Policy: Azure > CIS v5.0 > 9 - Storage Services
This section covers security best practice recommendations for products in the Azure Storage services category.
This includes Azure Blob Storage, Azure Files, and Azure Storage Account configuration.
Primary Policy
This policy is used with the following primary policy:
Related Policies
Controls
Setting this policy configures these controls:
- Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.01 - Ensure soft delete for Azure File Shares is Enabled
- Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.02 - Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares
- Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.03 - Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares
- Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.01 - Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled
- Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.02 - Ensure that soft delete for containers on Azure Blob Storage storage accounts is Enabled
- Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.03 - Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.01 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.02 - Ensure that Storage Account Access Keys are Periodically Regenerated
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.03 - Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled'
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.01 - Ensure Private Endpoints are used to access Storage Accounts
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.02 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.03 - Ensure default network access rule for storage accounts is set to deny
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.03 - Identity and Access Management > 9.03.03.01 - Ensure that 'Default to Microsoft Entra authorization in the Azure portal' is set to 'Enabled'
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.04 - Ensure that 'Secure transfer required' is set to 'Enabled'
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.05 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.06 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.07 - Ensure 'Cross Tenant Replication' is not enabled
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.08 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.09 - Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.10 - Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts
- Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.11 - Ensure Redundancy is set to 'geo-redundant storage (GRS)' on critical Azure Storage Accounts
Policy Specification
| Schema Type | |
|---|---|
| Default | |
| Valid Values [YAML] | |
| Examples [YAML] | |
Category
- Category URI: tmod:@turbot/cis#/control/categories/cis

Developers
- Policy Type URI: tmod:@turbot/azure-cisv5-0#/policy/types/s09

In Your Workspace (CLI)
- Get Policy Type: turbot graphql policy-type --id "tmod:@turbot/azure-cisv5-0#/policy/types/s09"
- Get Policy Settings: turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv5-0#/policy/types/s09"