AzPolicyAdvertizer

last sync: 2024-Nov-25 18:54:24 UTC

Storage accounts should prevent shared key access

Azure BuiltIn Policy definition

Source Azure Portal
Display name Storage accounts should prevent shared key access
Id 8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54
Version 2.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
2.0.0
Built-in Versioning [Preview]
Category Storage
Microsoft Learn
Description Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft.
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Storage/storageAccounts/allowSharedKeyAccess Microsoft.Storage storageAccounts properties.allowSharedKeyAccess True True
Rule resource types IF (1)
Microsoft.Storage/storageAccounts
Compliance
The following 10 compliance controls are associated with this Policy definition 'Storage accounts should prevent shared key access' (8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 IM-1 Azure_Security_Benchmark_v3.0_IM-1 Microsoft cloud security benchmark IM-1 Identity Management Use centralized identity and authentication system Shared **Security Principle:** Use a centralized identity and authentication system to govern your organization's identities and authentications for cloud and non-cloud resources. **Azure Guidance:** Microsoft Entra ID is Azure's identity and authentication management service. You should standardize on Microsoft Entra ID to govern your organization's identity and authentication in: - Microsoft cloud resources, such as the Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications. - Your organization's resources, such as applications on Azure, third-party applications running on your corporate network resources, and third-party SaaS applications. - Your enterprise identities in Active Directory by synchronization to Microsoft Entra ID to ensure a consistent and centrally managed identity strategy. Note: As soon as it is technically feasible, you should migrate on-premises Active Directory based applications to Microsoft Entra ID. This could be a Microsoft Entra Enterprise Directory, Business to Business configuration, or Business to consumer configuration. **Implementation and additional context:** Tenancy in Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps How to create and configure a Microsoft Entra instance: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant Define Microsoft Entra ID tenants: https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/ Use external identity providers for an application: https://docs.microsoft.com/azure/active-directory/b2b/identity-providers n/a link 15
New_Zealand_ISM 16.1.32.C.01 New_Zealand_ISM_16.1.32.C.01 New_Zealand_ISM_16.1.32.C.01 16. Access Control and Passwords 16.1.32.C.01 System user identification n/a Agencies MUST ensure that all system users are: uniquely identifiable; and authenticated on each occasion that access is granted to a system. 18
NL_BIO_Cloud_Theme U.07.3(2) NL_BIO_Cloud_Theme_U.07.3(2) NL_BIO_Cloud_Theme_U.07.3(2) U.07 Data separation Management features n/a Isolation of CSC data is ensured by separating it at least logically from the data of other CSCs under all operating conditions. 19
NL_BIO_Cloud_Theme U.10.2(2) NL_BIO_Cloud_Theme_U.10.2(2) NL_BIO_Cloud_Theme_U.10.2(2) U.10 Access to IT services and data Users n/a Under the responsibility of the CSP, administrators shall be granted access: to data with the least privilege principle; to data with the need-to-know principle; with multi-factor authentication; to data and application functions via technical measures. 25
NL_BIO_Cloud_Theme U.10.3(2) NL_BIO_Cloud_Theme_U.10.3(2) NL_BIO_Cloud_Theme_U.10.3(2) U.10 Access to IT services and data Users n/a Only users with authenticated equipment can access IT services and data. 32
NL_BIO_Cloud_Theme U.10.5(2) NL_BIO_Cloud_Theme_U.10.5(2) NL_BIO_Cloud_Theme_U.10.5(2) U.10 Access to IT services and data Competent n/a Under the responsibility of the CSP, privileges (system authorisations) for users are granted through formal procedures. 25
U.07.3 - Management features U.07.3 - Management features 404 not found n/a n/a 19
U.10.2 - Users U.10.2 - Users 404 not found n/a n/a 25
U.10.3 - Users U.10.3 - Users 404 not found n/a n/a 26
U.10.5 - Competent U.10.5 - Competent 404 not found n/a n/a 24
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
Enforce recommended guardrails for Storage Account Enforce-Guardrails-Storage Storage GA ALZ
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-23 16:35:49 change Major (1.0.0 > 2.0.0)
2021-06-22 14:29:30 add 8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC