Ensure that private endpoints are configured for your Microsoft Azure Storage accounts so that clients and services reach the stored data over an Azure Private Link connection from your virtual network, rather than over the storage account's public endpoint.
This rule can help you with the following compliance standards:
- CISAZUREF
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Routing storage traffic through a private endpoint keeps it on the Microsoft backbone network and off the public Internet, which removes the exposure to interception techniques such as eavesdropping and Man-in-the-Middle (MITM) attacks and lets you close the storage account's public endpoint altogether. To get this protection, ensure that your Azure Storage accounts are configured with private endpoints. A private endpoint is a network interface that takes a private IP address from one of your Virtual Network (VNet) subnets; it connects the VNet to an Azure service such as Azure Storage, Azure SQL Database, or Azure App Service through Azure Private Link, so clients reach the service without it being exposed to the Internet. Three details matter in practice: each storage sub-resource (blob, file, queue, table, web, dfs) needs its own private endpoint; the account name must resolve to the private IP, which is normally done with a privatelink DNS zone such as privatelink.blob.core.windows.net linked to the VNet; and creating a private endpoint does not by itself disable the public endpoint, so also set the account's public network access to Disabled (or the storage firewall default action to Deny) and keep "Secure transfer required" enabled so that every connection uses TLS.
Audit
To determine if private endpoints are used to access your Microsoft Azure Storage accounts, perform the following actions:
Remediation / Resolution
In Azure cloud, you can use private endpoints to privately connect to a service or resource. To create and configure private endpoints for your Microsoft Azure Storage accounts, perform the following actions:
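The following script is an added example that covers both the Audit and the Remediation steps with the Azure CLI commands listed in the References; it is not Conformity's own tooling. The storage account, resource group, VNet and subnet names are supplied by the caller and the endpoint, connection and DNS link names it derives from them are hypothetical. The audit classifies each account from three values that `az storage account show` returns, and deliberately reports an account that has a private endpoint but still exposes its public endpoint as a separate state, since the private endpoint alone does not close the public path.

```shell
#!/bin/sh
# Added example, not Conformity's code: audit and remediate Azure Storage
# private endpoints with the Azure CLI. Resource names are hypothetical.
set -e

# Classify one storage account from three values of `az storage account show`:
# the number of privateEndpointConnections, publicNetworkAccess and
# networkRuleSet.defaultAction. A private endpoint alone does not block the
# public endpoint; the account is isolated only when public access is
# Disabled or the firewall default action is Deny.
evaluate_exposure() {
    pe_count="$1"; public_access="$2"; default_action="$3"
    if [ "$pe_count" -eq 0 ]; then
        echo "NON_COMPLIANT"         # no Private Link path at all
    elif [ "$public_access" = "Disabled" ] || [ "$default_action" = "Deny" ]; then
        echo "COMPLIANT"             # private endpoint present, public endpoint closed
    else
        echo "PRIVATE_ENDPOINT_ONLY" # private endpoint present, public endpoint still open
    fi
}

# Audit: classify every storage account in the current subscription.
# The JMESPath `||` defaults keep the tsv row at three fields even when
# publicNetworkAccess is null on older accounts.
audit_all() {
    az storage account list --query "[].[name,resourceGroup]" -o tsv |
    while IFS="$(printf '\t')" read -r name rg; do
        set -- $(az storage account show --name "$name" --resource-group "$rg" \
            --query "[length(privateEndpointConnections), publicNetworkAccess || 'Unset', networkRuleSet.defaultAction || 'Allow']" \
            -o tsv)
        printf '%s/%s\t%s\n' "$rg" "$name" "$(evaluate_exposure "$1" "$2" "$3")"
    done
}

# Remediation: add a blob private endpoint, publish the private IP through the
# privatelink DNS zone linked to the VNet, then close the public endpoint.
# Repeat with --group-id file/queue/table (and the matching privatelink zone)
# for every other sub-resource the clients use; each needs its own endpoint.
remediate() {
    name="$1"; rg="$2"; vnet="$3"; subnet="$4"
    zone="privatelink.blob.core.windows.net"
    account_id=$(az storage account show --name "$name" --resource-group "$rg" --query id -o tsv)

    az network private-endpoint create --name "${name}-blob-pe" --resource-group "$rg" \
        --vnet-name "$vnet" --subnet "$subnet" \
        --private-connection-resource-id "$account_id" \
        --group-id blob --connection-name "${name}-blob-conn"

    az network private-dns zone create --resource-group "$rg" --name "$zone"
    az network private-dns link vnet create --resource-group "$rg" --zone-name "$zone" \
        --name "${vnet}-link" --virtual-network "$vnet" --registration-enabled false
    az network private-endpoint dns-zone-group create --resource-group "$rg" \
        --endpoint-name "${name}-blob-pe" --name default \
        --private-dns-zone "$zone" --zone-name blob

    # Without this step the storage account stays reachable from the Internet.
    az storage account update --name "$name" --resource-group "$rg" \
        --public-network-access Disabled
}

# Usage: STORAGE_ACCOUNT=acct RESOURCE_GROUP=rg VNET=vnet SUBNET=subnet sh pe.sh
if [ -n "${STORAGE_ACCOUNT:-}" ]; then
    remediate "$STORAGE_ACCOUNT" "$RESOURCE_GROUP" "$VNET" "$SUBNET"
    audit_all
fi
```

Run the audit on its own by calling `audit_all` after `az login`; accounts reported as `PRIVATE_ENDPOINT_ONLY` already satisfy the rule as stated but still accept connections on their public endpoint, so treat them as unfinished remediation. Disabling public network access will also cut off any client that is not in the VNet, including portal-based browsing of the account, so confirm the private DNS resolution from a VM inside the VNet before applying it to production accounts.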
References
- Azure Official Documentation
- Security Control v3: Network security
- Use private endpoints for Azure Storage
- Quickstart: Create a private endpoint by using the Azure portal
- Quickstart: Create a private endpoint by using the Azure CLI
- Tutorial: Connect to a storage account using an Azure Private Endpoint
- Azure Command Line Interface (CLI) Documentation
- az storage account list
- az storage account show
- az network private-endpoint create