lacework-global-534
3.10 Ensure Private Endpoints are used to access Storage Accounts (Automated)
note
This rule has been changed to automated, see Automated Rules for CIS Azure 1.5.0 for details.
Profile Applicability
• Level 1
Description
Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it.
Rationale
Securing traffic between services through encryption protects the data from easy interception and reading.
Impact
There is no cost in deploying VNets between Azure resources. If improperly implemented, it may result in loss of critical network traffic.
Audit
From Azure Portal
- Open the
Storage Accountsblade. - For each list Storage Account, perform the following check:
- Under the
Security + networkingheading, click onNetworking. - Click on the
Private Endpoint Connectionstab at the top of the networking window. - Ensure that for each VNet that the Storage Account must be accessed from, a unique Private Endpoint is deployed and the Connection State for each Private Endpoint is
Approved
Repeat the procedure for each Storage Account.
Remediation
From Azure Portal
- Open the
Storage Accountsblade - For each list Storage Account, perform the following:
- Under the
Security + networkingheading, click onNetworking - Click on the
Private Endpoint Connectionstab at the top of the networking window - Click the
+Private endpointbutton - In the
1 - Basicstab/step:Enter a namethat will be easily recognizable as associated with the Storage Account (Note: The "Network Interface Name" will be automatically completed, but you can customize it if needed.)- Ensure that the
Regionmatches the region of the Storage Account - Click
Next
- In the
2 - Resourcetab/step:- Select the
target sub-resourcebased on what type of storage resource is being made available - Click
Next
- Select the
- In the
3 - Virtual Networktab/step:- Select the
Virtual networkthat your Storage Account will be connecting to - Select the
Subnetthat your Storage Account will be connecting to - (Optional) Select other network settings as appropriate for your environment
- Click
Next
- Select the
- In the
4 - DNStab/step:- (Optional) Select other DNS settings as appropriate for your environment
- Click
Next
- In the
5 - Tagstab/step:- (Optional) Set any tags that are relevant to your organization
- Click
Next
- In the
6 - Review + createtab/step:- A validation attempt will be made and after a few moments it should indicate
Validation Passed- if it does not pass, double-check your settings before beginning more in depth troubleshooting. - If validation has passed, click
Createthen wait for a few minutes for the scripted deployment to complete.
- A validation attempt will be made and after a few moments it should indicate
Repeat the above procedure for each Private Endpoint required within every Storage Account.
References
https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal
https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-cli?tabs=dynamic-ip
https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-powershell?tabs=dynamic-ip
https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls
Additional Information
A NAT gateway is the recommended solution for outbound internet access.