Best practice rules for Storage Accounts
Trend Micro Cloud One™ – Conformity monitors Storage Accounts with the following rules:
- Allow Shared Access Signature Tokens Over HTTPS Only
Ensure that Shared Access Signature (SAS) tokens are allowed only over the HTTPS protocol.
- Check for Overly Permissive Stored Access Policies
Ensure that Azure Storage shared access signature (SAS) tokens are not using overly permissive access policies.
- Check for Publicly Accessible Web Containers
Ensure that Azure Storage containers created to host static websites are not publicly accessible.
- Check for Sufficient Soft Deleted Data Retention Period
Ensure there is a sufficient retention period configured for Azure Blob Storage soft deleted data.
- Disable Anonymous Access to Blob Containers
Ensure that anonymous access to blob containers is disabled within your Azure Storage account.
- Enable Blob Storage Lifecycle Management
Ensure that the Azure Blob Storage service has a lifecycle management policy configured.
- Enable Immutable Blob Storage
Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification.
- Enable Logging for Azure Storage Queue Service
Ensure that detailed storage logging is enabled for the Azure Storage Queue service.
- Enable Secure Transfer in Azure Storage
Ensure that the "Secure transfer required" security feature is enabled within your Azure Storage account configuration.
- Enable Soft Delete for Azure Blob Storage
Ensure that the Soft Delete feature is enabled for your Microsoft Azure Storage blob objects.
- Enable Trusted Microsoft Services for Storage Account Access
Allow Trusted Microsoft Services to access your Azure Storage account resources.
- Expire Shared Access Signature Tokens
Ensure that your Shared Access Signature (SAS) tokens expire within an hour.
- Limit Storage Account Access by IP Address
Ensure that Azure Storage account access is limited to specific IP addresses.
- Regenerate Storage Account Access Keys Periodically
Regenerate storage account access keys periodically to help keep your storage account secure.
- Restrict Default Network Access for Storage Accounts
Ensure that the default network access rule is set to "Deny" within your Azure Storage account.
- Review Storage Accounts with Static Website Configuration
Ensure that Azure Storage Accounts with static website configuration are regularly reviewed (informational).
- Use BYOK for Storage Account Encryption
Use customer-managed keys (CMKs) for Microsoft Azure Storage account encryption.