Control: Azure > CIS v4.0 > 10 - Storage Services > 10.03 - Storage Accounts > 10.03.01 - Secrets and Keys > 10.03.01.03 - Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled'

Configures auditing against a CIS Benchmark item.

Level: 1

Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Microsoft Entra credentials or by using the account access key for Shared Key authorization.

Microsoft Entra ID provides superior security and ease of use compared to Shared Key and is recommended by Microsoft. To require clients to use Microsoft Entra ID for authorizing requests, you can disallow requests to the storage account that are authorized with Shared Key.

Resource Types

This control targets the following resource types:

Azure > Storage > Storage Account

Policies

This control type relies on these other policies when running actions:

In Your Workspace

Developers

Control Type URI

tmod:@turbot/azure-cisv4-0#/control/types/r10030103

Category URI

tmod:@turbot/cis#/control/categories/v071607

GraphQL

query controlType(id: "tmod:@turbot/azure-cisv4-0#/control/types/r10030103") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/azure-cisv4-0#/control/types/r10030103'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv4-0#/control/types/r10030103"