Ensure Private Endpoints are used to access Storage Accounts

Use private endpoints for your Azure Storage accounts so that clients and services access account data securely over your virtual network via an encrypted Private Link, rather than over the public endpoint.

Risk Level: Medium
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.NET.68
Covered by Spectral: No
Category: Storage

GSL LOGIC

StorageAccount should have privateEndpointConnections contain [ privateLinkServiceConnectionState.status='Approved' ]
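The GSL expression above can be evaluated offline against the JSON that `az storage account show` returns. The following Python is an added example written for this page, not CloudGuard's own engine: it loads a constructed sample of three accounts (a real subscription would be queried with the CLI), applies the rule, and adds one caveat check the rule itself does not make, namely whether `publicNetworkAccess` is still `Enabled`, since an approved private endpoint alone does not close the public path. The account names, IDs and the `load_sample`/`evaluate` helpers are assumptions made for this example.

```python
"""Evaluate the logic of CloudGuard rule D9.AZU.NET.68 against storage account JSON.

The sample documents below are constructed for this example and mimic the shape
of `az storage account show` output; they are not real account data.
"""
import json

SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stcompliant01",
   "publicNetworkAccess": "Disabled",
   "privateEndpointConnections": [
     {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Storage/storageAccounts/stcompliant01/privateEndpointConnections/pe-blob-1",
      "privateLinkServiceConnectionState": {"status": "Approved", "description": "Auto-approved"}}]},
  {"name": "stpending02",
   "publicNetworkAccess": "Enabled",
   "privateEndpointConnections": [
     {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Storage/storageAccounts/stpending02/privateEndpointConnections/pe-blob-2",
      "privateLinkServiceConnectionState": {"status": "Pending", "description": "Awaiting approval"}}]},
  {"name": "stnoendpoint03",
   "publicNetworkAccess": "Enabled",
   "privateEndpointConnections": []}
]
"""


def load_sample() -> list:
    """Parse the constructed sample; in practice this would be CLI output."""
    return json.loads(SAMPLE_ACCOUNTS_JSON)


def has_approved_private_endpoint(account: dict) -> bool:
    """GSL: privateEndpointConnections contain
    [ privateLinkServiceConnectionState.status='Approved' ]."""
    for conn in account.get("privateEndpointConnections") or []:
        state = conn.get("privateLinkServiceConnectionState") or {}
        if state.get("status") == "Approved":
            return True
    return False


def public_access_still_enabled(account: dict) -> bool:
    """Caveat beyond the rule: an approved endpoint does not by itself disable
    the public endpoint; publicNetworkAccess must also be 'Disabled'."""
    return account.get("publicNetworkAccess", "Enabled") != "Disabled"


def evaluate(accounts: list) -> dict:
    """Map each account name to PASS/FAIL under the rule, with a warning flag
    for accounts that pass the rule but still expose the public endpoint."""
    report = {}
    for acct in accounts:
        result = "PASS" if has_approved_private_endpoint(acct) else "FAIL"
        if result == "PASS" and public_access_still_enabled(acct):
            result = "PASS (public access still enabled)"
        report[acct["name"]] = result
    return report


if __name__ == "__main__":
    for name, verdict in evaluate(load_sample()).items():
        print(f"{name}: {verdict}")
```

Run it directly to print one verdict per account; a pending or missing connection fails the rule exactly as the GSL expression does.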

REMEDIATION

From Portal

  1. Go to 'Storage Accounts'.
  2. For each listed Storage Account, perform the following check:
  3. Under the Security + networking heading, click on Networking.
  4. Click on the Private Endpoint Connections tab at the top of the networking window.
  5. Ensure that for each VNet that the Storage Account must be accessed from, a unique Private Endpoint is deployed and the Connection State for each Private Endpoint is Approved.

From TF
Use the code below to create a Private Endpoint for a Storage Account (replace the placeholder values with your own):

resource "azurerm_private_endpoint" "example" {
	name                = "example-endpoint"
	location            = "<LOCATION>"             # e.g. the storage account's region
	resource_group_name = "<RESOURCE-GROUP>"       # resource group for the endpoint
	subnet_id           = "<SUBNET-ID>"            # subnet in the VNet that must reach the account

	private_service_connection {
		name                           = "example-privateserviceconnection"
		private_connection_resource_id = "<STORAGE-ACCOUNT-ID>"  # resource ID of the storage account
		is_manual_connection           = false                   # auto-approves the connection
		subresource_names              = ["blob"]                # target service, same values as --group-id below
	}
}

From Command Line
Use the command below to create the private endpoint for a Storage Account; --group-id takes exactly one of the listed storage sub-resources (create one endpoint per sub-resource you need):

az network private-endpoint create --resource-group RESOURCEGROUP --location LOCATION --name PRIVATE-ENDPOINT --vnet-name VNET --subnet SUBNET --private-connection-resource-id STORAGE-ACCOUNTID --connection-name PRIVATE-LINK-CONNECTION --group-id blob|blob_secondary|file|file_secondary|table|table_secondary|queue|queue_secondary|web|web_secondary|dfs|dfs_secondary

References

  1. https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
  2. https://registry.terraform.io/providers/hashicorp/azurerm/3.40.0/docs/resources/private_endpoint.html
  3. https://learn.microsoft.com/en-us/cli/azure/network/private-endpoint?view=azure-cli-latest#az-network-private-endpoint-create

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset