Overview
Use private endpoints for your Azure Storage accounts so that clients and services access the data over an encrypted Private Link. The private endpoint takes an IP address from your VNet for each storage service, so traffic between services traverses the VNet encrypted. The VNet can also link address spaces, extend your network, and reach other resources, and it can act as a tunnel across public networks to connect remote infrastructure. Segmenting network traffic this way adds further protection by keeping outside sources from reaching it.
Rationale
Securing traffic between services through encryption protects the data from easy interception and reading.
Impact
A Private Endpoint costs approximately US$7.30 per month. If an Azure Virtual Network is not implemented correctly, critical network traffic may be lost.
Default Value
By default, Private Endpoints are not created for Storage Accounts.
Remediation guidance
From Azure Console
- Open the Storage Accounts blade.
- For each listed Storage Account, perform the following:
  - Under the Security + networking heading, click Networking.
  - Click on the Private Endpoint Connections tab at the top of the networking window.
  - Click the + Private endpoint button.
  - In the 1 - Basics tab/step:
    - Enter a name that will be easily recognizable as associated with the Storage Account (Note: the "Network Interface Name" will be automatically completed, but you can customize it if needed).
    - Ensure that the Region matches the region of the Storage Account.
    - Click Next.
  - In the 2 - Resource tab/step:
    - Select the target sub-resource based on what type of storage resource is being made available.
    - Click Next.
  - In the 3 - Virtual Network tab/step:
    - Select the Virtual network to which your Storage Account will be connected.
    - Select the Subnet to which your Storage Account will be connected.
    - (Optional) Select other network settings that are appropriate for your environment.
    - Click Next.
  - In the 4 - DNS tab/step:
    - (Optional) Select other DNS settings as appropriate for your environment.
    - Click Next.
  - In the 5 - Tags tab/step:
    - (Optional) Set any tags that are relevant to your organization.
    - Click Next.
  - In the 6 - Review + create tab/step: a validation attempt will be made, and after a few moments it should indicate Validation Passed. If it does not pass, double-check your settings before beginning more in-depth troubleshooting.
    - If validation has passed, click Create, then wait a few minutes for the scripted deployment to complete.
- Repeat the above procedure for each Private Endpoint required within every Storage Account.
From PowerShell
# Look up the storage account that the private endpoint will expose
$storageAccount = Get-AzStorageAccount -ResourceGroupName '<resource_group_name>' -Name '<storageaccountname>'
$privateEndpointConnection = @{
    Name                 = 'connectionName'
    PrivateLinkServiceId = $storageAccount.Id
    # Choose exactly one sub-resource for this endpoint, e.g. 'blob' or 'file':
    # blob | blob_secondary | file | file_secondary | table | table_secondary |
    # queue | queue_secondary | web | web_secondary | dfs | dfs_secondary
    GroupID              = 'blob'
}
$privateLinkServiceConnection = New-AzPrivateLinkServiceConnection @privateEndpointConnection
# Virtual network and subnet in which the private endpoint's IP address is allocated
$virtualNetDetails = Get-AzVirtualNetwork -ResourceGroupName '<resource_group_name>' -Name '<name>'
$privateEndpoint = @{
    ResourceGroupName            = '<resource_group_name>'    # resource group for the private endpoint
    Name                         = '<private_endpoint_name>'
    Location                     = '<location>'               # must match the storage account's region
    Subnet                       = $virtualNetDetails.Subnets[0]  # first subnet; pick the one intended for endpoints
    PrivateLinkServiceConnection = $privateLinkServiceConnection
}
New-AzPrivateEndpoint @privateEndpoint
From Azure CLI
az network private-endpoint create \
  --resource-group <resource_group_name> \
  --location <location> \
  --name <private_endpoint_name> \
  --vnet-name <vnet_name> \
  --subnet <subnet_name> \
  --private-connection-resource-id <storage_account_id> \
  --connection-name <connection_name> \
  --group-id <blob|blob_secondary|file|file_secondary|table|table_secondary|queue|queue_secondary|web|web_secondary|dfs|dfs_secondary>
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Azure Storage Accounts Without Private Endpoints
Connectors
Covered asset types
Expected check: eq []
{
  storageAccounts(
    where: {
      privateEndpoints_NONE: {
        type: "Microsoft.Storage/storageAccounts/privateEndpointConnections"
      }
    }
  ) {
    ...AssetFragment
  }
}
Microsoft Azure
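The stored check above flags storage accounts that have no private endpoint connection at all. The following script is an added example (not part of this control page or any vendor tool) that applies the same rule to records shaped like the output of `az storage account list -o json`, with one caveat the stored query does not cover: a connection whose state is still Pending or Rejected does not yet provide private access, so by default those accounts are flagged too. For each flagged account it builds the `az network private-endpoint create` command from the Azure CLI remediation section. The sample records, the all-zero subscription ID, and the `pe-<account>-<group>` naming convention are constructed assumptions.

```python
"""Detect Azure Storage accounts without a usable private endpoint and build
the matching remediation command.

Added example; not part of the original control page. Input records mimic the
shape of `az storage account list -o json`, trimmed to the fields used here.
The sample data below is constructed (all-zero subscription ID placeholder).
"""
import json
import shlex

# Constructed sample data: one account with no connection, one with an
# approved connection, one whose only connection is still pending approval.
SAMPLE_ACCOUNTS_JSON = """
[
  {
    "name": "stprodlogs",
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprodlogs",
    "resourceGroup": "rg-prod",
    "location": "eastus",
    "privateEndpointConnections": []
  },
  {
    "name": "stprodblob",
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprodblob",
    "resourceGroup": "rg-prod",
    "location": "eastus",
    "privateEndpointConnections": [
      {
        "name": "pe-stprodblob-blob-conn",
        "privateEndpoint": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Network/privateEndpoints/pe-stprodblob-blob"},
        "privateLinkServiceConnectionState": {"status": "Approved"}
      }
    ]
  },
  {
    "name": "stdevfiles",
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/stdevfiles",
    "resourceGroup": "rg-dev",
    "location": "westus",
    "privateEndpointConnections": [
      {
        "name": "pe-stdevfiles-file-conn",
        "privateEndpoint": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev/providers/Microsoft.Network/privateEndpoints/pe-stdevfiles-file"},
        "privateLinkServiceConnectionState": {"status": "Pending"}
      }
    ]
  }
]
"""

# Sub-resources a storage account private endpoint can target
# (the --group-id values from the CLI remediation).
VALID_GROUP_IDS = frozenset({
    "blob", "blob_secondary", "file", "file_secondary", "table", "table_secondary",
    "queue", "queue_secondary", "web", "web_secondary", "dfs", "dfs_secondary",
})


def load_sample_accounts():
    """Parse the constructed sample records."""
    return json.loads(SAMPLE_ACCOUNTS_JSON)


def approved_connections(account):
    """Connections in state Approved; Pending or Rejected ones grant no access yet."""
    return [
        c for c in account.get("privateEndpointConnections", [])
        if c.get("privateLinkServiceConnectionState", {}).get("status") == "Approved"
    ]


def accounts_without_private_endpoint(accounts, require_approved=True):
    """Names of accounts the control flags. With require_approved=False this is
    the stored query's rule (no connection at all); the default additionally
    flags accounts whose only connections are not yet Approved."""
    flagged = []
    for acct in accounts:
        conns = (approved_connections(acct) if require_approved
                 else acct.get("privateEndpointConnections", []))
        if not conns:
            flagged.append(acct["name"])
    return flagged


def remediation_command(account, vnet_name, subnet_name, group_id):
    """Build the page's `az network private-endpoint create` call for one
    account and one sub-resource. The pe-<account>-<group> name is an assumption."""
    if group_id not in VALID_GROUP_IDS:
        raise ValueError(f"unknown group id {group_id!r}")
    pe_name = f"pe-{account['name']}-{group_id}"
    args = [
        "az", "network", "private-endpoint", "create",
        "--resource-group", account["resourceGroup"],
        "--location", account["location"],          # must match the account's region
        "--name", pe_name,
        "--vnet-name", vnet_name,
        "--subnet", subnet_name,
        "--private-connection-resource-id", account["id"],
        "--connection-name", f"{pe_name}-conn",
        "--group-id", group_id,
    ]
    return shlex.join(args)


if __name__ == "__main__":
    accounts = load_sample_accounts()
    by_name = {a["name"]: a for a in accounts}
    for name in accounts_without_private_endpoint(accounts):
        print(remediation_command(by_name[name], "vnet-prod", "snet-storage", "blob"))
```

Run it against real data by replacing `SAMPLE_ACCOUNTS_JSON` with the output of `az storage account list -o json`; the printed commands are a review list for batch remediation, not something to pipe straight into a shell, since the VNet, subnet and sub-resource differ per account.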