Governance policies for Storage Account
Domain: azure-storage
| Name | Description |
|---|---|
| Storage account with security baseline | Complete storage deployment with RBAC, private endpoint, blob versioning, diagnostics, and role assignment |
| Anti-pattern | Instead |
|---|---|
| Do not use shared key or account key for application access | Use managed identity with Storage Blob Data Contributor role |
| Do not enable public blob access for internal data | Disable public access and use private endpoints with managed identity |
| Do not use SAS tokens for long-lived access | Use managed identity RBAC for application access; use user delegation SAS only for short-lived anonymous access |
- Storage security recommendations
- Storage account overview
- Storage private endpoints
- WAF: Azure Blob Storage service guide
- Blob data protection overview
- Immutable storage for blobs
| Check | Severity | Description |
|---|---|---|
| AZ-ST-001 | Required | Create Storage Account with shared key disabled, public blob access disabled, TLS 1.2, HTTPS-only, and public network access disabled |
| AZ-ST-002 | Recommended | Enable blob versioning and soft delete for data protection |
| AZ-ST-003 | Recommended | Enable diagnostic settings to Log Analytics workspace |
| AZ-ST-004 | Recommended | Configure lifecycle management policies for cost optimization |
| AZ-ST-005 | Recommended | Configure zone-redundant or geo-zone-redundant storage replication |
| AZ-ST-006 | Recommended | Enable point-in-time restore for block blob data protection |
| AZ-ST-007 | Recommended | Apply an Azure Resource Manager lock on the storage account |
| AZ-ST-008 | Recommended | Enable immutability policies for compliance-critical blob data |
AZ-ST-001: Create Storage Account with shared key disabled, public blob access disabled, TLS 1.2, HTTPS-only, and public network access disabled
Severity: Required
Rationale: Shared keys grant full account access and cannot be scoped; public blob access risks data exposure; TLS 1.2 is the minimum secure transport
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Storage/storageAccounts
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-storage-blob | Private endpoint for blob storage — required when publicNetworkAccess is Disabled |
| Microsoft.Network/privateDnsZones | privatelink.blob.core.windows.net | Private DNS zone for blob storage private endpoint resolution |
| Microsoft.Authorization/roleAssignments | Storage Blob Data Contributor | Storage Blob Data Contributor role (ba92f5b4-2d11-453d-a403-e96b0029c9fe) for application identity |
AZ-ST-002: Enable blob versioning and soft delete for data protection
Severity: Recommended
Rationale: Allows recovery from accidental deletion or overwrites
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Storage/storageAccounts
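Evaluating an exported storage account against AZ-ST-001 and AZ-ST-002, as an added example that is not part of this policy set or its agents: it assumes the ARM JSON property names (allowSharedKeyAccess, allowBlobPublicAccess, minimumTlsVersion, supportsHttpsTrafficOnly, publicNetworkAccess, isVersioningEnabled, deleteRetentionPolicy) and runs over constructed sample resources rather than a live subscription.

```python
from typing import Optional

# Added example (not this project's code). Input is shaped like the ARM JSON of a
# Microsoft.Storage/storageAccounts resource and its blobServices/default child.
# A missing property is treated as the insecure platform default
# (shared key allowed, public access allowed, TLS 1.0, public network enabled).
def evaluate_storage_account(account: dict, blob_service: Optional[dict] = None) -> list:
    props = account.get("properties", {})
    findings = []

    def check(check_id, severity, ok, message):
        if not ok:
            findings.append({"check": check_id, "severity": severity, "message": message})

    # AZ-ST-001 (Required): each sub-control is reported on its own so a
    # reviewer sees exactly which setting is missing. TLS1_3 is accepted where the API version offers it.
    check("AZ-ST-001", "Required", props.get("allowSharedKeyAccess") is False,
          "allowSharedKeyAccess must be false: shared keys grant unscoped full access")
    check("AZ-ST-001", "Required", props.get("allowBlobPublicAccess") is False,
          "allowBlobPublicAccess must be false")
    check("AZ-ST-001", "Required", props.get("minimumTlsVersion") in ("TLS1_2", "TLS1_3"),
          "minimumTlsVersion must be TLS1_2 or higher")
    check("AZ-ST-001", "Required", props.get("supportsHttpsTrafficOnly") is True,
          "supportsHttpsTrafficOnly must be true")
    check("AZ-ST-001", "Required", props.get("publicNetworkAccess") == "Disabled",
          "publicNetworkAccess must be Disabled; reach the account through a private endpoint")

    # AZ-ST-002 (Recommended): versioning and soft delete are properties of the
    # blob service child resource, not of the account itself.
    bprops = (blob_service or {}).get("properties", {})
    retention = bprops.get("deleteRetentionPolicy", {})
    check("AZ-ST-002", "Recommended", bprops.get("isVersioningEnabled") is True,
          "isVersioningEnabled must be true")
    check("AZ-ST-002", "Recommended",
          retention.get("enabled") is True and retention.get("days", 0) >= 1,
          "deleteRetentionPolicy must be enabled with a retention period in days")
    return findings

# Constructed sample resources; no real subscription or account behind them.
NONCOMPLIANT = {"name": "stlegacy01", "type": "Microsoft.Storage/storageAccounts",
                "properties": {"allowSharedKeyAccess": True, "allowBlobPublicAccess": True,
                               "minimumTlsVersion": "TLS1_0", "supportsHttpsTrafficOnly": True,
                               "publicNetworkAccess": "Enabled"}}
BASELINE = {"name": "stbaseline01", "type": "Microsoft.Storage/storageAccounts",
            "properties": {"allowSharedKeyAccess": False, "allowBlobPublicAccess": False,
                           "minimumTlsVersion": "TLS1_2", "supportsHttpsTrafficOnly": True,
                           "publicNetworkAccess": "Disabled"}}
BASELINE_BLOB = {"properties": {"isVersioningEnabled": True,
                                "deleteRetentionPolicy": {"enabled": True, "days": 7}}}
```

Calling `evaluate_storage_account(NONCOMPLIANT)` returns four Required findings for AZ-ST-001 and two Recommended findings for AZ-ST-002, while the baseline pair returns none.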
AZ-ST-003: Enable diagnostic settings to Log Analytics workspace
Severity: Recommended
Rationale: Audit trail for storage access and performance monitoring
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.Storage/storageAccounts
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/diagnosticSettings | diag-storage | Diagnostic settings for blob storage to Log Analytics |
AZ-ST-004: Configure lifecycle management policies for cost optimization
Severity: Recommended
Rationale: Automatically tier or delete blobs based on age and access patterns
Agents: cloud-architect, terraform-agent, bicep-agent, cost-analyst
- Microsoft.Storage/storageAccounts
AZ-ST-005: Configure zone-redundant or geo-zone-redundant storage replication
Severity: Recommended
Rationale: WAF Reliability: ZRS replicates across availability zones; GZRS adds cross-region protection for maximum durability and availability during outages
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Storage/storageAccounts
AZ-ST-006: Enable point-in-time restore for block blob data protection
Severity: Recommended
Rationale: WAF Reliability: Point-in-time restore protects against accidental blob deletion or corruption, allowing restoration of block blob data to an earlier state
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Storage/storageAccounts
AZ-ST-007: Apply an Azure Resource Manager lock on the storage account
Severity: Recommended
Rationale: WAF Security: Locking the account prevents accidental deletion and resulting data loss
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Storage/storageAccounts
AZ-ST-008: Enable immutability policies for compliance-critical blob data
Severity: Recommended
Rationale: WAF Security: Immutability policies protect blobs stored for legal, compliance, or other business purposes from being modified or deleted
Agents: cloud-architect, terraform-agent, bicep-agent, security-reviewer
- Microsoft.Storage/storageAccounts