Azure Storage Vulnerability List
Found 15 vulnerabilities related to Azure Storage
- azure-storage-account-delete-unalerted: Azure Storage Account Delete Alert Not Configured POC
  Ensure that a Microsoft Azure activity log alert is fired whenever a "Delete Storage Account" event is triggered within your cloud account. An Azure activity log alert fires each time the event that matches the condition specified in the alert configuration is triggered. The alert condition that this conformity rule checks for is "Whenever the Administrative Activity Log 'Delete Storage Account (Microsoft.Storage/storageAccounts)' has 'any' Event level, with 'any' status and event is initiated by 'any'".
- azure-storage-account-update-unalerted: Azure Storage Account Create/Update Alert Not Configured POC
  Ensure that an Azure activity log alert is fired whenever "Create/Update Storage Account" events are triggered in your Microsoft Azure cloud account. Activity log alerts get triggered when a new activity log event that matches the condition specified in the alert configuration occurs. For this conformity rule, the matched condition is `Whenever the Activity Log has an event with Category="Administrative", Signal name="Create/Update Storage Account (Microsoft.Storage/storageAccounts)"`.
- azure-storage-blob-public-access: Azure Storage Blob Public Access Not Disabled POC
  Ensure that public (anonymous) access is disabled for all the blob containers available within your Microsoft Azure storage accounts in order to protect your data against unauthorized access. Disabling public access at the storage account level overrides the public access setting configured for the individual blob containers in that storage account.
- azure-storage-byok-not-used: Azure Storage Account Not Using BYOK POC
  Ensure that your Azure Storage accounts are using customer-managed keys (also known as Bring Your Own Keys - BYOKs) instead of service-managed keys (default keys used by Microsoft Azure for data encryption), in order to have more granular control over your Azure Storage data encryption and decryption process.
- azure-storage-cmk-not-used: Azure Storage Account Not Using CMK POC
  Ensure that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys (i.e., default keys used by Microsoft Azure for data encryption), in order to have more granular control over your Azure Storage data encryption and decryption process.
- azure-storage-cross-tenant-replication-disabled: Azure Storage Cross-Tenant Replication Disabled POC
  Ensure that the Cross-Tenant Replication feature is disabled for your Azure Storage accounts in order to prevent object replication across Microsoft Entra tenants. Cross-Tenant Replication enables replication of data across different Microsoft Entra tenants, allowing for redundancy and disaster recovery across organizational boundaries. Although advantageous for data accessibility and sharing, this feature also poses a significant security risk if not properly managed. Potential risks include unauthorized data access, data leakage, and compliance breaches.
- azure-storage-encryption-missing: Azure Storage Infrastructure Encryption Not Enabled POC
  Ensure that the Infrastructure Encryption feature is enabled for your Azure Storage accounts in order to use encryption at the hardware level on top of the default software encryption provided by Microsoft Azure cloud.
- azure-storage-network-unrestricted: Azure Storage Default Network Access Not Restricted POC
  Ensure that your Microsoft Azure Storage account is configured to deny access to traffic from all networks (including Internet traffic). By restricting access to your storage account default network, you add a new layer of security, since the default action is to accept connections from clients on any network. To limit access to selected networks or IP addresses, you must first change the default action from "Allow" to "Deny".
- azure-storage-overly-permissive-sap: Azure Storage Overly Permissive Stored Access Policies POC
  Ensure that your Microsoft Azure Storage shared access signatures don't have full access to your storage account resources (i.e. blob objects, files, tables, and queues) via stored access policies. A stored access policy provides an additional level of control over service-level shared access signatures, enhancing security by managing constraints for one or more shared access signatures.
- azure-storage-private-endpoint-unconfigured: Azure Storage Private Endpoint Not Configured POC
  Ensure that private endpoints are configured for Microsoft Azure Storage accounts in order to allow clients and services to securely access data located over a network via an encrypted Private Link connection.
- azure-storage-public-access: Azure Storage Publicly Accessible Web Containers POC
  Ensure that the Microsoft Azure storage container where the exported activity log files are saved is not publicly accessible from the Internet, in order to avoid exposing sensitive data and minimize security risks.
- azure-storage-queue-logging-disabled: Azure Storage Queue Logging Not Enabled POC
  Ensure that Microsoft Azure Storage Queue service logging is enabled for read, write, and delete requests. The Storage Queue service records details of both successful and failed requests, including end-to-end latency, server latency, and authentication information, which is crucial for security and compliance.
- azure-storage-static-website-review: Azure Storage Static Website Configuration Review POC
  Ensure that all the Microsoft Azure Storage accounts configured to host static websites are regularly reviewed for security and compliance purposes. Upon enabling this rule on your Cloud Conformity console, you must specify the storage account or the list of storage accounts that are expected to host static content (HTML, CSS, JavaScript, and image files).
- azure-storage-table-logging-disabled: Azure Storage Table Logging Not Enabled POC
  Ensure that Azure Storage Table service logging is enabled for read, write, and delete requests. The Azure Storage Table service stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage logging is performed server-side and allows details for both successful and failed requests to be recorded in the associated storage account.
- azure-storage-trusted-access-disabled: Azure Storage Trusted Microsoft Services Access Disabled POC
  Ensure that the "Allow trusted Microsoft services to access this storage account" exception is enabled within your Azure Storage account configuration settings to grant access to trusted cloud services.