Resource Type: Azure > Storage > Storage Account

Resource Context

Storage Account is a part of the Storage service.

Each Storage Account lives under a Resource Group.

Controls

The primary controls for Azure > Storage > Storage Account are:

• Access Keys
• Access Tier
• Active
• Approved
• Blob
• Blob Public Access
• CMDB
• Configured
• Data Protection
• Discovery
• Encryption at Rest
• Encryption in Transit
• Firewall
• Minimum TLS Version
• Queue
• ServiceNow
• Table
• Tags

It is also targeted by these controls:

• Azure > CIS v1 > 3 Storage > 3.01 Ensure that 'Secure transfer required' is set to 'Enabled' (Scored)
• Azure > CIS v1 > 3 Storage > 3.02 Ensure that storage account access keys are periodically regenerated (Not Scored)
• Azure > CIS v1 > 3 Storage > 3.03 Ensure Storage logging is enabled for Queue service for read, write, and delete requests (Not Scored)
• Azure > CIS v1 > 3 Storage > 3.04 Ensure that shared access signature tokens expire within an hour (Not Scored)
• Azure > CIS v1 > 3 Storage > 3.05 Ensure that shared access signature tokens are allowed only over https (Not Scored)
• Azure > CIS v1 > 3 Storage > 3.07 Ensure default network access rule for Storage Accounts is set to deny (Scored)
• Azure > CIS v1 > 3 Storage > 3.08 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access (Not Scored)
• Azure > CIS v2.0 > 03 - Storage Accounts > 3.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
• Azure > CIS v2.0 > 03 - Storage Accounts > 3.02 - Ensure that `Enable Infrastructure Encryption` for Each Storage Account in Azure Storage is Set to `enabled`
• Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
• Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
• Azure > CIS v2.0 > 03 - Storage Accounts > 3.05 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
• Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour
• Azure > CIS v2.0 > 03 - Storage Accounts > 3.08 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
• Azure > CIS v2.0 > 03 - Storage Accounts > 3.09 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
• Azure > CIS v2.0 > 03 - Storage Accounts > 3.10 - Ensure Private Endpoints are used to access Storage Accounts
• Azure > CIS v2.0 > 03 - Storage Accounts > 3.11 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
• Azure > CIS v2.0 > 03 - Storage Accounts > 3.12 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
• Azure > CIS v2.0 > 03 - Storage Accounts > 3.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
• Azure > CIS v2.0 > 03 - Storage Accounts > 3.15 - Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"
• Azure > Storage > Access Key > Discovery
• Azure > Storage > Container > Discovery
• Azure > Storage > FileShare > Discovery
• Azure > Storage > Queue > Discovery

Category

• Other

In Your Workspace

• Controls by Resource Type report
• Policy Settings by Resource Type report
• Resources by Resource Type report

Developers

Resource Type URI

tmod:@turbot/azure-storage#/resource/types/storageAccount

Category URI

tmod:@turbot/turbot#/resource/categories/other

GraphQL

query resource(id: "tmod:@turbot/azure-storage#/resource/types/storageAccount") { … }

query resourceActivities(filter: "resourceId:'tmod:@turbot/azure-storage#/resource/types/storageAccount'") { … }

mutation createResource(input: { … })

mutation updateResource(input: { … })

CLI

Get Resource

turbot graphql resource --id "tmod:@turbot/azure-storage#/resource/types/storageAccount"

Steampipe Query

Get Resource

select * from guardrails_resource where resource_type_uri = 'tmod:@turbot/azure-storage#/resource/types/storageAccount';

Get Policy Settings (By Resource ID)

select * from guardrails_policy_setting where filter = 'resourceTypeId:"tmod:@turbot/azure-storage#/resource/types/storageAccount"';

Get Resource Notification

select * from guardrails_notification where resource_type_uri = 'tmod:@turbot/azure-storage#/resource/types/storageAccount' and notification_type in ('resource_updated', 'resource_created');