{
"categories": [
{
"name": "身份和訪問管理"
},
{
"name": "網路拓撲和連接"
},
{
"name": "BC 和DR"
},
{
"name": "治理與安全"
},
{
"name": "成本治理"
},
{
"name": "運營管理"
},
{
"name": "應用程式部署"
},
{
"name": "安全"
}
],
"items": [
{
"category": "安全",
"description": "應用與存儲相關的 Microsoft 雲安全基準中的指導",
"guid": "d237de14-3b16-4c21-b7aa-9b64604489a8",
"id": "A01.01",
"link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "概述",
"text": "請考慮「存儲的 Azure 安全基線」",
"waf": "安全"
},
{
"category": "安全",
"description": "默認情況下,Azure 儲存具有公共IP位址,並且可通過Internet訪問。專用終結點允許僅向需要訪問的 Azure 計算資源安全地公開 Azure 存儲,從而消除對公共 Internet 的暴露",
"guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b",
"id": "A02.01",
"link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints",
"service": "Azure Storage",
"severity": "高",
"subcategory": "聯網",
"text": "考慮將專用終結點用於 Azure 存儲",
"waf": "安全"
},
{
"category": "安全",
"description": "新創建的存儲帳戶是使用ARM部署模型創建的,因此 RBAC、審核等都已啟用。確保訂閱中沒有具有經典部署模型的舊存儲帳戶",
"guid": "30e37c3e-2971-41b2-963c-eee079b598de",
"id": "A03.01",
"link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "統轄",
"text": "確保較舊的存儲帳戶未使用“經典部署模型”",
"waf": "安全"
},
{
"category": "安全",
"description": "利用 Microsoft Defender 瞭解可疑活動和錯誤配置。",
"guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d",
"id": "A03.02",
"link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure",
"service": "Azure Storage",
"severity": "高",
"subcategory": "統轄",
"text": "為所有存儲帳戶啟用 Microsoft Defender",
"waf": "安全"
},
{
"category": "安全",
"description": "軟刪除機制允許恢復意外刪除的 blob。",
"guid": "503547c1-447e-4c66-828a-7100f1ce16dd",
"id": "A04.01",
"link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "數據可用性",
"text": "為 blob 啟用“軟刪除”",
"waf": "安全"
},
{
"category": "安全",
"description": "考慮有選擇地禁用某些 blob 容器的「軟刪除」。例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。",
"guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e",
"id": "A05.01",
"link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "保密性",
"text": "禁用 blob 的“軟刪除”",
"waf": "安全"
},
{
"category": "安全",
"description": "容器的軟刪除使您能夠在刪除容器后恢復容器,例如從意外刪除操作中恢復。",
"guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a",
"id": "A06.01",
"link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview",
"service": "Azure Storage",
"severity": "高",
"subcategory": "數據可用性",
"text": "為容器啟用“軟刪除”",
"waf": "安全"
},
{
"category": "安全",
"description": "考慮有選擇地禁用某些 blob 容器的「軟刪除」。例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。",
"guid": "3e3453a3-c863-4964-ab65-2d6c15f51296",
"id": "A07.01",
"link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "保密性",
"text": "禁用容器的“軟刪除”",
"waf": "安全"
},
{
"category": "安全",
"description": "通過強制使用者先刪除刪除鎖,然後再刪除存儲帳戶,防止意外刪除存儲帳戶",
"guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64",
"id": "A08.01",
"link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource",
"service": "Azure Storage",
"severity": "高",
"subcategory": "數據可用性",
"text": "在存儲帳戶上啟用資源鎖定",
"waf": "安全"
},
{
"category": "安全",
"description": "請考慮對 blob 使用“合法保留”或“基于時間的保留”策略,以便無法刪除 blob、容器或存儲帳戶。請注意,「不可能」實際上意味著「不可能」;一旦存儲帳戶包含不可變的 blob,「擺脫」該存儲帳戶的唯一方法是取消 Azure 訂閱。",
"guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956",
"id": "A09.01",
"link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview",
"service": "Azure Storage",
"severity": "高",
"subcategory": "數據可用性、合規性",
"text": "考慮不可變的 blob",
"waf": "安全"
},
{
"category": "安全",
"description": "請考慮禁用對存儲帳戶的未受保護的 HTTP/80 訪問,以便對所有數據傳輸進行加密、完整性保護,並且對伺服器進行身份驗證。",
"guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0",
"id": "A10.01",
"link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer",
"service": "Azure Storage",
"severity": "高",
"subcategory": "聯網",
"text": "需要 HTTPS,即在儲存帳戶上禁用埠 80",
"waf": "安全"
},
{
"category": "安全",
"description": "在儲存帳戶上配置自定義域(主機名)時,請檢查是否需要 TLS/HTTPS;如果是這樣,可能需要將 Azure CDN 放在存儲帳戶的前面。",
"guid": "79b588de-fc49-472c-b3cd-21bf77036e5e",
"id": "A10.02",
"link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name",
"service": "Azure Storage",
"severity": "高",
"subcategory": "聯網",
"text": "強制執行 HTTPS(禁用 HTTP)時,請確認儲存帳戶未使用自定義域 (CNAME)。",
"waf": "安全"
},
{
"category": "安全",
"description": "當用戶端使用SAS令牌訪問 blob 資料時,要求使用 HTTPS 有助於最大程度地降低憑據丟失的風險。",
"guid": "6b4bed3d-5035-447c-8347-dc56028a71ff",
"id": "A10.03",
"link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "聯網",
"text": "將共享訪問簽名 (SAS) 令牌限製為僅 HTTPS 連接",
"waf": "安全"
},
{
"category": "安全",
"description": "強制執行最新的 TLS 版本將拒絕來自使用舊版本的用戶端的請求。",
"graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant",
"guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55",
"id": "A10.4",
"link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version",
"service": "Azure Storage",
"severity": "高",
"subcategory": "聯網",
"text": "強制實施存儲帳戶的最新 TLS 版本",
"waf": "安全"
},
{
"category": "安全",
"description": "在可能的情況下,應優先使用 Microsoft Entra ID 令牌,而不是共用訪問簽名",
"guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4",
"id": "A11.01",
"link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access",
"service": "Azure Storage",
"severity": "高",
"subcategory": "身份和訪問管理",
"text": "使用 Microsoft Entra ID 令牌進行 blob 訪問",
"waf": "安全"
},
{
"category": "安全",
"description": "為使用者、組或應用程式分配角色時,請僅授予該安全主體執行任務所需的許可權。限制對資源的訪問有助於防止無意和惡意濫用數據。",
"guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6",
"id": "A11.02",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "身份和訪問管理",
"text": "IAM 許可權中的最小特權",
"waf": "安全"
},
{
"category": "安全",
"description": "使用者委派 SAS 使用 Azure Active Directory (Azure AD) 憑據以及為 SAS 指定的許可權進行保護。使用者委派 SAS 在範圍和功能方面類似於服務 SAS,但與服務 SAS 相比,它提供了安全優勢。",
"guid": "55461e1a-3e34-453a-9c86-39648b652d6c",
"id": "A11.03",
"link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas",
"service": "Azure Storage",
"severity": "高",
"subcategory": "身份和訪問管理",
"text": "使用 SAS 時,首選「使用者委派 SAS」,而不是基於存儲帳戶密鑰的 SAS。",
"waf": "安全"
},
{
"category": "安全",
"description": "存儲帳戶金鑰(“共用金鑰”)幾乎沒有審核功能。雖然可以監控誰/何時獲取了密鑰的副本,但一旦密鑰掌握在多人手中,就不可能將使用方式歸因於特定使用者。僅依賴 Entra ID 身份驗證可以更輕鬆地將存儲訪問許可權與用戶綁定。",
"graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant",
"guid": "15f51296-5398-4e6d-bd22-7dd142b06c21",
"id": "A11.04",
"link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key",
"service": "Azure Storage",
"severity": "高",
"subcategory": "身份和訪問管理",
"text": "請考慮禁用存儲帳戶密鑰,以便僅支援 Microsoft Entra ID 訪問(和使用者委派 SAS)。",
"waf": "安全"
},
{
"category": "安全",
"description": "使用活動日誌數據來確定查看或更改存儲帳戶安全性的“時間”、“人員”、“內容”和“方式”(即存儲帳戶密鑰、訪問策略等)。",
"guid": "d7999a64-6f43-489a-af42-c78e78c06a73",
"id": "A12.01",
"link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity",
"service": "Azure Storage",
"severity": "高",
"subcategory": "監測",
"text": "請考慮使用 Azure Monitor 審核存儲帳戶上的控制平面操作",
"waf": "安全"
},
{
"category": "安全",
"description": "通過金鑰過期策略,您可以設置帳戶訪問金鑰輪換的提醒。如果已過指定的時間間隔且尚未輪換金鑰,則會顯示提醒。",
"guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1",
"id": "A13.01",
"link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "身份和訪問管理",
"text": "使用存儲帳戶密鑰時,請考慮啟用“金鑰過期策略”",
"waf": "安全"
},
{
"category": "安全",
"description": "SAS 過期策略指定了 SAS 的有效時間間隔。SAS 過期策略適用於服務 SAS 或帳戶 SAS。當使用者生成的服務 SAS 或帳戶 SAS 的有效期間隔大於建議的時間間隔時,他們將看到警告。",
"guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf",
"id": "A13.02",
"link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "身份和訪問管理",
"text": "考慮配置 SAS 過期策略",
"waf": "安全"
},
{
"category": "安全",
"description": "通過存儲訪問策略,可以選擇撤銷服務 SAS 的許可權,而無需重新生成存儲帳戶密鑰。",
"guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
"id": "A13.03",
"link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "身份和訪問管理",
"text": "考慮將 SAS 連結到儲存存取策略",
"waf": "安全"
},
{
"category": "安全",
"guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
"id": "A14.01",
"link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "CI/CD",
"text": "請考慮配置應用程式的原始程式碼儲存庫,以檢測簽入的連接字串和存儲帳戶密鑰。",
"waf": "安全"
},
{
"category": "安全",
"description": "理想情況下,應用程式應使用託管標識向 Azure 儲存進行身份驗證。如果無法做到這一點,請考慮在 Azure KeyVault 或等效服務中擁有存儲憑據(連接字串、存儲帳戶密鑰、SAS、服務主體憑據)。",
"guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
"id": "A15.01",
"link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys",
"service": "Azure Storage",
"severity": "高",
"subcategory": "身份和訪問管理",
"text": "請考慮在 Azure KeyVault 中儲存連接字串(在無法使用託管標識的情況下)",
"waf": "安全"
},
{
"category": "安全",
"description": "在臨時 SAS 服務 SAS 或帳戶 SAS 上使用近期過期時間。這樣,即使 SAS 遭到入侵,它也只會在短時間內有效。如果無法引用存儲訪問策略,則這種做法尤為重要。近期過期時間還通過限制可用於上傳到 blob 的時間來限制可以寫入 blob 的數據量。",
"guid": "27138b82-1102-4cac-9eae-01e6e842e52f",
"id": "A15.02",
"link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
"service": "Azure Storage",
"severity": "高",
"subcategory": "身份和訪問管理",
"text": "爭取縮短臨時 SAS 的有效期",
"waf": "安全"
},
{
"category": "安全",
"description": "創建 SAS 時,請盡可能具體且具有限制性。首選單一資源和操作的 SAS,而不是提供更廣泛訪問許可權的 SAS。",
"guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c",
"id": "A15.03",
"link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "身份和訪問管理",
"text": "對SAS應用窄範圍",
"waf": "安全"
},
{
"category": "安全",
"description": "SAS 可以包含用戶端 IP 位址或位址範圍有權使用 SAS 請求資源的參數。",
"guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a",
"id": "A15.04",
"link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "身份和訪問管理",
"text": "盡可能考慮將SAS的範圍限定為特定的用戶端IP位址",
"waf": "安全"
},
{
"category": "安全",
"description": "SAS無法限制用戶端上傳的數據量;考慮到存儲量隨時間變化的定價模型,驗證用戶端是否惡意上傳了大量內容可能很有意義。",
"guid": "348b263e-6dd6-4051-8a36-498f6dbad38e",
"id": "A15.05",
"service": "Azure Storage",
"severity": "低",
"subcategory": "身份和訪問管理",
"text": "在用戶端使用SAS上傳檔后,請考慮檢查上傳的數據。",
"waf": "安全"
},
{
"category": "安全",
"description": "使用「本地使用者帳戶」通過 SFTP 訪問 blob 儲存時,“通常”的 RBAC 控制不適用。通過 NFS 或 REST 進行的 Blob 訪問可能比 SFTP 訪問更具限制性。遺憾的是,截至 2023 年初,本地使用者是 SFTP 端點目前支援的唯一身份管理形式",
"guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8",
"id": "A15.06",
"link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model",
"service": "Azure Storage",
"severity": "高",
"subcategory": "身份和訪問管理",
"text": "SFTP:限制 SFTP 訪問的「本地使用者」數量,並審核隨著時間的推移是否需要訪問。",
"waf": "安全"
},
{
"category": "安全",
"guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38",
"id": "A15.07",
"link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "身份和訪問管理",
"text": "SFTP:SFTP 端點不支持類似 POSIX 的 ACL。",
"waf": "安全"
},
{
"category": "安全",
"description": "存儲支援 CORS(跨源資源分享),即一種 HTTP 功能,使來自不同域的 Web 應用程式能夠放鬆同源策略。啟用 CORS 時,請將 CorsRules 保留為最低許可權。",
"guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3",
"id": "A16.01",
"link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services",
"service": "Azure Storage",
"severity": "高",
"subcategory": "聯網",
"text": "避免過於寬泛的 CORS 策略",
"waf": "安全"
},
{
"category": "安全",
"description": "靜態數據始終在伺服器端加密,此外也可能在用戶端加密。伺服器端加密可能使用平臺管理的金鑰(預設)或客戶管理的金鑰進行。用戶端加密可以通過讓用戶端按 blob 向 Azure 儲存提供加密/解密金鑰,或者完全在用戶端處理加密來實現。因此,完全不依賴 Azure 存儲來保證機密性。",
"guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464",
"id": "A17.01",
"link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
"service": "Azure Storage",
"severity": "高",
"subcategory": "保密性和加密",
"text": "確定應如何加密靜態數據。了解數據的威脅模型。",
"waf": "安全"
},
{
"category": "安全",
"guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6",
"id": "A17.02",
"link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "保密性和加密",
"text": "確定應使用哪種/是否應使用平臺加密。",
"waf": "安全"
},
{
"category": "安全",
"guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29",
"id": "A17.03",
"link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "保密性和加密",
"text": "確定應使用哪種/是否應使用用戶端加密。",
"waf": "安全"
},
{
"category": "安全",
"description": "利用 Resource Graph 資源管理器 (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) 查找允許匿名 blob 訪問的存儲帳戶。",
"graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant",
"guid": "659ae558-b937-4d49-a5e1-112dbd7ba012",
"id": "A18.01",
"link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account",
"service": "Azure Storage",
"severity": "高",
"subcategory": "身份和訪問管理",
"text": "考慮是否需要公共 blob 匿名訪問,或者是否可以對某些存儲帳戶禁用公共 blob 匿名訪問。",
"waf": "安全"
},
{
"category": "運營管理",
"guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243",
"id": "B01.01",
"link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal",
"service": "Azure Storage",
"severity": "高",
"subcategory": "平臺版本",
"text": "利用 storagev2 帳戶類型獲得更好的性能和可靠性",
"waf": "可靠性"
},
{
"category": "BC 和DR",
"guid": "e05bbe20-9d49-4fda-9777-8424d116785c",
"id": "C01.01",
"link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
"service": "Azure Storage",
"severity": "高",
"subcategory": "可用性",
"text": "利用 GRS、ZRS 或 GZRS 儲存實現最高可用性",
"waf": "可靠性"
},
{
"category": "BC 和DR",
"guid": "2fa56c56-ad48-4408-be72-734c486ba280",
"id": "C01.02",
"link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "故障轉移",
"text": "對於故障轉移后的寫入操作,請使用客戶管理的故障轉移",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "dc0590cf-65de-48e1-909c-cbd579266bcc",
"id": "C01.03",
"link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "故障轉移",
"text": "瞭解 Microsoft 託管的故障轉移詳細資訊",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3",
"id": "C01.04",
"link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal",
"service": "Azure Storage",
"severity": "中等",
"subcategory": "數據保護",
"text": "啟用軟刪除",
"waf": "可靠性"
}
],
"metadata": {
"name": "Azure Storage Review Checklist",
"state": "Preview",
"timestamp": "August 12, 2024",
"waf": "all"
},
"severities": [
{
"name": "高"
},
{
"name": "中等"
},
{
"name": "低"
}
],
"status": [
{
"description": "此檢查尚未查看",
"name": "未驗證"
},
{
"description": "有一個與此檢查關聯的操作項",
"name": "打開"
},
{
"description": "此檢查已經過驗證,並且沒有與之關聯的其他操作項",
"name": "實現"
},
{
"description": "建議已理解,但當前要求不需要",
"name": "不需要"
},
{
"description": "不適用於當前設計",
"name": "N/A"
}
],
"waf": [
{
"name": "可靠性"
},
{
"name": "安全"
},
{
"name": "成本"
},
{
"name": "操作"
},
{
"name": "性能"
}
],
"yesno": [
{
"name": "是的"
},
{
"name": "不"
}
]
}