Turbot Guardrails Hub 
Policy: Azure > CIS v5.0 > 9 - Storage Services

This section covers security best practice recommendations for products in the Azure Storage services category.

This includes Azure Blob Storage, Azure Files, and Azure Storage Account configuration.

Primary Policy

This policy is used with the following primary policy:

  • Azure > CIS v5.0

Related Policies

  • 9.01 - Azure Files
  • 9.02 - Azure Blob Storage
  • 9.03 - Storage Accounts
  • Maximum Attestation Duration

Controls

Setting this policy configures these controls:

  • Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.01 - Ensure soft delete for Azure File Shares is Enabled
  • Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.02 - Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares
  • Azure > CIS v5.0 > 9 - Storage Services > 9.01 - Azure Files > 9.01.03 - Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares
  • Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.01 - Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled
  • Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.02 - Ensure that soft delete for containers on Azure Blob Storage storage accounts is Enabled
  • Azure > CIS v5.0 > 9 - Storage Services > 9.02 - Azure Blob Storage > 9.02.03 - Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts
  • Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.01 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
  • Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.02 - Ensure that Storage Account Access Keys are Periodically Regenerated
  • Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.01 - Secrets and Keys > 9.03.01.03 - Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled'
  • Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.01 - Ensure Private Endpoints are used to access Storage Accounts
  • Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.02 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts
  • Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.02 - Networking > 9.03.02.03 - Ensure default network access rule for storage accounts is set to deny
  • Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.03 - Identity and Access Management > 9.03.03.01 - Ensure that 'Default to Microsoft Entra authorization in the Azure portal' is set to 'Enabled'
  • Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.04 - Ensure that 'Secure transfer required' is set to 'Enabled'
  • Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.05 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
  • Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.06 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
  • Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.07 - Ensure 'Cross Tenant Replication' is not enabled
  • Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.08 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
  • Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.09 - Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts
  • Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.10 - Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts
  • Azure > CIS v5.0 > 9 - Storage Services > 9.03 - Storage Accounts > 9.03.11 - Ensure Redundancy is set to 'geo-redundant storage (GRS)' on critical Azure Storage Accounts

Policy Specification

Schema Type
  • string
Default
  • Per Azure > CIS v5.0
Valid Values [YAML]
  • Per Azure > CIS v5.0
  • Skip
  • Check: All CIS Benchmarks except attestations
  • Check: All CIS Benchmarks
Examples [YAML]
  • Skip

Category

  • CIS

In Your Workspace

  • Policy Settings by Type report

Developers

  • Category URI
    • tmod:@turbot/cis#/control/categories/cis
  • Policy Type URI
    • tmod:@turbot/azure-cisv5-0#/policy/types/s09
  • GraphQL
    • query policyType(id: "tmod:@turbot/azure-cisv5-0#/policy/types/s09") { … }
    • query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv5-0#/policy/types/s09'") { … }
    • query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv5-0#/policy/types/s09'") { … }
  • CLI
    • Get Policy Type: turbot graphql policy-type --id "tmod:@turbot/azure-cisv5-0#/policy/types/s09"
    • Get Policy Settings: turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv5-0#/policy/types/s09"