform
Active Directory Properties-Azure Storage Sid
Terraform

Subnet Isolation

Design Guidance:

Microsoft.Storage/storageAccounts/privateEndpointConnections

Name
Private Link Service Connection State-Status
Private Link Service Connection State-Description
Private Link Service Connection State-Action Required

Microsoft.Storage/storageAccounts/privateEndpointConnections

Provisioning State