Azure Storage
About
Monitor your Azure Storage resources for best practices.
Security
Access Keys Not Rotated
When a storage account is created, Azure generates two 512-bit storage access keys, which are used for authentication when the storage account is accessed. Rotating these keys periodically ensures that any inadvertent access or exposure does not result in these keys being compromised. The access keys of storage accounts should be rotated at least every 90 days.
Secure Transfer (HTTPS) Not Enforced
The secure transfer option enhances the security of a storage account by only allowing requests to the storage account over a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure Files service, connections without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client.
Because Azure Storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.
Blob Containers Allowing Public Access
Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to enable anonymous access to blob containers unless it is explicitly required. A shared access signature token should be used instead to provide controlled, time-limited access to blob containers.
Storage Accounts Allowing Public Traffic
By default, storage accounts accept connections from clients on any network, so restricting default network access adds a further layer of security. To limit access to selected networks, the default action must be changed.
Trusted Microsoft Services Enabled
Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the "Allow trusted Microsoft services" exception is enabled, the following services are granted access to the storage account:
- Azure Backup
- Azure Site Recovery
- Azure DevTest Labs
- Azure Event Grid
- Azure Event Hubs
- Azure Networking
- Azure Monitor
- Azure SQL Data Warehouse (when registered in the subscription)
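An added Python example (not part of this checklist) that evaluates the five checks above against a storage account's properties. It assumes the properties were exported first, for example with `az storage account show`, and that the field names used below (enableHttpsTrafficOnly, allowBlobPublicAccess, keyCreationTime, networkRuleSet) match your API version; the sample account is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Maximum key age permitted by the checklist (90 days).
MAX_KEY_AGE_DAYS = 90

# Constructed sample in the shape of `az storage account show` output.
# Field names are an assumption; verify them against your API version.
SAMPLE_ACCOUNT = json.loads("""
{
  "name": "examplestorage01",
  "enableHttpsTrafficOnly": false,
  "allowBlobPublicAccess": true,
  "keyCreationTime": {"key1": "2023-01-10T08:00:00+00:00",
                      "key2": "2023-11-01T08:00:00+00:00"},
  "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices"}
}
""")


def audit_storage_account(acct, now=None):
    """Return (check_id, detail) tuples for each checklist item that fails."""
    now = now or datetime.now(timezone.utc)
    findings = []

    # Access Keys Not Rotated: flag any key older than 90 days.
    for key_name, created in (acct.get("keyCreationTime") or {}).items():
        age = now - datetime.fromisoformat(created)
        if age > timedelta(days=MAX_KEY_AGE_DAYS):
            findings.append(("keys-not-rotated", f"{key_name} is {age.days} days old"))

    # Secure Transfer (HTTPS) Not Enforced.
    if not acct.get("enableHttpsTrafficOnly", False):
        findings.append(("https-not-enforced", "secure transfer required is off"))

    # Blob Containers Allowing Public Access (account-level switch).
    if acct.get("allowBlobPublicAccess", True):
        findings.append(("public-blob-access", "anonymous blob access permitted"))

    # Storage Accounts Allowing Public Traffic: default action must be Deny.
    rules = acct.get("networkRuleSet") or {}
    if rules.get("defaultAction", "Allow") != "Deny":
        findings.append(("public-network-access", "default action is not Deny"))

    # Trusted Microsoft Services Enabled: report the bypass so it can be reviewed.
    bypass = [b.strip() for b in rules.get("bypass", "").split(",")]
    if "AzureServices" in bypass:
        findings.append(("trusted-services-bypass", "trusted services bypass rules"))

    return findings


if __name__ == "__main__":
    for check, detail in audit_storage_account(SAMPLE_ACCOUNT):
        print(f"[{check}] {SAMPLE_ACCOUNT['name']}: {detail}")
```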
Sources
https://www.cloudanix.com/recipelist/azure/azurestorageaudit
https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account
https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide
https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-to-resources
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security