last sync: 2021-Aug-04 14:59:26 UTC

Azure Policy definition

Storage accounts should prevent shared key access

Name: Storage accounts should prevent shared key access
Id: 8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54
Version: 1.0.0
Category: Storage
Description: Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft.
Mode: Indexed
Type: BuiltIn
Preview: FALSE
Deprecated: FALSE
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Used RBAC Role: none
History:
Date/Time (UTC ymd) | Change type | Change detail
2021-06-22 14:29:30 | add | 8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54
Used in Initiatives: none
JSON
{
  "properties": {
    "displayName": "Storage accounts should prevent shared key access",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft.",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/allowSharedKeyAccess",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54"
}