Ensure Private Endpoints are used to access Storage Accounts
Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link.
Risk Level: Medium
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.NET.68
Covered by Spectral: No
Category: Storage
GSL LOGIC
StorageAccount should have privateEndpointConnections contain [ privateLinkServiceConnectionState.status='Approved' ]
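The GSL rule above can be expressed as a small check over the JSON that `az storage account show` prints. The following script is an added example, not CloudGuard's own evaluator; the three storage-account records in it are constructed, and the helper names `has_approved_private_endpoint` and `evaluate` are this example's own.

```python
"""Evaluate the D9.AZU.NET.68 logic against Storage Account JSON.

Added example, not CloudGuard code. Input follows the camelCase shape
`az storage account show` emits; every record below is constructed.
"""
import json
from typing import Any

# Constructed sample: one account with an Approved endpoint, one whose
# endpoint is still Pending, and one with no private endpoint at all.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stcompliant001",
   "privateEndpointConnections": [
     {"id": "/subscriptions/PLACEHOLDER/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stcompliant001/privateEndpointConnections/pe-blob",
      "privateEndpoint": {"id": "/subscriptions/PLACEHOLDER/resourceGroups/rg-demo/providers/Microsoft.Network/privateEndpoints/pe-blob"},
      "privateLinkServiceConnectionState": {"status": "Approved", "description": "Auto-approved"}}
   ]},
  {"name": "stpending002",
   "privateEndpointConnections": [
     {"privateLinkServiceConnectionState": {"status": "Pending", "description": "Awaiting approval"}}
   ]},
  {"name": "stnoendpoint003",
   "privateEndpointConnections": []}
]
"""


def has_approved_private_endpoint(account: dict[str, Any]) -> bool:
    """GSL: privateEndpointConnections contain
    [ privateLinkServiceConnectionState.status='Approved' ]."""
    connections = account.get("privateEndpointConnections") or []
    for conn in connections:
        state = conn.get("privateLinkServiceConnectionState") or {}
        # Exact match: Pending, Rejected and Disconnected all fail the rule.
        if state.get("status") == "Approved":
            return True
    return False


def evaluate(accounts_json: str) -> dict[str, str]:
    """Map each account name to PASS or FAIL for this rule."""
    accounts = json.loads(accounts_json)
    return {
        a["name"]: ("PASS" if has_approved_private_endpoint(a) else "FAIL")
        for a in accounts
    }


if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_ACCOUNTS_JSON).items():
        print(f"{verdict}  {name}")
```

To run it against a real subscription, replace SAMPLE_ACCOUNTS_JSON with the output of `az storage account list`. Note that an Approved connection shows a private path exists; it does not by itself block public access, which is governed by the account's network rules and is a separate control.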
REMEDIATION
From Portal
- Go to 'Storage Accounts'.
- For each listed Storage Account, perform the following check:
- Under the Security + networking heading, click on Networking.
- Click on the Private Endpoint Connections tab at the top of the networking window.
- Ensure that for each VNet that the Storage Account must be accessed from, a unique Private Endpoint is deployed and the Connection State for each Private Endpoint is Approved.
From TF
Use the code below, replacing the var.* references with your own values, to create a Private Endpoint for the Storage Account:
resource "azurerm_private_endpoint" "example" {
  name                = "example-endpoint"
  location            = var.location            # region of the subnet, e.g. "westeurope"
  resource_group_name = var.resource_group_name
  subnet_id           = var.subnet_id           # subnet in the VNet that needs private access

  private_service_connection {
    name                           = "example-privateserviceconnection"
    private_connection_resource_id = var.storage_account_id # resource ID of the Storage Account
    is_manual_connection           = false                  # auto-approve, so the connection state becomes Approved
    subresource_names              = ["blob"]               # one endpoint per sub-service: blob, file, table, queue, web or dfs
  }
}
From Command Line
Use the command below, choosing one sub-service for --group-id, to create the private endpoint for the Storage Account:
az network private-endpoint create --resource-group RESOURCEGROUP --location LOCATION --name PRIVATE-ENDPOINT --vnet-name VNET --subnet SUBNET --private-connection-resource-id STORAGE-ACCOUNTID --connection-name PRIVATE-LINK-CONNECTION --group-id blob|blob_secondary|file|file_secondary|table|table_secondary|queue|queue_secondary|web|web_secondary|dfs|dfs_secondary
References
- https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
- https://registry.terraform.io/providers/hashicorp/azurerm/3.40.0/docs/resources/private_endpoint.html
- https://learn.microsoft.com/en-us/cli/azure/network/private-endpoint?view=azure-cli-latest#az-network-private-endpoint-create
Azure Storage Account
An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.
Compliance Frameworks
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated over 1 year ago