If you saw the post last week about Azure Blueprints and some others, you will know I’ve been focused a lot on modern Azure administration and security. One of the cornerstone pieces of content that Microsoft produces to aid security efforts in Azure is the Azure Security Best Practices PDF. It is linked from this Docs page, which serves as a springboard to many other security resources.
In many of those resources, a consistent theme is to consider Azure Security Center. I have decided to enable it for my storage accounts and will share here the steps to enable it and the result afterwards. My expectation is that it will be more comprehensive than the free Azure Advisor (which is good!). Let’s start at the Security Center page in the Azure console:
Before I upgrade my account to enable Azure Security Center, note the bottom right where expected costs are shown; most accounts should be able to get a free trial. I am going to focus on my storage accounts, since this account doesn’t have any virtual machines or other services. After I enable it, it asks to push an agent out to virtual machines (but this does not apply to this Azure account). When I return to the Overview page, Azure Security Center has immediately updated its display to provide some information about my storage accounts:
Right away, some red resource hygiene items are displayed. Additionally, I am shown where these services would sit in relation to the PCI DSS, Azure CIS and ISO 27001 standards. This would be very helpful if these Azure services were in scope of an audit.
I immediately investigate the red entries: they are identity problems, because there is only one owner of the subscription. The same cause also applies to another recommendation, having multiple owners with Multi-Factor Authentication enabled. So right away there is usable information, but it does not apply to this specific account.
I’m rather focused on my storage accounts as I have some sensitive information across all of them (special Azure files, backup data in blobs and more).
Unfortunately, there are no recommendations for the storage accounts in this Azure subscription. That’s good in that Azure Advisor has already guided me through a number of options, but related to my storage accounts there is one important observation. There is a low-priority recommendation to enable Azure Key Vault diagnostic logs. This is important, as I have used my own encryption keys for all storage accounts. If the logs are enabled, the next question is where they are stored. They are written to the storage account in a container called “insights-logs-auditevent”. The Azure docs link above explains how to access these logs (I will cover this in a subsequent post, as it is important). Here is the recommendation for diagnostics for the Azure Key Vault:
This is one of the recommendation types that we can correct with the “One-Click Fix”, which applies the change from Security Center instead of requiring a visit to that resource’s own configuration area. The fix takes you here to enable diagnostics logging:
On the final step, I select how long the diagnostics are to be kept and which Log Analytics workspace they are sent to:
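As an added example (not code from the original post), here is a Python check a defender can run over the JSON that `az monitor diagnostic-settings list --resource <key-vault-id>` returns for a Key Vault, to confirm that the AuditEvent category is actually enabled, where it is sent (storage account, and therefore the insights-logs-auditevent container, or a Log Analytics workspace) and that storage retention meets a minimum. The sample JSON is constructed, and the camelCase key names are assumed to match the CLI output.

```python
"""Audit a Key Vault's diagnostic settings for the AuditEvent log recommendation."""
import json

# Constructed sample in the shape of `az monitor diagnostic-settings list` output
# (assumed camelCase keys; the subscription id is a placeholder).
SAMPLE_SETTINGS = json.loads("""
[
  {
    "name": "kv-audit",
    "storageAccountId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo",
    "workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.OperationalInsights/workspaces/law-demo",
    "logs": [
      {"category": "AuditEvent", "enabled": true,
       "retentionPolicy": {"enabled": true, "days": 90}}
    ]
  }
]
""")

SINK_KEYS = ("storageAccountId", "workspaceId", "eventHubAuthorizationRuleId")


def audit_key_vault_diagnostics(settings, min_days=90):
    """Return (ok, findings) for one vault's diagnostic settings.

    ok is True only when AuditEvent is enabled and sent to at least one sink.
    findings lists what to fix (missing logging, short retention) or confirm
    (which storage account holds the insights-logs-auditevent container).
    """
    if isinstance(settings, dict):  # older CLI versions wrap the list in {"value": [...]}
        settings = settings.get("value", [])
    findings, audit_enabled = [], False
    for setting in settings:
        name = setting.get("name", "<unnamed>")
        sinks = [k for k in SINK_KEYS if setting.get(k)]
        for log in setting.get("logs", []):
            if log.get("category") != "AuditEvent" or not log.get("enabled"):
                continue
            if not sinks:
                findings.append(f"{name}: AuditEvent enabled but has no destination")
                continue
            audit_enabled = True
            if "storageAccountId" in sinks:
                account = setting["storageAccountId"].rsplit("/", 1)[-1]
                findings.append(f"{name}: audit log lands in container insights-logs-auditevent of {account}")
                policy = log.get("retentionPolicy") or {}
                # Storage retention: enabled with days=0 means keep forever; 0 < days < min is too short.
                if policy.get("enabled") and 0 < policy.get("days", 0) < min_days:
                    findings.append(f"{name}: retention below {min_days} days")
    if not audit_enabled:
        findings.append("no diagnostic setting sends AuditEvent logs anywhere")
    return audit_enabled, findings
```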
At this point, I have made some changes and have some additional visibility into the security of the Azure storage accounts I am using in this subscription. I want to add a few more elements to the subscription and see what Security Center advises as the subscription grows. Do you use Security Center? If so, for storage accounts? Share your usage and observations below.