last sync: 2025-Apr-29 17:16:02 UTC

Storage accounts should prevent shared key access (excluding storage accounts created by Databricks)

Azure BuiltIn Policy definition

Source Azure Portal
Display name Storage accounts should prevent shared key access (excluding storage accounts created by Databricks)
Id fd9903f1-38c2-4d36-8e44-5c1c20c561e8
Version 1.0.0
Versioning Versions supported: 1 (1.0.0); Built-in Versioning [Preview]
Category Storage
Description Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft.
Cloud environments AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown
Available in AzUSGov Unknown: no evidence whether this Policy definition is or is not available in AzureUSGovernment
Assessment(s) Assessments count: 1
Assessment Id: b2edb1f9-2b69-49a2-8b34-9e3ad49fd0f7
DisplayName: Storage accounts should prevent shared key access
Description: Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft.
Remediation description: To disable shared key access for your storage account: 1. Navigate to your storage account in Azure Portal. 2. Set Configuration -> Setting -> Allow shared key access to disabled. For more information, see the documentation https://docs.microsoft.com/azure/storage/common/shared-key-authorization-prevent?tabs=portal#remediate-authorization-via-shared-key.
Categories: Data
Severity: Medium
preview: True
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default: Audit; Allowed: Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Storage/storageAccounts/allowSharedKeyAccess Microsoft.Storage storageAccounts properties.allowSharedKeyAccess True True
Rule resource types IF (1)
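The remediation description above and the single rule alias (properties.allowSharedKeyAccess) together decide what this definition flags. The following Python script is an added example written for this page, not the published policy JSON of fd9903f1-38c2-4d36-8e44-5c1c20c561e8: it reconstructs a rule of that shape, evaluates it offline against constructed storage account resource documents, and shows the Audit and Deny outcomes. Two things are assumptions and are marked as such in the code: the exact rule body (in particular, the Databricks exclusion is modelled as a check on tags['application'], which the page does not specify), and the sample resource documents, which are invented.

```python
"""Offline evaluation of an Azure Policy rule on the alias
Microsoft.Storage/storageAccounts/allowSharedKeyAccess.

Added example for this page; the rule below is a reconstruction, not the
published JSON of definition fd9903f1-38c2-4d36-8e44-5c1c20c561e8.
"""
from typing import Any, Optional

# ASSUMPTION: the real definition excludes Databricks-created accounts in a
# way this page does not show; here the exclusion is modelled as a tag check.
POLICY_RULE: dict[str, Any] = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/allowSharedKeyAccess",
             "notEquals": "false"},
            {"not": {"field": "tags['application']", "equals": "databricks"}},
        ]
    },
    "then": {"effect": "[parameters('effect')]"},
}

# Alias -> JSON path, as listed in the "Rule aliases" table on this page.
ALIASES = {
    "Microsoft.Storage/storageAccounts/allowSharedKeyAccess":
        ("properties", "allowSharedKeyAccess"),
}


def get_field(resource: dict, field: str) -> Any:
    """Resolve a policy 'field' (type, tags['x'] or an alias) on a resource."""
    if field == "type":
        return resource.get("type")
    if field.startswith("tags['") and field.endswith("']"):
        return (resource.get("tags") or {}).get(field[6:-2])
    cur: Any = resource
    for part in ALIASES[field]:  # KeyError for an alias this script does not know
        cur = (cur or {}).get(part)
    return cur


def norm(value: Any) -> Optional[str]:
    """Policy string comparisons are case-insensitive and compare booleans in
    their lowercase string form; a missing field is null (None here)."""
    return None if value is None else str(value).lower()


def condition_matches(cond: dict, resource: dict) -> bool:
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource)
    actual = norm(get_field(resource, cond["field"]))
    if "equals" in cond:
        return actual == norm(cond["equals"])
    if "notEquals" in cond:
        # null != "false" is true: an account that never set the property is
        # flagged, because the platform default is to allow shared key access.
        return actual != norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource: dict, effect: str = "Audit") -> str:
    """'compliant' / 'non-compliant' under Audit, 'denied' under Deny (which only
    bites on create/update requests), 'not-evaluated' under Disabled."""
    if effect == "Disabled":
        return "not-evaluated"
    if effect not in ("Audit", "Deny"):
        raise ValueError("effect must be one of Audit, Deny, Disabled")
    if not condition_matches(POLICY_RULE["if"], resource):
        return "compliant"
    return "denied" if effect == "Deny" else "non-compliant"


def sample_accounts() -> dict[str, dict]:
    """Constructed resource documents for the demo (not real accounts)."""
    sa = "Microsoft.Storage/storageAccounts"
    return {
        "keys-disabled": {"type": sa, "properties": {"allowSharedKeyAccess": False}},
        "keys-enabled": {"type": sa, "properties": {"allowSharedKeyAccess": True}},
        "property-unset": {"type": sa, "properties": {}},
        "databricks-managed": {"type": sa, "tags": {"application": "databricks"},
                               "properties": {"allowSharedKeyAccess": True}},
        "not-a-storage-account": {"type": "Microsoft.KeyVault/vaults"},
    }


def report(effect: str = "Audit") -> dict[str, str]:
    """Evaluate every sample resource under the given effect."""
    return {name: evaluate(res, effect) for name, res in sample_accounts().items()}


if __name__ == "__main__":
    for name, state in report().items():
        print(f"{name:24} {state}")
```

The "property-unset" case is the one to watch: an account whose ARM document never carries allowSharedKeyAccess is non-compliant, because Azure treats the absent property as shared key access allowed. The portal step in the remediation description has CLI equivalents, `az storage account update -g <rg> -n <name> --allow-shared-key-access false` and `Set-AzStorageAccount -ResourceGroupName <rg> -Name <name> -AllowSharedKeyAccess $false`. Before flipping it, inventory clients that still present the account key or an account/service SAS (both are signed with the account key and will get 403 afterwards); Entra ID tokens and user delegation SAS keep working. The alias is listed as Modifiable, but this definition only allows Audit, Deny and Disabled, so Deny prevents new or updated accounts from re-enabling shared key access while existing accounts still need the manual or scripted change.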
Compliance Not a Compliance control
Initiatives usage none
History
Date/Time (UTC ymd) Change type Change detail
2025-03-03 18:38:02 add fd9903f1-38c2-4d36-8e44-5c1c20c561e8
JSON compare n/a
JSON api-version=2021-06-01