AzInitiativeAdvertizer

last sync: 2024-Sep-18 17:50:42 UTC

Enforce recommended guardrails for Storage Account

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Source Repository Azure Landing Zones (ALZ) GitHub
JSON Enforce-Guardrails-Storage
Display nameEnforce recommended guardrails for Storage Account
IdEnforce-Guardrails-Storage
Version1.0.0
Details on versioning
CategoryStorage
DescriptionThis policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.
TypeCustom Azure Landing Zones (ALZ)
DeprecatedFalse
PreviewFalse
Policy count Total Policies: 22
Builtin Policies: 12
Static Policies: 0
ALZ Policies: 10
Policy used
Policy DisplayName Policy Id Category Effect Roles# Roles State Type
Allowed Copy scope should be restricted for Storage Accounts Deny-Storage-CopyScope Storage Default
Deny
Allowed
Audit, Deny, Disabled		 0 GA ALZ
Configure storage accounts to disable public network access a06d0189-92e8-4dba-b0c4-08d7669fce7d Storage Default
Modify
Allowed
Modify, Disabled		 1 Storage Account Contributor GA BuiltIn
Configure your Storage account public access to be disallowed 13502221-8df0-4414-9937-de9c5c4e396b Storage Default
Modify
Allowed
Modify, Disabled		 1 Storage Account Contributor GA BuiltIn
Deploy Defender for Storage (Classic) on storage accounts 361c2074-3595-4e5d-8cab-4f21dffc835c Storage Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 1 Security Admin GA BuiltIn
Encryption for storage services should be enforced for Storage Accounts Deny-Storage-ServicesEncryption Storage Default
Deny
Allowed
Audit, Deny, Disabled		 0 GA ALZ
Local users should be restricted for Storage Accounts Deny-Storage-LocalUser Storage Default
Deny
Allowed
Audit, Deny, Disabled		 0 GA ALZ
Modify - Configure Azure File Sync to disable public network access 0e07b2e9-6cd9-4c40-9ccb-52817b95133b Storage Default
Modify
Allowed
Modify, Disabled		 1 Contributor GA BuiltIn
Network ACL bypass option should be restricted for Storage Accounts Deny-Storage-NetworkAclsBypass Storage Default
Deny
Allowed
Audit, Deny, Disabled		 0 GA ALZ
Resource Access Rules resource IDs should be restricted for Storage Accounts Deny-Storage-ResourceAccessRulesResourceId Storage Default
Deny
Allowed
Audit, Deny, Disabled		 0 GA ALZ
Resource Access Rules Tenants should be restricted for Storage Accounts Deny-Storage-ResourceAccessRulesTenantId Storage Default
Deny
Allowed
Audit, Deny, Disabled		 0 GA ALZ
Storage account encryption scopes should use double encryption for data at rest bfecdea6-31c4-4045-ad42-71b9dc87247d Storage Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn
Storage account keys should not be expired 044985bb-afe1-42cd-8a36-9d5d42424537 Storage Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn
Storage accounts should be migrated to new Azure Resource Manager resources 37e0d2fe-28a5-43d6-a273-67d37d1f5606 Storage Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn
Storage accounts should have infrastructure encryption 4733ea7b-a883-42fe-8cac-97454c2a9e4a Storage Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn
Storage accounts should prevent cross tenant object replication 92a89a79-6c52-4a7e-a03f-61306fc49312 Storage Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn
Storage accounts should prevent shared key access 8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54 Storage Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn
Storage Accounts should restrict CORS rules Deny-Storage-CorsRules Storage Default
Deny
Allowed
Audit, Deny, Disabled		 0 GA ALZ
Storage accounts should restrict network access 34c877ad-507e-4c82-993e-3452a6e0ad3c Storage Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn
Storage accounts should restrict network access using virtual network rules 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f Storage Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn
Storage Accounts should use a container delete retention policy Deny-Storage-ContainerDeleteRetentionPolicy Storage Default
Deny
Allowed
Audit, Deny, Disabled		 0 GA ALZ
Storage Accounts with SFTP enabled should be denied Deny-Storage-SFTP Storage Default
Deny
Allowed
Audit, Deny, Disabled		 0 GA ALZ
Virtual network rules should be restricted for Storage Accounts Deny-Storage-NetworkAclsVirtualNetworkRules Storage Default
Deny
Allowed
Audit, Deny, Disabled		 0 GA ALZ
Roles used
History none
JSON compare n/a
JSON
EPAC