Benchmark: Storage
Description
This benchmark provides a set of controls that detect Terraform Azure Storage resources deviating from security best practices.
Usage
Browse dashboards and select Storage:
steampipe dashboard
Or run the benchmarks in your terminal:
steampipe check terraform_azure_compliance.benchmark.storage
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share terraform_azure_compliance.benchmark.storage
Controls
- Ensure that 'Public access level' is set to Private for blob containers
- Ensure Storage logging is enabled for Blob service for read, write, and delete requests
- Storage account public access should be disallowed
- Storage accounts should restrict network access
- Storage accounts should use customer-managed key for encryption
- Storage account encryption scopes should use customer-managed keys to encrypt data at rest
- Storage accounts should have infrastructure encryption
- Ensure Storage logging is enabled for Queue service for read, write, and delete requests
- Storage accounts should have replication type set
- Storage accounts should restrict network access using virtual network rules
- Secure transfer to storage accounts should be enabled
- Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
- Storage Accounts should use a virtual network service endpoint
- Storage accounts should be migrated to new Azure Resource Manager resources
- Storage accounts should use latest minimum TLS version
- Storage accounts should use private link
- Azure Defender for Storage should be enabled
- Storage container public access should be disabled