Azure Storage Security Checklist

1. Identity and Access Management

  1. Use Microsoft Entra ID for Authentication instead of Storage Account Keys wherever possible
  2. Disable Shared Key Access if not required
  3. Use Role-Based Access Control with Least Privilege
  4. Assign Roles at the Lowest Possible Scope
  5. Avoid using the Owner or Contributor Roles for Daily Operations; use Data-Plane Roles such as Storage Blob Data Reader or Storage Blob Data Contributor instead
  6. Use Managed Identities for Applications and Services
  7. Regularly Review and Remove Unused Role Assignments

2. Network Security

  1. Restrict access using Storage Account Firewalls
  2. Allow Access only from Trusted IP Ranges
  3. Use Private Endpoints for Secure Access
  4. Disable Public Network Access when not required
  5. Use Service Endpoints where Private Endpoints are not feasible
  6. Enable "Secure transfer required" so that only HTTPS (and encrypted SMB) connections are accepted
  7. Monitor Network Access Logs

3. Data Protection

  1. Verify Encryption at Rest (always enabled; Storage Service Encryption cannot be turned off, so the decision is only which key source to use)
  2. Use Customer-Managed Keys where required
  3. Rotate Encryption Keys regularly
  4. Enable Soft Delete for Blobs, Files, and Containers
  5. Enable Versioning for Blob Storage
  6. Enable Immutable Blob Storage for Critical Data
  7. Use Secure Backup Strategies

4. Access Keys and Secrets Management

  1. Avoid Storing Access Keys in Code or Scripts
  2. Rotate Storage Account Keys Regularly
  3. Use Azure Key Vault to Store Secrets Securely
  4. Monitor Usage of Access Keys
  5. Prefer SAS Tokens over Account Keys, and prefer User Delegation SAS (signed with an Entra ID credential) over SAS signed with an Account Key
  6. Use short-lived SAS Tokens with Minimal Permissions

5. Shared Access Signature (SAS) Security

  1. Use SAS Tokens with Least Privilege Permissions
  2. Set Expiration Times for all SAS Tokens
  3. Restrict SAS Tokens by IP Address where possible
  4. Avoid using Account-Level SAS unless required
  5. Monitor SAS usage
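The following is an added example, not part of the original checklist: a small auditor for SAS tokens (sections 4 and 5 above). It parses the query string of a SAS URL and flags the properties the checklist warns about. The account name, the clock value and both tokens are constructed, and the `sig=FAKE` values stand in for real HMAC signatures. The parameter names (`ss`/`srt` for an account SAS, `skoid`/`sktid` for a user delegation SAS, `se`, `sp`, `sip`, `spr`) are the standard SAS query parameters.

```python
"""Audit Azure Storage SAS tokens against checklist sections 4 and 5.

Parses the query string of a SAS URL and flags tokens that are account-level,
signed with the account key instead of a user delegation key, long-lived,
over-permissive, not IP-restricted, or not limited to HTTPS.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Permission letters (sp) that let the holder change or delete data:
# a=add c=create w=write d=delete x=delete version y=permanent delete
# m=move o=ownership p=permissions i=set immutability policy.
MUTATING_PERMS = set("acwdxympoi")


def parse_sas(url: str) -> dict[str, str]:
    """Return the SAS query parameters as a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def audit_sas(url: str, now: datetime, max_lifetime: timedelta = timedelta(hours=1)) -> list[str]:
    """Return 'CODE: explanation' findings; an empty list means the token passes."""
    p = parse_sas(url)
    findings: list[str] = []
    # ss/srt only appear on an account SAS, which spans services and resource types.
    if "ss" in p or "srt" in p:
        findings.append("ACCOUNT_SAS: account-level SAS; scope a service SAS to one container or blob")
    # skoid/sktid are present only when the token is signed with a user delegation key.
    if "skoid" not in p:
        findings.append("KEY_SIGNED: signed with the account key; prefer a user delegation SAS")
    se = p.get("se")
    if se is None:
        if "si" in p:
            findings.append(f"POLICY_EXPIRY: expiry comes from stored access policy {p['si']}; verify it there")
        else:
            findings.append("NO_EXPIRY: no se parameter")
    else:
        expiry = datetime.fromisoformat(se.replace("Z", "+00:00"))
        if expiry - now > max_lifetime:
            findings.append(f"LONG_LIVED: expires {se}, more than {max_lifetime} from now")
    perms = set(p.get("sp", ""))
    if perms & MUTATING_PERMS:
        findings.append(f"MUTATING: sp={p.get('sp')} allows writes or deletes")
    if "sip" not in p:
        findings.append("NO_IP_RESTRICTION: no sip parameter")
    # spr defaults to 'https,http' when absent, i.e. plain HTTP is accepted.
    if p.get("spr", "https,http") != "https":
        findings.append(f"HTTP_ALLOWED: spr={p.get('spr', 'https,http')}")
    return findings


ACCOUNT_URL = "https://contosodata.blob.core.windows.net"  # constructed account name
NOW = datetime(2024, 6, 1, 10, 0, tzinfo=timezone.utc)     # fixed clock for the samples

# Constructed tokens; 'sig=FAKE' stands in for a real HMAC signature.
BAD_SAS = (ACCOUNT_URL + "/?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacupx"
           "&se=2030-01-01T00:00:00Z&spr=https,http&sig=FAKE")
GOOD_SAS = (ACCOUNT_URL + "/reports/q1.csv?sv=2022-11-02&sr=b&sp=r"
            "&st=2024-06-01T10:00:00Z&se=2024-06-01T10:30:00Z"
            "&sip=203.0.113.0-203.0.113.255&spr=https"
            "&skoid=7f1c3b2a-0000-4000-8000-000000000001"
            "&sktid=7f1c3b2a-0000-4000-8000-000000000002"
            "&skt=2024-06-01T09:59:00Z&ske=2024-06-01T11:00:00Z&sks=b&skv=2022-11-02&sig=FAKE")

if __name__ == "__main__":
    for name, url in (("BAD_SAS", BAD_SAS), ("GOOD_SAS", GOOD_SAS)):
        print(name, audit_sas(url, NOW) or ["OK"])
```

The one-hour `max_lifetime` default is a policy choice, not an Azure limit; a user delegation SAS can live at most as long as its delegation key (`ske`), which is itself capped at seven days, so that is the outer bound to audit against.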

6. Logging and Monitoring

  1. Enable Diagnostic Logging for Storage Accounts
  2. Send logs to Log Analytics or SIEM
  3. Monitor Access Patterns and Anomalies
  4. Enable Alerts for Suspicious Activities
  5. Review Logs Regularly
  6. Enable Azure Monitor Metrics

7. Data Lifecycle and Governance

  1. Implement Lifecycle Management Policies
  2. Automatically move Data between Hot, Cool, and Archive Tiers
  3. Delete Unused or Stale Data
  4. Classify and Tag Data Appropriately
  5. Enforce Retention Policies
  6. Monitor Compliance Requirements

8. Backup and Disaster Recovery

  1. Enable Geo-Redundant Storage where required
  2. Use Backup Solutions for Critical Data
  3. Test Restore Procedures Regularly
  4. Enable Point-In-Time Restore for Blobs (requires Blob Soft Delete, Versioning and Change Feed to be enabled first)
  5. Protect Against Accidental Deletion

9. Threat Protection

  1. Enable Microsoft Defender for Storage
  2. Monitor for unusual Access Patterns
  3. Detect Data Exfiltration Attempts
  4. Enable Alerts for Suspicious Behavior
  5. Investigate Anomalies Promptly
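As an added example (not part of the original checklist), here is the kind of detection logic sections 6 and 9 call for, run over a handful of storage resource log records. It flags callers still using the account key, anonymous reads that succeeded, bulk egress from one IP, and bursts of 401/403 failures. The field names are assumed to follow the StorageBlobLogs table (`OperationName`, `AuthenticationType`, `StatusCode`, `CallerIpAddress`, `ResponseBodySize`, `Uri`); the records and thresholds are constructed, using TEST-NET addresses.

```python
"""Detection logic over Azure Storage resource logs (checklist sections 6 and 9).

Runs four checks over StorageBlobLogs-style records: account-key usage, successful
anonymous reads, bulk egress per caller IP, and bursts of 401/403 failures.
Assumption: field names follow the StorageBlobLogs table; the records themselves
are constructed.
"""
from __future__ import annotations

from collections import Counter

ACCOUNT_URL = "https://contosodata.blob.core.windows.net"  # constructed account


def rec(op: str, auth: str, status: int, caller: str, size: int, path: str) -> dict:
    """Build one constructed log record."""
    return {"OperationName": op, "AuthenticationType": auth, "StatusCode": status,
            "CallerIpAddress": caller, "ResponseBodySize": size, "Uri": ACCOUNT_URL + path}


SAMPLE_LOGS = (
    # three 500 MB downloads by one SAS holder: 1.5 GB from a single IP
    [rec("GetBlob", "SAS", 200, "203.0.113.5:51234", 500_000_000, f"/exports/dump-{i}.parquet")
     for i in range(3)]
    # normal Entra ID (OAuth) write by an application
    + [rec("PutBlob", "OAuth", 201, "198.51.100.7:40010", 0, "/reports/q1.csv")]
    # something still authenticating with the account key
    + [rec("GetBlob", "AccountKey", 200, "192.0.2.10:2200", 4096, "/config/app.json")]
    # anonymous read that succeeded: a container is public
    + [rec("GetBlob", "Anonymous", 200, "198.51.100.99:443", 8192, "/public/logo.png")]
    # six forbidden requests from one IP: probing, or an expired/forged SAS
    + [rec("GetBlob", "SAS", 403, "192.0.2.33:6000", 0, "/exports/dump-0.parquet") for _ in range(6)]
)


def caller_ip(value: str) -> str:
    """Strip the source port the log appends ('1.2.3.4:port' or '[v6]:port')."""
    if value.startswith("["):
        return value[1:value.index("]")]
    return value.rsplit(":", 1)[0] if value.count(":") == 1 else value


def analyze(records, egress_threshold: int = 1_000_000_000, failure_threshold: int = 5) -> dict:
    """Return findings keyed by detection name."""
    account_key: Counter = Counter()
    egress: Counter = Counter()
    failures: Counter = Counter()
    anonymous: list[tuple[str, str]] = []
    for r in records:
        ip = caller_ip(r["CallerIpAddress"])
        status = int(r["StatusCode"])
        ok = 200 <= status < 300
        if r["AuthenticationType"] == "AccountKey":
            account_key[ip] += 1
        if r["AuthenticationType"] == "Anonymous" and ok:
            anonymous.append((ip, r["Uri"]))
        if status in (401, 403):
            failures[ip] += 1
        if r["OperationName"] == "GetBlob" and ok:
            egress[ip] += int(r["ResponseBodySize"])
    return {
        "account_key_callers": dict(account_key),
        "anonymous_success": anonymous,
        "bulk_egress": {ip: n for ip, n in egress.items() if n >= egress_threshold},
        "auth_failure_bursts": {ip: n for ip, n in failures.items() if n >= failure_threshold},
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOGS).items():
        print(f"{name}: {hits}")
```

In production the same four aggregations belong in a scheduled Log Analytics query with the thresholds tuned per account; the point of the script is the shape of each detection, not the specific numbers.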

10. Secure Configuration and Hardening

  1. Use Azure Policy to Enforce Security Standards
  2. Regularly review Storage Account Configurations
  3. Disable unused Services And Endpoints
  4. Ensure minimal Exposure to the Internet
  5. Keep Configurations Aligned with Best Practices
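An added example, not part of the original checklist, of what "regularly review Storage Account Configurations" looks like in code: an auditor that takes a storage account resource and its blob service properties and reports which of the settings from sections 1, 2, 3 and 10 are not in their hardened state. Property names are assumed to match what the ARM REST API returns for `Microsoft.Storage/storageAccounts` and `blobServices/default` (check them against live output before relying on this); both sample accounts are constructed. Customer-managed keys are "where required" in the checklist, so the key source is carried in the sample but not scored.

```python
"""Audit a storage account's configuration against checklist sections 1, 2, 3 and 10.

Inputs are the storage account resource and its blob service properties in the
shape returned by the ARM REST API (assumption: property names as exposed by
Microsoft.Storage/storageAccounts and storageAccounts/blobServices/default).
"""
from __future__ import annotations

# Constructed sample 1: a new account left on its defaults. allowSharedKeyAccess
# is absent, which the service treats as true (account keys work).
WEAK_ACCOUNT = {"name": "contosoweak", "properties": {
    "supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_0",
    "allowBlobPublicAccess": True, "publicNetworkAccess": "Enabled",
    "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices", "ipRules": []},
    "encryption": {"keySource": "Microsoft.Storage"}}}
WEAK_BLOB = {"deleteRetentionPolicy": {"enabled": False},
             "containerDeleteRetentionPolicy": {"enabled": False},
             "isVersioningEnabled": False, "changeFeed": {"enabled": False},
             "restorePolicy": {"enabled": False}}

# Constructed sample 2: the same account after the checklist has been applied.
HARDENED_ACCOUNT = {"name": "contosohard", "properties": {
    "allowSharedKeyAccess": False, "supportsHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2", "allowBlobPublicAccess": False,
    "publicNetworkAccess": "Disabled",
    "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices", "ipRules": []},
    "encryption": {"keySource": "Microsoft.Keyvault"}}}
HARDENED_BLOB = {"deleteRetentionPolicy": {"enabled": True, "days": 14},
                 "containerDeleteRetentionPolicy": {"enabled": True, "days": 14},
                 "isVersioningEnabled": True, "changeFeed": {"enabled": True},
                 "restorePolicy": {"enabled": True, "days": 7}}


def _enabled(d: dict, key: str) -> bool:
    """True only when d[key]['enabled'] is explicitly true."""
    return d.get(key, {}).get("enabled") is True


# (check id, passes(account_properties, blob_properties), why it matters / remediation)
CHECKS = [
    ("shared-key-disabled", lambda p, b: p.get("allowSharedKeyAccess") is False,
     "account keys accepted; set allowSharedKeyAccess=false once callers use Entra ID"),
    ("https-only", lambda p, b: p.get("supportsHttpsTrafficOnly") is True,
     "plain HTTP accepted; enable Secure transfer required"),
    ("tls12-minimum", lambda p, b: p.get("minimumTlsVersion") in ("TLS1_2", "TLS1_3"),
     "TLS 1.0/1.1 accepted; set minimumTlsVersion=TLS1_2"),
    ("no-anonymous-blob-access", lambda p, b: p.get("allowBlobPublicAccess") is False,
     "containers can be made public; set allowBlobPublicAccess=false"),
    ("network-restricted", lambda p, b: p.get("publicNetworkAccess") == "Disabled"
        or p.get("networkAcls", {}).get("defaultAction") == "Deny",
     "reachable from any internet IP; disable public network access or set defaultAction=Deny"),
    ("blob-soft-delete", lambda p, b: _enabled(b, "deleteRetentionPolicy"),
     "deleted blobs are unrecoverable; enable blob soft delete"),
    ("container-soft-delete", lambda p, b: _enabled(b, "containerDeleteRetentionPolicy"),
     "deleted containers are unrecoverable; enable container soft delete"),
    ("versioning", lambda p, b: b.get("isVersioningEnabled") is True,
     "overwrites destroy prior content; enable blob versioning"),
    ("change-feed", lambda p, b: _enabled(b, "changeFeed"),
     "no change feed; required for point-in-time restore and useful for forensics"),
    ("point-in-time-restore", lambda p, b: _enabled(b, "restorePolicy"),
     "no point-in-time restore; needs soft delete, versioning and change feed first"),
]


def audit_account(account: dict, blob_props: dict) -> list[tuple[str, str]]:
    """Return (check_id, reason) for every failed check; an empty list means all pass."""
    props = account.get("properties", {})
    return [(cid, why) for cid, passes, why in CHECKS if not passes(props, blob_props)]


if __name__ == "__main__":
    for acct, blob in ((WEAK_ACCOUNT, WEAK_BLOB), (HARDENED_ACCOUNT, HARDENED_BLOB)):
        failures = audit_account(acct, blob)
        print(f"{acct['name']}: {len(failures)} failing checks")
        for cid, why in failures:
            print(f"  [{cid}] {why}")
```

Each check is written as an explicit positive test (`is False`, `is True`) rather than a truthiness test so that a missing property, which the service treats as the permissive default, fails the check instead of passing it silently. The same conditions map directly onto Azure Policy aliases if you want them enforced at deployment time rather than audited afterwards.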

11. Continuous Security Operations

  1. Perform Regular Security Assessments
  2. Use Secure Score to Identify Improvements
  3. Conduct Periodic Audits
  4. Continuously Monitor Storage usage and access
  5. Update Policies Based on Evolving Threats
  6. Document and Maintain Configurations

Always use best practices. Never assume trust. Always verify access. Security is not static and must be continuously monitored, reviewed, and improved. 
