Storage Account (Microsoft Azure, Storage)

An Azure Storage Account is a cloud-based storage solution that can be used to store and manage data for applications and services hosted in Azure or on-premises. Azure Storage Account offers several types of data storage services, including Blob storage for unstructured data such as images, videos, and documents, File storage for file shares that can be accessed by multiple virtual machines, Queue storage for reliable messaging between application components, and Table storage for structured data storage that can be accessed using REST APIs. Azure Storage Account provides high durability, availability, and scalability, allowing users to store and manage large amounts of data. It also supports multiple data redundancy options, including locally redundant storage (LRS), zone-redundant storage (ZRS), geo-redundant storage (GRS), and read-access geo-redundant storage (RA-GRS), to protect data against hardware failures, natural disasters, or other unexpected events.

Terraform Name: azurerm_storage_account

Attributes:

The following arguments are supported:

  • name - (Required) Specifies the name of the storage account. Only lowercase alphanumeric characters are allowed. Changing this forces a new resource to be created. This must be unique across the entire Azure service, not just within the resource group.
  • resource_group_name - (Required) The name of the resource group in which to create the storage account. Changing this forces a new resource to be created.
  • location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
  • account_kind - (Optional) Defines the Kind of account. Valid options are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Defaults to StorageV2.

NOTE:

Changing the account_kind value from Storage to StorageV2 does not force a new resource; the existing storage account is upgraded in place from Storage to StorageV2.

  • account_tier - (Required) Defines the Tier to use for this storage account. Valid options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid. Changing this forces a new resource to be created.

NOTE:

Blobs with a tier of Premium are of account kind StorageV2.

  • account_replication_type - (Required) Defines the type of replication to use for this storage account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS.
  • cross_tenant_replication_enabled - (Optional) Should cross Tenant replication be enabled? Defaults to true.
  • access_tier - (Optional) Defines the access tier for BlobStorage, FileStorage and StorageV2 accounts. Valid options are Hot and Cool, defaults to Hot.
  • edge_zone - (Optional) Specifies the Edge Zone within the Azure Region where this Storage Account should exist. Changing this forces a new Storage Account to be created.
  • enable_https_traffic_only - (Optional) Boolean flag which forces HTTPS if enabled; see here for more information. Defaults to true.
  • min_tls_version - (Optional) The minimum supported TLS version for the storage account. Possible values are TLS1_0, TLS1_1, and TLS1_2. Defaults to TLS1_2 for new storage accounts.

NOTE:

At this time min_tls_version is only supported in the Public Cloud, China Cloud, and US Government Cloud.

  • allow_nested_items_to_be_public - (Optional) Allow or disallow nested items within this Account to opt into being public. Defaults to true.

NOTE:

At this time allow_nested_items_to_be_public is only supported in the Public Cloud, China Cloud, and US Government Cloud.

  • shared_access_key_enabled - (Optional) Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is true.

NOTE:

Terraform uses Shared Key Authorisation to provision Storage Containers, Blobs and other items. When Shared Key access is disabled, you will need to enable the storage_use_azuread flag in the provider block to use Azure AD for authentication; however, not all Azure Storage services support Active Directory authentication.

  • public_network_access_enabled - (Optional) Whether public network access is enabled. Defaults to true.
  • default_to_oauth_authentication - (Optional) Default to Azure Active Directory authorization in the Azure portal when accessing the Storage Account. The default value is false.
  • is_hns_enabled - (Optional) Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 (see here for more information). Changing this forces a new resource to be created.

NOTE:

This can only be true when account_tier is Standard, or when account_tier is Premium and account_kind is BlockBlobStorage.

  • nfsv3_enabled - (Optional) Is NFSv3 protocol enabled? Changing this forces a new resource to be created. Defaults to false.

NOTE:

This can only be true when account_tier is Standard and account_kind is StorageV2, or when account_tier is Premium and account_kind is BlockBlobStorage. Additionally, is_hns_enabled must be true.

  • custom_domain - (Optional) A custom_domain block as documented below.
  • customer_managed_key - (Optional) A customer_managed_key block as documented below.
  • identity - (Optional) An identity block as defined below.
  • blob_properties - (Optional) A blob_properties block as defined below.
  • queue_properties - (Optional) A queue_properties block as defined below.

NOTE:

queue_properties cannot be set when account_kind is set to BlobStorage.

  • static_website - (Optional) A static_website block as defined below.

NOTE:

static_website can only be set when the account_kind is set to StorageV2 or BlockBlobStorage.

  • share_properties - (Optional) A share_properties block as defined below.
  • network_rules - (Optional) A network_rules block as documented below.
  • large_file_share_enabled - (Optional) Is Large File Share Enabled?
  • azure_files_authentication - (Optional) An azure_files_authentication block as defined below.
  • routing - (Optional) A routing block as defined below.
  • queue_encryption_key_type - (Optional) The encryption type of the queue service. Possible values are Service and Account. Changing this forces a new resource to be created. Default value is Service.
  • table_encryption_key_type - (Optional) The encryption type of the table service. Possible values are Service and Account. Changing this forces a new resource to be created. Default value is Service.

NOTE:

For queue_encryption_key_type and table_encryption_key_type, the Account key type is only allowed when account_kind is set to StorageV2.

  • infrastructure_encryption_enabled - (Optional) Is infrastructure encryption enabled? Changing this forces a new resource to be created. Defaults to false.

NOTE:

This can only be true when account_kind is StorageV2 or when account_tier is Premium and account_kind is one of BlockBlobStorage or FileStorage.

  • immutability_policy - (Optional) An immutability_policy block as defined below. Changing this forces a new resource to be created.
  • sas_policy - (Optional) A sas_policy block as defined below.
  • allowed_copy_scope - (Optional) Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. Possible values are AAD and PrivateLink.
  • sftp_enabled - (Optional) Boolean flag to enable SFTP for the storage account. Defaults to false.

NOTE:

SFTP support requires is_hns_enabled set to true. More information on SFTP support can be found here.

  • tags - (Optional) A mapping of tags to assign to the resource.
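As an added example (not taken from this page or from the azurerm provider documentation), the following configuration sets the transport, authorization and public-exposure arguments listed above to their restrictive values rather than relying on defaults, and adds the provider flag that the shared_access_key_enabled note requires. The resource group reference azurerm_resource_group.example, the account name and the tag values are assumed placeholders.

```hcl
# Added example: a storage account with the security-relevant arguments set
# explicitly rather than left at their defaults. The account name and the
# resource group reference are assumed placeholders.
provider "azurerm" {
  features {}

  # Required once shared_access_key_enabled is false: Terraform must use
  # Azure AD instead of Shared Key to manage containers, blobs and queues.
  storage_use_azuread = true
}

resource "azurerm_storage_account" "hardened" {
  name                     = "examplehardenedsa" # placeholder; must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_kind             = "StorageV2"
  account_tier             = "Standard"
  account_replication_type = "ZRS"

  # Transport: HTTPS-only and TLS1_2 are already the defaults, but pinning
  # them keeps a later change of provider defaults from relaxing them silently.
  enable_https_traffic_only = true
  min_tls_version           = "TLS1_2"

  # Authorization: with Shared Key disabled every request, including shared
  # access signatures, must be authorized through Azure AD.
  shared_access_key_enabled       = false
  default_to_oauth_authentication = true

  # Public exposure: containers and blobs cannot opt into anonymous access,
  # and the public endpoint is switched off entirely.
  allow_nested_items_to_be_public = false
  public_network_access_enabled   = false

  # Data movement and encryption at rest.
  cross_tenant_replication_enabled  = false
  allowed_copy_scope                = "AAD"
  infrastructure_encryption_enabled = true # changing this forces a new resource

  # Log SAS tokens whose lifetime exceeds one day (format DD.HH:MM:SS).
  sas_policy {
    expiration_period = "01.00:00:00"
    expiration_action = "Log"
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    environment = "production" # placeholder
  }
}
```

Each of these arguments is optional and defaults to the permissive value (shared key on, public network on, nested public items allowed), so a configuration that omits them is not wrong, only open by default; stating them makes the intent reviewable in the plan diff.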

A blob_properties block supports the following:

  • cors_rule - (Optional) A cors_rule block as defined below.
  • delete_retention_policy - (Optional) A delete_retention_policy block as defined below.
  • restore_policy - (Optional) A restore_policy block as defined below. This must be used together with a delete_retention_policy block, and with versioning_enabled and change_feed_enabled set to true.
  • versioning_enabled - (Optional) Is versioning enabled? Defaults to false.
  • change_feed_enabled - (Optional) Are change feed events enabled for the blob service? Defaults to false.
  • change_feed_retention_in_days - (Optional) The retention period for change feed events, in days. The possible values are between 1 and 146000 days (400 years). Setting this to null (or omitting it from the configuration) indicates infinite retention of the change feed.
  • default_service_version - (Optional) The API Version which should be used by default for requests to the Data Plane API if an incoming request doesn't specify an API Version.
  • last_access_time_enabled - (Optional) Is last-access-time-based tracking enabled? Defaults to false.
  • container_delete_retention_policy - (Optional) A container_delete_retention_policy block as defined below.

A cors_rule block supports the following:

  • allowed_headers - (Required) A list of headers that are allowed to be a part of the cross-origin request.
  • allowed_methods - (Required) A list of HTTP methods that are allowed to be executed by the origin. Valid options are DELETE, GET, HEAD, MERGE, POST, OPTIONS, PUT or PATCH.
  • allowed_origins - (Required) A list of origin domains that will be allowed by CORS.
  • exposed_headers - (Required) A list of response headers that are exposed to CORS clients.
  • max_age_in_seconds - (Required) The number of seconds the client should cache a preflight response.

A custom_domain block supports the following:

  • name - (Required) The Custom Domain Name to use for the Storage Account, which will be validated by Azure.
  • use_subdomain - (Optional) Should the Custom Domain Name be validated by using indirect CNAME validation?

A customer_managed_key block supports the following:

  • key_vault_key_id - (Required) The ID of the Key Vault Key. Supplying a version-less key ID enables auto-rotation of this key.
  • user_assigned_identity_id - (Required) The ID of a user assigned identity.

NOTE:

customer_managed_key can only be set when the account_kind is set to StorageV2 or account_tier set to Premium, and the identity type is UserAssigned.

A delete_retention_policy block supports the following:

  • days - (Optional) Specifies the number of days that the blob should be retained, between 1 and 365 days. Defaults to 7.

A restore_policy block supports the following:

  • days - (Required) Specifies the number of days that the blob can be restored, between 1 and 365 days. This must be less than the days specified for delete_retention_policy.

A container_delete_retention_policy block supports the following:

  • days - (Optional) Specifies the number of days that the container should be retained, between 1 and 365 days. Defaults to 7.
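The blob_properties, delete_retention_policy, restore_policy and container_delete_retention_policy blocks above interlock: restore_policy is only valid alongside a delete_retention_policy block with versioning and change feed enabled, and its window must be shorter than the blob soft-delete window. The following added example (not the page's or the provider's own code; the account name and resource group reference are placeholders) shows a combination that satisfies those constraints.

```hcl
# Added example: blob soft delete, container soft delete, versioning, change
# feed and point-in-time restore configured together. The account name and
# the resource group reference are assumed placeholders.
resource "azurerm_storage_account" "recoverable" {
  name                     = "examplerecoverablesa" # placeholder
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_kind             = "StorageV2"
  account_tier             = "Standard"
  account_replication_type = "GRS"

  blob_properties {
    versioning_enabled            = true # required by restore_policy
    change_feed_enabled           = true # required by restore_policy
    change_feed_retention_in_days = 90
    last_access_time_enabled      = true

    # Deleted or overwritten blobs stay recoverable for 30 days (1-365).
    delete_retention_policy {
      days = 30
    }

    # Deleted containers stay recoverable for 30 days as well.
    container_delete_retention_policy {
      days = 30
    }

    # Point-in-time restore window. Must be strictly less than
    # delete_retention_policy.days, so 29 is the largest valid value here.
    restore_policy {
      days = 29
    }
  }
}
```

Setting restore_policy.days equal to or greater than delete_retention_policy.days, or enabling restore_policy without versioning_enabled and change_feed_enabled, is rejected at apply time rather than at plan time, so the relationship is worth checking in review.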

An hour_metrics block supports the following:

  • enabled - (Required) Indicates whether hour metrics are enabled for the Queue service.
  • version - (Required) The version of storage analytics to configure.
  • include_apis - (Optional) Indicates whether metrics should generate summary statistics for called API operations.
  • retention_policy_days - (Optional) Specifies the number of days that logs will be retained.

An identity block supports the following:

  • type - (Required) Specifies the type of Managed Service Identity that should be configured on this Storage Account. Possible values are SystemAssigned, UserAssigned, and "SystemAssigned, UserAssigned" (to enable both).
  • identity_ids - (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Storage Account.

NOTE:

This is required when type is set to UserAssigned or "SystemAssigned, UserAssigned".

NOTE:

The assigned principal_id and tenant_id can be retrieved after the identity type has been set to SystemAssigned and Storage Account has been created. More details are available below.
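The customer_managed_key and identity blocks above are normally used together: the customer_managed_key note requires a UserAssigned identity, and a version-less key ID enables rotation. The following added example (not the page's or the provider's own code) wires those pieces up. It assumes a key vault and key already exist elsewhere in the configuration as azurerm_key_vault.example and azurerm_key_vault_key.example; the identity and account names are placeholders.

```hcl
# Added example: customer-managed key on a StorageV2 account. The key vault
# and key (azurerm_key_vault.example, azurerm_key_vault_key.example) are
# assumed to exist elsewhere; names are placeholders.
resource "azurerm_user_assigned_identity" "storage_cmk" {
  name                = "example-storage-cmk" # placeholder
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}

# The identity must be able to read, wrap and unwrap the key before the
# storage account can use it, so the account is made to depend on this policy.
resource "azurerm_key_vault_access_policy" "storage_cmk" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = azurerm_user_assigned_identity.storage_cmk.tenant_id
  object_id    = azurerm_user_assigned_identity.storage_cmk.principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

resource "azurerm_storage_account" "cmk" {
  name                     = "examplecmksa" # placeholder
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_kind             = "StorageV2" # customer_managed_key needs StorageV2 or Premium
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # customer_managed_key requires a UserAssigned identity, and identity_ids
  # is mandatory for that type.
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.storage_cmk.id]
  }

  customer_managed_key {
    # versionless_id omits the key version, so the account follows rotations
    # of the key instead of pinning one version.
    key_vault_key_id          = azurerm_key_vault_key.example.versionless_id
    user_assigned_identity_id = azurerm_user_assigned_identity.storage_cmk.id
  }

  depends_on = [azurerm_key_vault_access_policy.storage_cmk]
}
```

Without the explicit depends_on, Terraform may create the account before the access policy exists, and the first apply fails with a key-access error from the storage service.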

An immutability_policy block supports the following:

NOTE:

This argument specifies the default account-level immutability policy which is inherited and applied to objects that do not possess an explicit immutability policy at the object level. The object-level immutability policy has higher precedence than the container-level immutability policy, which has a higher precedence than the account-level immutability policy.

  • allow_protected_append_writes - (Required) When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.
  • state - (Required) Defines the mode of the policy. Disabled disables the policy; Unlocked allows the immutability retention time to be increased or decreased and the allowProtectedAppendWrites property to be toggled; Locked only allows the immutability retention time to be increased. A policy can only be created in the Disabled or Unlocked state and can be toggled between the two. Only a policy in the Unlocked state can transition to Locked, and that transition cannot be reverted.
  • period_since_creation_in_days - (Required) The immutability period for the blobs in the container since the policy creation, in days.

A logging block supports the following:

  • delete - (Required) Indicates whether all delete requests should be logged.
  • read - (Required) Indicates whether all read requests should be logged.
  • version - (Required) The version of storage analytics to configure.
  • write - (Required) Indicates whether all write requests should be logged.
  • retention_policy_days - (Optional) Specifies the number of days that logs will be retained.

A minute_metrics block supports the following:

  • enabled - (Required) Indicates whether minute metrics are enabled for the Queue service.
  • version - (Required) The version of storage analytics to configure.
  • include_apis - (Optional) Indicates whether metrics should generate summary statistics for called API operations.
  • retention_policy_days - (Optional) Specifies the number of days that logs will be retained.

A network_rules block supports the following:

  • default_action - (Required) Specifies the default action of allow or deny when no other rules match. Valid options are Deny or Allow.
  • bypass - (Optional) Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of Logging, Metrics, AzureServices, or None.
  • ip_rules - (Optional) List of public IP addresses or IP ranges in CIDR format. Only IPv4 addresses are allowed. /31 CIDRs, /32 CIDRs and private IP address ranges (as defined in RFC 1918) are not allowed.
  • virtual_network_subnet_ids - (Optional) A list of resource ids for subnets.
  • private_link_access - (Optional) One or more private_link_access blocks as defined below.

NOTE:

If specifying network_rules, one of either ip_rules or virtual_network_subnet_ids must be specified and default_action must be set to Deny.

NOTE:

Network Rules can be defined either directly on the azurerm_storage_account resource, or using the azurerm_storage_account_network_rules resource - but the two cannot be used together. If both are used against the same Storage Account, spurious changes will occur. When managing Network Rules using this resource, to change from a default_action of Deny to Allow requires defining, rather than removing, the block.

NOTE:

The CIDR prefix length of entries in ip_rules must be between 0 and 30, and only public IP addresses are supported.

NOTE:

More information on Validation is available here
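The network_rules notes above impose several constraints at once: default_action must be Deny for the block to be meaningful, at least one of ip_rules or virtual_network_subnet_ids must be present, and ip_rules accepts only public IPv4 ranges with a prefix no longer than /30. The following added example (not the page's or the provider's own code) shows a configuration that meets them. The VNet and subnet are constructed for the example, the account name is a placeholder, and 203.0.113.0/24 is the RFC 5737 documentation range used as a stand-in for a real office range.

```hcl
# Added example: storage account firewall that denies by default and allows
# one public IP range plus one service-endpoint subnet. The VNet, subnet,
# address ranges and account name are constructed placeholders.
resource "azurerm_virtual_network" "example" {
  name                = "example-vnet" # placeholder
  address_space       = ["10.10.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "app" {
  name                 = "app"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.10.1.0/24"]

  # The subnet needs the storage service endpoint for the
  # virtual_network_subnet_ids rule below to take effect.
  service_endpoints = ["Microsoft.Storage"]
}

resource "azurerm_storage_account" "restricted" {
  name                     = "examplerestrictedsa" # placeholder
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # The firewall only applies while the public endpoint exists;
  # public_network_access_enabled = false would block every network path.
  public_network_access_enabled = true

  network_rules {
    # Omitting the whole block leaves the account open to all networks
    # (equivalent to default_action = "Allow").
    default_action = "Deny"

    # Let Azure platform services, logging and metrics through the firewall.
    bypass = ["AzureServices", "Logging", "Metrics"]

    # Public IPv4 CIDR only; /31, /32 and RFC 1918 ranges are rejected.
    # 203.0.113.0/24 is the RFC 5737 documentation range (constructed value).
    ip_rules = ["203.0.113.0/24"]

    virtual_network_subnet_ids = [azurerm_subnet.app.id]
  }
}
```

As the notes say, manage the rules either here or with azurerm_storage_account_network_rules, never both, and to reopen the account later keep the block and set default_action = "Allow" rather than deleting it, or the plan will not reflect the change.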

A private_link_access block supports the following:

  • endpoint_resource_id - (Required) The resource id of the resource access rule to be granted access.
  • endpoint_tenant_id - (Optional) The tenant ID of the resource named in the resource access rule to be granted access. Defaults to the current tenant ID.

An azure_files_authentication block supports the following:

  • directory_type - (Required) Specifies the directory service used. Possible values are AADDS, AD and AADKERB.
  • active_directory - (Optional) An active_directory block as defined below. Required when directory_type is AD.

NOTE:

If directory_type is set to AADKERB, active_directory is not supported. Use icacls to configure directory and file level permissions.

An active_directory block supports the following:

  • storage_sid - (Required) Specifies the security identifier (SID) for Azure Storage.
  • domain_name - (Required) Specifies the primary domain that the AD DNS server is authoritative for.
  • domain_sid - (Required) Specifies the security identifier (SID).
  • domain_guid - (Required) Specifies the domain GUID.
  • forest_name - (Required) Specifies the Active Directory forest.
  • netbios_domain_name - (Required) Specifies the NetBIOS domain name.

A routing block supports the following:

  • publish_internet_endpoints - (Optional) Should internet routing storage endpoints be published? Defaults to false.
  • publish_microsoft_endpoints - (Optional) Should Microsoft routing storage endpoints be published? Defaults to false.
  • choice - (Optional) Specifies the kind of network routing chosen by the user. Possible values are InternetRouting and MicrosoftRouting. Defaults to MicrosoftRouting.

A queue_properties block supports the following:

  • cors_rule - (Optional) A cors_rule block as defined above.
  • logging - (Optional) A logging block as defined below.
  • minute_metrics - (Optional) A minute_metrics block as defined below.
  • hour_metrics - (Optional) An hour_metrics block as defined below.

A sas_policy block supports the following:

  • expiration_period - (Required) The SAS expiration period in format of DD.HH:MM:SS.
  • expiration_action - (Optional) The SAS expiration action. The only possible value is Log at this moment. Defaults to Log.

A static_website block supports the following:

  • index_document - (Optional) The webpage that Azure Storage serves for requests to the root of a website or any subfolder. For example, index.html. The value is case-sensitive.
  • error_404_document - (Optional) The absolute path to a custom webpage that should be used when a request is made which does not correspond to an existing file.

A share_properties block supports the following:

  • cors_rule - (Optional) A cors_rule block as defined above.
  • retention_policy - (Optional) A retention_policy block as defined below.
  • smb - (Optional) A smb block as defined below.

A retention_policy block supports the following:

  • days - (Optional) Specifies the number of days that the azurerm_storage_share should be retained, between 1 and 365 days. Defaults to 7.

A smb block supports the following:

  • versions - (Optional) A set of SMB protocol versions. Possible values are SMB2.1, SMB3.0, and SMB3.1.1.
  • authentication_types - (Optional) A set of SMB authentication methods. Possible values are NTLMv2, and Kerberos.
  • kerberos_ticket_encryption_type - (Optional) A set of Kerberos ticket encryption types. Possible values are RC4-HMAC, and AES-256.
  • channel_encryption_type - (Optional) A set of SMB channel encryption types. Possible values are AES-128-CCM, AES-128-GCM, and AES-256-GCM.
  • multichannel_enabled - (Optional) Indicates whether multichannel is enabled. Defaults to false. This is only supported on Premium storage accounts.

Create Storage Account via Terraform:

The following HCL manages an Azure storage account. Syntax:

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_storage_account" "example" {
  # Globally unique, lowercase alphanumeric only; changing it recreates the account.
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  # account_kind is omitted and so defaults to StorageV2; the optional security
  # arguments (shared key, public network access, nested public items) keep
  # their permissive defaults unless set explicitly.

  tags = {
    environment = "staging"
  }
}

Create Storage Account via CLI:

Parameters:

az storage account create --name
                         --resource-group
                         [--access-tier {Cool, Hot, Premium}]
                         [--account-type]
                         [--action]
                         [--allow-append {false, true}]
                         [--allow-blob-public-access {false, true}]
                         [--allow-cross-tenant-replication {false, true}]
                         [--allow-shared-key-access {false, true}]
                         [--assign-identity]
                         [--azure-storage-sid]
                         [--bypass {AzureServices, Logging, Metrics, None}]
                         [--custom-domain]
                         [--default-action {Allow, Deny}]
                         [--default-share-permission {None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader}]
                         [--dns-endpoint-type {AzureDnsZone, Standard}]
                         [--domain-guid]
                         [--domain-name]
                         [--domain-sid]
                         [--edge-zone]
                         [--enable-alw {false, true}]
                         [--enable-files-aadds {false, true}]
                         [--enable-files-aadkerb {false, true}]
                         [--enable-files-adds {false, true}]
                         [--enable-hierarchical-namespace {false, true}]
                         [--enable-large-file-share]
                         [--enable-local-user {false, true}]
                         [--enable-nfs-v3 {false, true}]
                         [--enable-sftp {false, true}]
                         [--encryption-key-name]
                         [--encryption-key-source {Microsoft.Keyvault, Microsoft.Storage}]
                         [--encryption-key-type-for-queue {Account, Service}]
                         [--encryption-key-type-for-table {Account, Service}]
                         [--encryption-key-vault]
                         [--encryption-key-version]
                         [--encryption-services {blob, file, queue, table}]
                         [--forest-name]
                         [--https-only {false, true}]
                         [--identity-type {None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned}]
                         [--immutability-period]
                         [--immutability-state {Disabled, Locked, Unlocked}]
                         [--key-exp-days]
                         [--key-vault-federated-client-id]
                         [--key-vault-user-identity-id]
                         [--kind {BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2}]
                         [--location]
                         [--min-tls-version {TLS1_0, TLS1_1, TLS1_2}]
                         [--net-bios-domain-name]
                         [--public-network-access {Disabled, Enabled}]
                         [--publish-internet-endpoints {false, true}]
                         [--publish-microsoft-endpoints {false, true}]
                         [--require-infrastructure-encryption {false, true}]
                         [--routing-choice {InternetRouting, MicrosoftRouting}]
                         [--sam-account-name]
                         [--sas-exp]
                         [--sku {Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS}]
                         [--subnet]
                         [--tags]
                         [--user-identity-id]
                         [--vnet-name]

Example:

az storage account create -n mystorageaccount -g MyResourceGroup -l westus --sku Standard_LRS
