Microsoft Storage Accounts best practices

Best practice rules for Storage Accounts

Trend Micro Cloud One™ – Conformity monitors Storage Accounts with the following rules:

• Allow Shared Access Signature Tokens Over HTTPS Only

  Ensure that Shared Access Signature (SAS) tokens are allowed only over the HTTPS protocol.

• Check for Overly Permissive Stored Access Policies

  Ensure that Azure Storage shared access signature (SAS) tokens are not using overly permissive access policies.

• Check for Publicly Accessible Web Containers

  Ensure that Azure Storage containers created to host static websites aren't publicly accessible.

• Check for Sufficient Soft Deleted Data Retention Period

  Ensure there is a sufficient retention period configured for Azure Blob Storage soft deleted data.

• Configure Minimum TLS Version

  Ensure that the "Minimum TLS version" setting is set to "Version 1.2" for all Azure Storage accounts.

• Disable Anonymous Access to Blob Containers

  Ensure that anonymous access to blob containers is disabled within your Azure Storage account.

• Disable public access to storage accounts with blob containers

  Ensure that public access to blob containers is disabled for your Azure storage accounts to override any ACL configurations allowing access.

• Enable Blob Storage Lifecycle Management

  Ensure that Azure Blob Storage service has a lifecycle management policy configured.

• Enable Immutable Blob Storage

  Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification.

• Enable Infrastructure Encryption

  Ensure that infrastructure encryption is enabled for Microsoft Azure Storage accounts.

• Enable Logging for Azure Storage Blob Service

  Ensure that storage logging is enabled for the Azure Storage Blob service.

• Enable Logging for Azure Storage Queue Service

  Ensure that detailed storage logging is enabled for the Azure Storage Queue service.

• Enable Logging for Azure Storage Table Service

  Ensure that storage logging is enabled for the Azure Storage Table service.

• Enable Secure Transfer in Azure Storage

  Ensure that "Secure transfer required" security feature is enabled within your Azure Storage account configuration.

• Enable Soft Delete for Azure Blob Storage

  Ensure that Soft Delete feature is enabled for your Microsoft Azure Storage blob objects.

• Enable Trusted Microsoft Services for Storage Account Access

  Allow Trusted Microsoft Services to access your Azure Storage account resources.

• Expire Shared Access Signature Tokens

  Ensure that your Shared Access Signature (SAS) tokens expire within an hour.

• Limit Storage Account Access by IP Address

  Ensure that Azure Storage account access is limited only to specific IP address(es).

• Private Endpoint in Use

  Ensure that private endpoints are used to access Microsoft Azure Storage accounts.

• Regenerate Storage Account Access Keys Periodically

  Regenerate storage account access keys periodically to help keep your storage account secure.

• Restrict Default Network Access for Storage Accounts

  Ensure that the default network access rule is set to "Deny" within your Azure Storage account.

• Review Storage Accounts with Static Website Configuration

  Ensure that Azure Storage Accounts with static website configuration are regularly reviewed (informational).

• Storage Account Encryption using Customer Managed Keys

  Use Customer Managed Keys (CMKs) to encrypt data within Azure Storage accounts.

• Use BYOK for Storage Account Encryption

  Use customer-managed keys (CMKs) for Microsoft Azure Storage accounts encryption.