last sync: 2024-Sep-18 17:50:24 UTC

Storage Accounts should restrict CORS rules

Azure Landing Zones (ALZ) Policy definition

Source Repository Azure Landing Zones (ALZ) GitHub
JSON Deny-Storage-CorsRules
Deploy policy Deny-Storage-CorsRules (1.0.0) to Azure
Display name Storage Accounts should restrict CORS rules
Id Deny-Storage-CorsRules
Version 1.0.0
Category Storage
Description Deny CORS rules for storage account for increased data exfiltration protection and endpoint protection.
Mode All
Type Custom Azure Landing Zones (ALZ)
Preview False
Deprecated False
Effect Default: Deny; Allowed: Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (4)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Storage/storageAccounts/blobServices/cors.corsRules[*] Microsoft.Storage storageAccounts/blobServices properties.cors.corsRules[*] True True
Microsoft.Storage/storageAccounts/fileServices/cors.corsRules[*] Microsoft.Storage storageAccounts/fileServices properties.cors.corsRules[*] True False
Microsoft.Storage/storageAccounts/queueServices/cors.corsRules[*] Microsoft.Storage storageAccounts/queueServices properties.cors.corsRules[*] True False
Microsoft.Storage/storageAccounts/tableServices/cors.corsRules[*] Microsoft.Storage storageAccounts/tableServices properties.cors.corsRules[*] True False
Rule resource types IF (4)
Microsoft.Storage/storageAccounts/blobServices
Microsoft.Storage/storageAccounts/fileServices
Microsoft.Storage/storageAccounts/queueServices
Microsoft.Storage/storageAccounts/tableServices
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State
Enforce recommended guardrails for Storage Account Enforce-Guardrails-Storage Storage GA
History
Date/Time (UTC ymd) Change type Change detail
2024-06-03 17:39:43 add Deny-Storage-CorsRules
JSON compare n/a