AzPolicyAdvertizer

last sync: 2024-Sep-18 17:50:24 UTC

Storage accounts should prevent shared key access

Azure BuiltIn Policy definition

Source

Azure Portal

Display name

Storage accounts should prevent shared key access

8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54

Version

2.0.0
Details on versioning

Versioning

Versions supported for Versioning: 1
2.0.0
Built-in Versioning [Preview]

Category

Storage
Microsoft Learn

Description

Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft.

Mode

Indexed

Type

BuiltIn

Preview

False

Deprecated

False

Effect

Default
Audit
Allowed
Audit, Deny, Disabled

RBAC role(s)

none

Rule aliases

IF (1)

Alias	Namespace	ResourceType	Path	PathIsDefault	DefaultPath	Modifiable
Microsoft.Storage/storageAccounts/allowSharedKeyAccess	Microsoft.Storage	storageAccounts	properties.allowSharedKeyAccess	True		True

Rule resource types

IF (1)
Microsoft.Storage/storageAccounts

Compliance

The following 6 compliance controls are associated with this Policy definition 'Storage accounts should prevent shared key access' (8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54)

Control Domain	Control	Name	MetadataId	Category	Title	Owner	Requirements	Description	Info	Policy#
Azure_Security_Benchmark_v3.0	IM-1	Azure_Security_Benchmark_v3.0_IM-1	Microsoft cloud security benchmark IM-1	Identity Management	Use centralized identity and authentication system	Shared	Security Principle: Use a centralized identity and authentication system to govern your organization's identities and authentications for cloud and non-cloud resources. Azure Guidance: Microsoft Entra ID is Azure's identity and authentication management service. You should standardize on Microsoft Entra ID to govern your organization's identity and authentication in: - Microsoft cloud resources, such as the Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications. - Your organization's resources, such as applications on Azure, third-party applications running on your corporate network resources, and third-party SaaS applications. - Your enterprise identities in Active Directory by synchronization to Microsoft Entra ID to ensure a consistent and centrally managed identity strategy. Note: As soon as it is technically feasible, you should migrate on-premises Active Directory based applications to Microsoft Entra ID. This could be a Microsoft Entra Enterprise Directory, Business to Business configuration, or Business to consumer configuration. Implementation and additional context: Tenancy in Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps How to create and configure a Microsoft Entra instance: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant Define Microsoft Entra ID tenants: https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/ Use external identity providers for an application: https://docs.microsoft.com/azure/active-directory/b2b/identity-providers	n/a	link	15
New_Zealand_ISM	16.1.32.C.01	New_Zealand_ISM_16.1.32.C.01	New_Zealand_ISM_16.1.32.C.01	16. Access Control and Passwords	Identification		n/a	Agencies MUST ensure that all system users are uniquely identifiable; and authenticated on each occasion that access is granted to a system.		18
	U.07.3 - Management features	U.07.3 - Management features	404 not found				n/a	n/a		19
	U.10.2 - Users	U.10.2 - Users	404 not found				n/a	n/a		25
	U.10.3 - Users	U.10.3 - Users	404 not found				n/a	n/a		26
	U.10.5 - Competent	U.10.5 - Competent	404 not found				n/a	n/a		24

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State	Type
Enforce recommended guardrails for Storage Account	Enforce-Guardrails-Storage	Storage	GA	ALZ
Microsoft cloud security benchmark	1f3afdf9-d0c9-4c3d-847f-89da613e70a8	Security Center	GA	BuiltIn
New Zealand ISM	4f5b1359-4f8e-4d7c-9733-ea47fcde891e	Regulatory Compliance	GA	BuiltIn
NL BIO Cloud Theme	6ce73208-883e-490f-a2ac-44aac3b3687f	Regulatory Compliance	GA	BuiltIn

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2022-09-23 16:35:49	change	Major (1.0.0 > 2.0.0)
2021-06-22 14:29:30	add	8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54

JSON compare

compare mode: version left: version right:

JSON

api-version=2021-06-01
EPAC