Create an Azure storage accounts baseline

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. Storage Accounts also need to secured.

Require security-enhanced transfers

Another step you should take to ensure the security of your Azure Storage data is to encrypt the data between the client and Azure Storage. The first recommendation is to always use the HTTPS protocol, which ensures secure communication over the public Internet. You can enforce the use of HTTPS when calling the REST APIs to access objects in storage accounts by enabling Secure transfer required for the storage account. Connections using HTTP will be refused once this is enabled.

1. Go to Storage Accounts under All services.
2. Select the storage account.
3. Under Settings, select Configuration.
4. Ensure Secure Transfer required is set to Enabled.

Enable binary large object (blob) encryption

Azure Blob storage is Microsoft's object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that does not adhere to a particular data model or definition, such as text or binary data. Storage service encryption protects your data at rest. Azure Storage encrypts your data as it's written in its datacenters, and automatically decrypts it for you as you access it.

1. Go to Storage Accounts under Azure services.
2. Select the storage account.
3. Under Settings, select Encryption.
4. Azure Storage encryption is enabled for all new and existing storage accounts and cannot be disabled.

Periodically regenerate access keys

When you create a storage account, Azure generates two 512-bit storage access keys, which are used for authentication when the storage account is accessed. Rotating these keys periodically ensures that any inadvertent access or exposure to these keys could be undermined.

1. Go to Storage Accounts under Azure services.
2. Select the storage account.
3. For the storage account, go to Activity log.
4. Under Timespan drop-down, select Custom and choose Start Time and End Time so it creates a 90 day range.
5. Click Apply. 

Require Shared Access Signature (SAS) tokens to expire within an hour

A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a shared access signature to clients who should not be trusted with your storage account key but to whom you wish to delegate access to certain storage account resources. By distributing a shared access signature URI to these clients, you can grant them access to a resource for a specified period of time, with a specified set of permissions.

Currently verification of a SAS token expiry times cannot be accomplished. Until Microsoft makes token expiry time as a setting rather than a token creation parameter, this recommendation would require a manual verification.

1. Go to Storage Accounts.
2. Select the existing account.
3. For the storage account, go to Shared Access signature.
4. Set the Start and expiry date/time.
5. Set Allowed protocols to HTTPS only. Both SAS features are shown below. 

Require only private access to blob containers

You can enable anonymous, public read access to a container and its blobs in Azure Blob storage. By doing so, you can grant read-only access to these resources without sharing your account key, and without requiring a shared access signature (SAS). By default, a container and any blobs within it may be accessed only by a user that has been given appropriate permissions. To grant anonymous users read access to a container and its blobs, you can set the container public access level. When you grant public access to a container, then anonymous users can read blobs within a publicly accessible container without authorizing the request.

1. Go to Storage Accounts.
2. For the storage account, select Containers under Blob Service.
3. Click + Container.
4. Give the container the name az500 and click OK.
5. Ensure that Public access level to Private.