Skip to main content

lacework-global-534

3.10 Use Private Endpoints to access Storage Accounts (Automated)

note

This rule has been changed to automated, see Automated Policies for CIS Azure 1.5.0 for details.

Profile Applicability

• Level 1

Description

Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it.

Rationale

Securing traffic between services through encryption protects the data from easy interception and reading.

Impact

There is no cost in deploying VNets between Azure resources. If improperly implemented, it may result in loss of critical network traffic.

Audit

From Azure Portal

  1. Open the Storage Accounts blade.
  2. For each list Storage Account, perform the following check:
  3. Under the Security + networking heading, click on Networking.
  4. Click on the Private Endpoint Connections tab at the top of the networking window.
  5. Ensure that for each VNet that the Storage Account must be accessed from, a unique Private Endpoint is deployed and the Connection State for each Private Endpoint is Approved

Repeat the procedure for each Storage Account.

Remediation

From Azure Portal

  1. Open the Storage Accounts blade.
  2. For each listed Storage Account, perform the following:
  3. Under the Security + networking heading, click Networking.
  4. Click the Private Endpoint Connections tab at the top of the networking window.
  5. Click the + Private endpoint button.
  6. In the 1 - Basics tab:
    • Enter a recognizable name to associate with the Storage Account (Note: The "Network Interface Name" is automatically completed, but you can customize it if needed).
    • Ensure that the Region matches the region of the Storage Account.
    • Click Next.
  7. In the 2 - Resource tab:
    • Select the target sub-resource based on the type of storage resource.
    • Click Next.
  8. In the 3 - Virtual Network tab:
    • Select the Virtual network for your Storage Account.
    • Select the Subnet for your Storage Account.
    • (Optional) Select other network settings as appropriate for your environment.
    • Click Next.
  9. In the 4 - Domain Name System (DNS) tab:
    • (Optional) Select other DNS settings as appropriate for your environment.
    • Click Next.
  10. In the 5 - Tags tab:
    • (Optional) Set any tags that are relevant to your organization.
    • Click Next.
  11. In the 6 - Review + create tab:
    • A validation attempt occurs and after a few moments it should indicate Validation Passed.
    • If it does not pass, review your settings before beginning more in depth troubleshooting.
    • If validation has passed, click Create then wait for a few minutes for the scripted deployment to complete.

Repeat the preceding procedure for each Private Endpoint required within every Storage Account.

References

https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal
https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-cli?tabs=dynamic-ip
https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-powershell?tabs=dynamic-ip
https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls

Additional Information

A Network Address Translation (NAT) gateway is the recommended solution for outbound internet access.