Framework/Configurations/SVT/Services/Storage.json

{
  "FeatureName": "Storage",
  "Reference": "aka.ms/azsktcp/storage",
  "IsMaintenanceMode": false,
  "Controls": [
   {
      "ControlID": "Azure_Storage_AuthN_Dont_Allow_Anonymous",
      "Description": "The Access Type for containers must not be set to 'Anonymous'",
      "Id": "AzureStorage110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckStorageContainerPublicAccessTurnOff",
      "Rationale": "Data in containers that have anonymous access can be downloaded by anyone on the internet without authentication. This can lead to a compromise of corporate data.",
      "Recommendation": "Run command 'Set-AzureStorageContainerAcl -Name '<ContainerName>' -Permission 'Off' -Context '<StorageContext>''. Run 'Get-Help Set-AzureStorageContainerAcl -full' for more help.",
      "Tags": [
         "SDL",
         "TCP",
         "Automated",
         "AuthN",
         "StandardSku",
         "PremiumSku",
         "GeneralPurposeStorage",
         "BlobStorage",
         "OwnerAccess",
         "ResourceLocked"
      ],
      "Enabled": true,
      "FixControl": {
         "FixMethodName": "DisableAnonymousAccessOnContainers",
         "FixControlImpact": "High"
      }
   },
    {
      "ControlID": "Azure_Storage_Audit_Issue_Alert_AuthN_Req",
      "Description": "Alert rules must be configured for tracking anonymous activity",
      "Id": "AzureStorage120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckStorageMetricAlert",
      "Rationale": "Alert rules for anonymous authentication requests enable you to detect any suspicious and malicious activity early and respond in a timely manner.",
      "Recommendation": "Run command 'Add-AzureRmMetricAlertRule -MetricName 'AnonymousSuccess' -Operator 'GreaterThan' -Threshold '<Threshold count>' -TimeAggregationOperator 'Total' -WindowSize '<Duration window>' -Action '<New-AzureRmAlertRuleEmail -SendToServiceOwner>' -Name '<AlertName>' -ResourceGroup '<RGName>' -TargetResourceId '<TargetResourceId>' -Location '<Location>''. TargetResourceId format is '<StorageResourceId>/services/<blob/file/queue/table>'. Run 'Get-Help Add-AzureRmMetricAlertRule -full' for more help. Note: You will need to enable this for all service types within Storage (Blob, File, Table, Queue, etc.) even if you are only using one of them.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "StandardSku",
        "GeneralPurposeStorage",
        "BlobStorage"
      ],
      "Enabled": false,
      "FixControl": {
        "FixMethodName": "SetupAlertsForAuthNRequest",
        "FixControlImpact": "Low"
      }
    },
    {
      "ControlID": "Azure_Storage_Audit_AuthN_Requests",
      "Description": "Storage Account must be configured to log and monitor authentication request data",
      "Id": "AzureStorage150",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckStorageEnableDiagnosticsLog",
      "Rationale": "Logging and monitoring of authentication request data can help to detect suspicious and malicious activities early and respond in a timely manner.",
      "Recommendation": "Run command 'Set-AzureStorageServiceLoggingProperty -ServiceType '<Blob/Queue/Table>' -LoggingOperations 'All' -Context '<StorageContext>' -RetentionDays '365' -PassThru'. Run 'Get-Help Set-AzureStorageServiceLoggingProperty -full' for more help. Then run command 'Set-AzureStorageServiceMetricsProperty -MetricsType 'Hour' -ServiceType '<Blob/Queue/Table/File>' -Context '<StorageContext>' -MetricsLevel 'ServiceAndApi' -RetentionDays '365' -PassThru'. Run 'Get-Help Set-AzureStorageServiceMetricsProperty -full' for more help.",
      "Tags": [
         "SDL",
         "TCP",
         "Automated",
         "Audit",
         "OwnerAccess",
         "StandardSku",
         "GeneralPurposeStorage",
         "BlobStorage",
         "ResourceLocked"
      ],
      "Enabled": true,
      "FixControl": {
        "FixMethodName": "EnableAuditOnAuthN",
        "FixControlImpact": "Low"
      }
    },
   {
      "ControlID": "Azure_Storage_DP_Encrypt_In_Transit",
      "Description": "HTTPS protocol must be used for accessing Storage Account resources",
      "Id": "AzureStorage160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckStorageEncryptionInTransit",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network-layer man-in-the-middle, eavesdropping, and session-hijacking attacks. When enabling HTTPS one must remember to simultaneously disable access over plain HTTP, else data can still be subject to compromise over clear-text connections.",
      "Recommendation": "Run command 'Set-AzureRmStorageAccount -ResourceGroupName <RGName> -name <StorageAccountName> -EnableHttpsTrafficOnly `$true'. Run 'Get-Help Set-AzureRmStorageAccount -full' for more help.",
      "Tags": [
         "SDL",
         "TCP",
         "Automated",
         "DP",
         "StandardSku",
         "PremiumSku",
        "GeneralPurposeStorage",
        "BlobStorage"
      ],
      "Enabled": true,
      "FixControl": {
         "FixMethodName": "EnableHttpsTrafficOnly",
         "FixControlImpact": "Medium"
      }
   },
    {
      "ControlID": "Azure_Storage_AuthZ_Use_IP_ACL",
      "Description": "Use IP restrictions in SAS tokens to only permit access from intended IP addresses",
      "Id": "AzureStorage180",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Using appropriate IP-based ACLs ensures that data in storage is protected and accessible only to entities from an expected set of endpoints.",
      "Recommendation": "Restrict storage SAS tokens to specific IP addresses/ranges where possible. Refer: https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ",
        "StandardSku",
        "PremiumSku",
        "GeneralPurposeStorage",
        "BlobStorage"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Storage_AuthZ_Clients_Use_SAS",
      "Description": "End user/client apps should access Storage Account through SAS token only (and not via Storage Account Key)",
      "Id": "AzureStorage190",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "A shared access signature (SAS) provides you with a way to grant limited access to objects in your Storage Account to other clients, without exposing your account key. This is in accordance with the principle of least privilege access.",
      "Recommendation": "Do not use Storage Account key directly in apps. Use a SAS token to limit the access based on scope, duration, IPs, etc. Refer: https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "AuthZ",
        "StandardSku",
        "PremiumSku",
        "GeneralPurposeStorage",
        "BlobStorage"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Storage_DP_Rotate_Keys",
      "Description": "Storage Account keys must be rotated periodically",
      "Id": "AzureStorage200",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks.",
      "Recommendation": "Rotate Storage Account keys on a periodic basis. To generate a new key, run command 'New-AzureRmStorageAccountKey -KeyName '<key1/key2>' -Name '<StorageAccountName>' -ResourceGroupName '<RGName>''. Deploy the new key or derived SAS tokens to various clients as appropriate. Run 'Get-Help New-AzureRmStorageAccountKey -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP",
        "StandardSku",
        "PremiumSku",
        "GeneralPurposeStorage",
        "BlobStorage"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Storage_AuthZ_Allow_Limited_Access_to_Services",
      "Description": "Use Stored Access Policies with least privileges needed to access services in the Storage Account.",
      "Id": "AzureStorage210",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Granting minimum access ensures that users are granted just enough permissions to perform their tasks. This minimizes operations that can be performed on the resource in case of access policy key compromise.",
      "Recommendation": "Create a SAS token with Stored Access Policy for service access using the minimal required privileges. Refer: https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1#controlling-a-sas-with-a-stored-access-policy.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ",
        "StandardSku",
        "PremiumSku",
        "GeneralPurposeStorage",
        "BlobStorage"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Storage_DP_Restrict_CORS_Access",
      "Description": "Ensure that CORS access is granted to a minimal set of trusted origins and only required verbs are supported.",
      "Id": "AzureStorage250",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckStorageCORSAllowed",
      "Rationale": "CORS enables applications running under one domain to access a resource under another domain. Using '*' (allow all) for the CORS setting means that an application running under any domain can have access to your application's resources and data. Restricting allowed origins to the specific set that needs access aligns with the principle of least privilege.",
      "Recommendation": "Go to Azure Portal --> your Storage service --> CORS under Blob/File/Table/Queue --> Add --> Provide the specific domain names and other CORS details that should be allowed to make cross-origin calls. Note: No action is needed if you are not using CORS for your service.",
      "Tags": [
         "SDL",
         "TCP",
         "Automated",
         "DP",
         "StandardSku",
         "GeneralPurposeStorage",
         "BlobStorage",
         "OwnerAccess",
         "ResourceLocked"
      ],
      "Enabled": true
    }
 
  ]
}