Compare commits

...

2 Commits

Author | SHA1 | Message | Date
Rubén De la Torre Vico | 50f11c7591 | chore: add azure/storage metadata update to changelog | 2025-12-22 09:47:12 +01:00
Rubén De la Torre Vico | 123138c89e | chore(azure/storage): adapt metadata to new standardized format | 2025-12-22 09:47:06 +01:00
19 changed files with 360 additions and 209 deletions


@@ -11,6 +11,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS Step Functions service metadata to new format [(#9432)](https://github.com/prowler-cloud/prowler/pull/9432)
- Update AWS Route 53 service metadata to new format [(#9406)](https://github.com/prowler-cloud/prowler/pull/9406)
- Update AWS SQS service metadata to new format [(#9429)](https://github.com/prowler-cloud/prowler/pull/9429)
- Update Azure Storage service metadata to new format [(#9628)](https://github.com/prowler-cloud/prowler/pull/9628)
---
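Review bot: the new changelog line matches the sibling entries, but this change also alters `Severity` on four checks (`storage_blob_public_access_level_is_disabled` and `storage_default_network_access_rule_is_denied` go from `medium` to `high`; `storage_default_to_entra_authorization_enabled` and `storage_ensure_encryption_with_customer_managed_keys` go from `high` to `medium`), which changes how findings are reported to users; state the severity changes in the entry rather than only "to new format".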


@@ -1,30 +1,35 @@
{
"Provider": "azure",
"CheckID": "storage_account_key_access_disabled",
"CheckTitle": "Ensure allow storage account key access is disabled",
"CheckTitle": "Storage account has shared key access disabled",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "account",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureStorageAccount",
"Description": "Ensures that access to Azure Storage Accounts using account keys is disabled, enforcing the use of Microsoft Entra ID (formerly Azure AD) for authentication.",
"Risk": "Using Shared Key authorization poses a security risk due to the high privileges associated with storage account keys and the difficulty in auditing such access. Disabling Shared Key access helps enforce identity-based authentication via Microsoft Entra ID, enhancing security and traceability.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "Azure Storage accounts are evaluated for whether **Shared Key (account key) authorization** is disabled, requiring identity-based access via **Microsoft Entra ID** and RBAC.",
"Risk": "Allowing **Shared Key** undermines **confidentiality, integrity, and availability**:\n- A leaked key grants broad read/write/delete across the account\n- Access bypasses **RBAC** and Conditional Access, reducing accountability\n- Activity is hard to attribute, easing data exfiltration and tampering",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent",
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/disable-shared-key-authorization.html"
],
"Remediation": {
"Code": {
"CLI": "az storage account update --name <storage-account-name> --resource-group <resource-group> --allow-shared-key-access false",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/disable-shared-key-authorization.html",
"Terraform": ""
"NativeIaC": "```bicep\n// Storage account with Shared Key access disabled\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n name: '<example_resource_name>'\n location: resourceGroup().location\n kind: 'StorageV2'\n sku: { name: 'Standard_LRS' }\n properties: {\n allowSharedKeyAccess: false // Critical: disallows Shared Key authorization to pass the check\n }\n}\n```",
"Other": "1. In the Azure portal, open the target Storage account\n2. Go to Settings > Configuration\n3. Set \"Allow storage account key access\" to \"Disabled\"\n4. Click Save",
"Terraform": "```hcl\nresource \"azurerm_storage_account\" \"main\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_resource_name>\"\n account_tier = \"Standard\"\n account_replication_type = \"LRS\"\n\n shared_access_key_enabled = false # Critical: disables Shared Key authorization to pass the check\n}\n```"
},
"Recommendation": {
"Text": "Disable Shared Key authorization on storage accounts to enforce the use of Microsoft Entra ID for secure, auditable access.",
"Url": "https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent"
"Text": "Disallow **Shared Key** and require **Microsoft Entra ID** with least-privilege RBAC for all data access.\n- Prefer user delegation SAS over account/service SAS\n- Apply Conditional Access and separation of duties\n- Monitor and phase out key-based clients; rotate and revoke unused keys",
"Url": "https://hub.prowler.com/check/storage_account_key_access_disabled"
}
},
"Categories": [
"e3"
"identity-access",
"secrets"
],
"DependsOn": [],
"RelatedTo": [],


@@ -1,29 +1,35 @@
{
"Provider": "azure",
"CheckID": "storage_blob_public_access_level_is_disabled",
"CheckTitle": "Ensure that the 'Public access level' is set to 'Private (no anonymous access)' for all blob containers in your storage account",
"CheckTitle": "Storage account has 'Allow blob public access' disabled",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AzureStorageAccount",
"Description": "Ensure that the 'Public access level' configuration setting is set to 'Private (no anonymous access)' for all blob containers in your storage account in order to block anonymous access to these Microsoft Azure resources.",
"Risk": "A user that accesses blob containers anonymously can use constructors that do not require credentials such as shared access signatures.",
"Severity": "high",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "**Azure Storage accounts** with **blob public access** disabled prevent containers or blobs from being set to a public access level. Setting `allow blob public access` to `false` enforces no anonymous reads across the account.",
"Risk": "Allowing public access permits unauthenticated users to read blob data or enumerate container contents when any container is made public, compromising confidentiality.\n\nExposed objects can be scraped at scale, enabling data exfiltration and intelligence gathering without audit attribution.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.prowler.com/checks/azure/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access#terraform",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/disable-blob-anonymous-access-for-storage-accounts.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/disable-blob-anonymous-access-for-storage-accounts.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access#terraform"
"CLI": "az storage account update -g <RESOURCE_GROUP> -n <STORAGE_ACCOUNT_NAME> --allow-blob-public-access false",
"NativeIaC": "```bicep\n// Storage account with blob public access disabled\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n name: '<example_resource_name>'\n location: resourceGroup().location\n kind: 'StorageV2'\n sku: { name: 'Standard_LRS' }\n properties: {\n allowBlobPublicAccess: false // Critical: disables anonymous/public blob access at the account\n }\n}\n```",
"Other": "1. In Azure Portal, go to Storage accounts and select the target account\n2. Under Settings, open Configuration\n3. Set \"Allow Blob public access\" to Disabled\n4. Click Save",
"Terraform": "```hcl\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_location>\"\n account_tier = \"Standard\"\n account_replication_type = \"LRS\"\n allow_blob_public_access = false # Critical: disables anonymous/public blob access\n}\n```"
},
"Recommendation": {
"Text": "Set 'Public access level' configuration setting to 'Private (no anonymous access)'",
"Url": ""
"Text": "Disable **blob public access** at the account and enforce authenticated access based on **least privilege**. Prefer **private endpoints** or restricted networks, use short-lived `SAS` or federated identities, and apply **RBAC** with container-level permissions. Monitor access and review exposure regularly.",
"Url": "https://hub.prowler.com/check/storage_blob_public_access_level_is_disabled"
}
},
"Categories": [],
"Categories": [
"internet-exposed"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""


@@ -1,29 +1,40 @@
{
"Provider": "azure",
"CheckID": "storage_blob_versioning_is_enabled",
"CheckTitle": "Ensure Blob Versioning is Enabled on Azure Blob Storage Accounts",
"CheckTitle": "Storage account has blob versioning enabled",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AzureStorageAccount",
"Description": "Ensure that blob versioning is enabled on Azure Blob Storage accounts to automatically retain previous versions of objects.",
"Risk": "Without blob versioning, accidental or malicious changes to blobs cannot be easily recovered, leading to potential data loss.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/blobs/versioning-enable",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "**Azure Storage accounts** have **blob versioning** enabled (`IsVersioningEnabled`) to automatically retain previous versions of blobs created by updates or deletes",
"Risk": "Without **blob versioning**:\n- **Integrity**: overwrites can't be reverted\n- **Availability**: deletes or ransomware remove usable copies\n- **Forensics**: no immutable history for investigation and scoped recovery\n\nMistakes or compromised identities can cause irreversible object loss and wider impact.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/storage/blobs/versioning-overview",
"https://learn.microsoft.com/sv-se/azure/storage/blobs/versioning-enable",
"https://learn.microsoft.com/en-us/azure/storage/blobs/versioning-enable",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/enable-versioning-for-blobs.html",
"https://stackoverflow.com/questions/65605484/azure-storage-enable-blob-versioning-on-storage-account-programmatically",
"https://learn.microsoft.com/en-us/azure/storage/blobs/versions-manage-dotnet",
"https://learn.microsoft.com/en-us/answers/questions/1285243/after-enabling-versioning-in-azure-storage-account"
],
"Remediation": {
"Code": {
"CLI": "az storage account blob-service-properties update --resource-group <resource_group> --account-name <storage-account> --enable-versioning true",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/enable-versioning-for-blobs.html",
"Terraform": "resource \"azurerm_storage_account\" \"example\" {\n name = \"examplestorageacct\"\n resource_group_name = azurerm_resource_group.example.name\n location = azurerm_resource_group.example.location\n account_tier = \"Standard\"\n account_replication_type = \"LRS\"\n\n blob_properties {\n versioning_enabled = true\n }\n}\n"
"NativeIaC": "```bicep\n// Enable blob versioning on an existing storage account\nresource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {\n name: '<example_resource_name>/default'\n properties: {\n isVersioningEnabled: true // Critical: enables blob versioning to pass the check\n }\n}\n```",
"Other": "1. In the Azure portal, go to Storage accounts and open your storage account\n2. Under Data management, select Data protection\n3. In Tracking, set Enable versioning for blobs to Enabled\n4. Click Save",
"Terraform": "```hcl\n# Enable blob versioning on a Storage Account\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_resource_name>\"\n sku_name = \"Standard_LRS\"\n\n blob_properties {\n versioning_enabled = true # Critical: enables blob versioning to pass the check\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable blob versioning for all Azure Storage accounts that store critical or sensitive data.",
"Url": "https://learn.microsoft.com/en-us/azure/storage/blobs/versioning-enable"
"Text": "Enable **blob versioning** for accounts holding critical data. Pair with **blob soft delete** and lifecycle rules to retain and age off versions. Enforce **least privilege** on write and version-delete actions, and monitor access. *For high-churn data*, isolate into separate accounts with tailored retention to balance security and cost.",
"Url": "https://hub.prowler.com/check/storage_blob_versioning_is_enabled"
}
},
"Categories": [],
"Categories": [
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""


@@ -1,29 +1,35 @@
{
"Provider": "azure",
"CheckID": "storage_cross_tenant_replication_disabled",
"CheckTitle": "Ensure cross-tenant replication is disabled",
"CheckTitle": "Storage account has cross-tenant replication disabled",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "account",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureStorageAccount",
"Description": "Ensure that cross-tenant replication is not enabled on Azure Storage Accounts to prevent unintended replication of data across tenant boundaries.",
"Risk": "If cross-tenant replication is enabled, sensitive data could be inadvertently replicated across tenants, increasing the risk of data leakage, unauthorized access, or non-compliance with data governance and privacy policies.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/blobs/object-replication-prevent-cross-tenant-policies?tabs=portal",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "**Azure Storage accounts** are assessed for whether **cross-tenant object replication** is disallowed via `AllowCrossTenantReplication=false`, limiting replication policies to the same tenant.",
"Risk": "Permitting cross-tenant replication can copy sensitive blobs into external tenants, undermining **confidentiality**. A compromised or mismanaged destination enables **data exfiltration**; mirrored updates/deletes can impact **integrity** and retention, complicating auditability and incident response.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/storage/blobs/object-replication-prevent-cross-tenant-policies?tabs=portal",
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/disable-cross-tenant-replication.html"
],
"Remediation": {
"Code": {
"CLI": "az storage account update --name <storage-account-name> --resource-group <resource-group> --default-to-oauth-authentication true --allow-cross-tenant-replication false",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/disable-cross-tenant-replication.html",
"Terraform": ""
"CLI": "az storage account update --name <storage-account-name> --resource-group <resource-group> --allow-cross-tenant-replication false",
"NativeIaC": "```bicep\n// Disables cross-tenant replication on the storage account\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n name: '<example_resource_name>'\n location: resourceGroup().location\n sku: {\n name: 'Standard_LRS'\n }\n kind: 'StorageV2'\n properties: {\n allowCrossTenantReplication: false // Critical: disallow cross-tenant object replication\n }\n}\n```",
"Other": "1. In the Azure portal, go to Storage accounts and open your storage account\n2. Under Data management, select Object replication\n3. Click Advanced settings\n4. Uncheck Allow cross-tenant replication\n5. Click OK/Save\n6. If the option is unavailable, delete any existing cross-tenant object replication policies first, then retry",
"Terraform": "```hcl\nresource \"azurerm_storage_account\" \"main\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_resource_name>\"\n account_tier = \"Standard\"\n account_replication_type = \"LRS\"\n\n cross_tenant_replication_enabled = false # Critical: disallow cross-tenant object replication\n}\n```"
},
"Recommendation": {
"Text": "Disable Cross Tenant Replication on storage accounts to ensure that data remains within tenant boundaries unless explicitly shared, reducing the risk of data leakage and unauthorized access.",
"Url": "https://learn.microsoft.com/en-us/azure/storage/blobs/object-replication-prevent-cross-tenant-policies?tabs=portal"
"Text": "Enforce `AllowCrossTenantReplication=false` and keep replication within the same tenant. Apply **least privilege** and **separation of duties** for replication management, backed by **policy-based governance** to prevent drift. *If cross-tenant transfer is required*, use formal data-sharing controls, monitoring, and time-bound approvals.",
"Url": "https://hub.prowler.com/check/storage_cross_tenant_replication_disabled"
}
},
"Categories": [],
"Categories": [
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""


@@ -1,29 +1,41 @@
{
"Provider": "azure",
"CheckID": "storage_default_network_access_rule_is_denied",
"CheckTitle": "Ensure Default Network Access Rule for Storage Accounts is Set to Deny",
"CheckTitle": "Storage account default network access rule is set to Deny",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AzureStorageAccount",
"Description": "Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access toselected networks, the default action must be changed.",
"Risk": "Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtualnetworks, allowing a secure network boundary for specific applications to be built.Access can also be granted to public internet IP address ranges to enable connectionsfrom specific internet or on-premises clients. When network rules are configured, onlyapplications from allowed networks can access a storage account. When calling from anallowed network, applications continue to require proper authorization (a valid accesskey or SAS token) to access the storage account.",
"Severity": "high",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "**Azure Storage accounts** configure the **default network access rule** to `Deny`, so the **public endpoint** only accepts traffic from explicitly allowed virtual networks, IP ranges, or private endpoints",
"Risk": "With the default action set to `Allow`, the public endpoint is reachable from any network. This removes a network boundary, so **stolen access keys** or leaked **SAS tokens** can be abused from anywhere, enabling **data exfiltration**, tampering, and destructive writes-impacting confidentiality, integrity, and availability.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.prowler.com/checks/azure/azure-networking-policies/set-default-network-access-rule-for-storage-accounts-to-deny#terraform",
"https://zimmergren.net/secure-your-azure-storage-accounts-using-allowed-ip-address-or-range/",
"https://docs.prowler.com/checks/azure/azure-networking-policies/set-default-network-access-rule-for-storage-accounts-to-deny/",
"https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security-set-default-access",
"https://blog.kriation.com/2021/restrict-network-access-to-storage-accounts.html",
"https://stackoverflow.com/questions/77996282/creating-multiple-network-rules-for-an-azure-storage-account-using-for-each-in-t",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/restrict-default-network-access.html"
],
"Remediation": {
"Code": {
"CLI": "az storage account update --name <StorageAccountName> --resource-group <resourceGroupName> --default-action Deny",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/restrict-default-network-access.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/set-default-network-access-rule-for-storage-accounts-to-deny#terraform"
"CLI": "az storage account update --name <STORAGE_ACCOUNT_NAME> --resource-group <RESOURCE_GROUP_NAME> --default-action Deny",
"NativeIaC": "```bicep\n// Set default network access to Deny for a Storage Account\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n name: '<example_resource_name>'\n location: resourceGroup().location\n sku: { name: 'Standard_LRS' }\n kind: 'StorageV2'\n properties: {\n networkAcls: {\n defaultAction: 'Deny' // Critical: sets default network access to Deny so the check passes\n }\n }\n}\n```",
"Other": "1. In the Azure portal, open your Storage account\n2. Go to Security + networking > Networking\n3. Under Public network access, select Enable > Enabled from selected virtual networks and IP addresses\n4. Click Save\n\nThis sets the default network access rule to Deny",
"Terraform": "```hcl\n# Set default network access to Deny on an existing Storage Account\nresource \"azurerm_storage_account_network_rules\" \"<example_resource_name>\" {\n storage_account_id = \"<example_resource_id>\"\n default_action = \"Deny\" # Critical: sets default network access to Deny so the check passes\n}\n```"
},
"Recommendation": {
"Text": "1. Go to Storage Accounts 2. For each storage account, Click on the Networking blade 3. Click the Firewalls and virtual networks heading. 4. Ensure that you have elected to allow access from Selected networks 5. Add rules to allow traffic from specific network. 6. Click Save to apply your changes.",
"Url": ""
"Text": "Set the default network access to `Deny` and permit only required sources: selected VNets, specific IP ranges, or preferably **private endpoints**. Apply **least privilege**, minimize service bypass, and use short-lived, scoped SAS to limit blast radius if credentials leak.",
"Url": "https://hub.prowler.com/check/storage_default_network_access_rule_is_denied"
}
},
"Categories": [],
"Categories": [
"internet-exposed",
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "All allowed networks will need to be whitelisted on each specific network, creating administrative overhead. This may result in loss of network connectivity, so do not turn on for critical resources during business hours."


@@ -1,29 +1,41 @@
{
"Provider": "azure",
"CheckID": "storage_default_to_entra_authorization_enabled",
"CheckTitle": "Ensure Microsoft Entra authorization is enabled by default for Azure Storage Accounts",
"CheckTitle": "Storage account uses Microsoft Entra authorization by default",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureStorageAccount",
"Description": "Ensure that the Azure Storage Account setting 'Default to Microsoft Entra authorization in the Azure portal' is enabled to enforce the use of Microsoft Entra ID for accessing blobs, files, queues, and tables.",
"Risk": "If this setting is not enabled, the Azure portal may authorize access using less secure methods such as Shared Key, increasing the risk of unauthorized data access.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory",
"Severity": "medium",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "**Azure Storage accounts** with `Default to Microsoft Entra authorization in the Azure portal` use **token-based Microsoft Entra ID (Azure RBAC)** by default to access blobs, files, queues, and tables, rather than account keys",
"Risk": "Defaulting to **access keys/Shared Key** enables broad, non-scoped access and weak **auditing**. A stolen key grants full data access, risking **confidentiality** (exfiltration), **integrity** (unauthorized writes/deletes), and **availability** (destructive actions). It can also bypass **least privilege** and enable lateral movement via key reuse.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/enable-microsoft-entra-authorization-by-default.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/enable-microsoft-entra-authorization-by-default.html",
"https://docs.datadoghq.com/security/default_rules/def-000-w60/",
"https://www.c-sharpcorner.com/article/understanding-and-creation-of-azure-storage-account/",
"https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory",
"https://simpleanalytics.co.nz/blogs/creating-an-azure-storage-account",
"https://stackoverflow.com/questions/77511961/azure-cli-default-to-microsoft-entra-authorization-in-the-azure-portal-how",
"https://learn.microsoft.com/en-us/azure/storage/files/authorize-data-operations-portal"
],
"Remediation": {
"Code": {
"CLI": "az storage account update --name <storage-account-name> --resource-group <resource-group-name> --default-to-AzAd-auth true",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/enable-microsoft-entra-authorization-by-default.html",
"Terraform": ""
"CLI": "az storage account update -g <resource-group-name> -n <storage-account-name> --set defaultToOAuthAuthentication=true",
"NativeIaC": "```bicep\n// Enable Microsoft Entra (Azure AD) authorization by default in the portal\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n name: '<example_resource_name>'\n location: '<example_location>'\n kind: 'StorageV2'\n sku: {\n name: 'Standard_LRS'\n }\n properties: {\n defaultToOAuthAuthentication: true // Critical: defaults portal data access to Microsoft Entra authorization\n }\n}\n```",
"Other": "1. In the Azure portal, go to Storage accounts and select your account\n2. Under Settings, select Configuration\n3. Set \"Default to Microsoft Entra authorization in the Azure portal\" to Enabled\n4. Click Save",
"Terraform": "```hcl\n# Enable Microsoft Entra authorization by default for the storage account in the portal\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_location>\"\n account_tier = \"Standard\"\n account_replication_type = \"LRS\"\n\n default_to_oauth_authentication = true # Critical: defaults portal data access to Microsoft Entra authorization\n}\n```"
},
"Recommendation": {
"Text": "Enable Microsoft Entra authorization by default in the Azure portal to enhance security and avoid reliance on Shared Key authentication.",
"Url": "https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory"
"Text": "Enable this setting so the portal uses **Microsoft Entra ID** by default. Apply **least privilege** with Azure RBAC, prefer **managed identities** and user-delegation SAS, and *where feasible* disable Shared Key use. Rotate any existing keys, and monitor access with logs to enforce **defense in depth**.",
"Url": "https://hub.prowler.com/check/storage_default_to_entra_authorization_enabled"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""


@@ -1,29 +1,40 @@
{
"Provider": "azure",
"CheckID": "storage_ensure_azure_services_are_trusted_to_access_is_enabled",
"CheckTitle": "Ensure that 'Allow trusted Microsoft services to access this storage account' is enabled for storage accounts",
"CheckTitle": "Storage account has 'Allow trusted Microsoft services to access this storage account' enabled",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AzureStorageAccount",
"Description": "Ensure that 'Allow trusted Microsoft services to access this storage account' is enabled within your Azure Storage account configuration settings to grant access to trusted cloud services.",
"Risk": "Not allowing to access storage account by Azure services the following services: Azure Backup, Azure Event Grid, Azure Site Recovery, Azure DevTest Labs, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are not granted access to your storage account",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "**Azure Storage account** network rules include the `AzureServices` bypass so **trusted Microsoft services** can reach the account even when firewalls restrict public access",
"Risk": "Without this exception, platform services relying on the account (backup, monitoring, replication) can be blocked, causing failed backups, missing logs, and stalled workflows-affecting **availability** and **integrity**. Teams may over-broaden network access to compensate, increasing **confidentiality** risk.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://stackoverflow.com/questions/72653133/status-403-code-authorizationfailure-message-this-request-is-not-authorized-t",
"https://docs.prowler.com/checks/azure/azure-networking-policies/enable-trusted-microsoft-services-for-storage-account-access#terraform",
"https://avd.aquasec.com/misconfig/azure/storage-accounts/trusted-ms-access-enabled/",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/enable-trusted-microsoft-services.html",
"https://medium.com/medialesson/azure-document-intelligence-fix-contentsourcenotaccessible-invalid-data-url-b1c4f36ede23",
"https://support.icompaas.com/support/solutions/articles/62000219788-ensure-allow-azure-services-on-the-trusted-services-list-to-access-this-storage-account-is-enabled-",
"https://learn.microsoft.com/en-in/answers/questions/2123022/power-automate-to-azure-storage"
],
"Remediation": {
"Code": {
"CLI": "az storage account update --name <StorageAccountName> --resource-group <resourceGroupName> --bypass AzureServices",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/enable-trusted-microsoft-services.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/enable-trusted-microsoft-services-for-storage-account-access#terraform"
"NativeIaC": "```bicep\n// Enable trusted Microsoft services on a Storage Account\nresource stg '<example_resource_name>@Microsoft.Storage/storageAccounts@2023-01-01' = {\n name: '<example_resource_name>'\n location: '<location>'\n kind: 'StorageV2'\n sku: { name: 'Standard_LRS' }\n properties: {\n networkAcls: {\n bypass: 'AzureServices' // CRITICAL: Allows trusted Microsoft services to bypass network rules\n }\n }\n}\n```",
"Other": "1. In the Azure portal, go to Storage accounts and select your account\n2. Navigate to Security + networking > Networking\n3. Under Exceptions, check Allow trusted Microsoft services to access this storage account\n4. Click Save",
"Terraform": "```hcl\n# Enable trusted Microsoft services on a Storage Account\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<location>\"\n account_tier = \"Standard\"\n account_replication_type = \"LRS\"\n\n network_rules {\n bypass = [\"AzureServices\"] # CRITICAL: Allows trusted Microsoft services to bypass network rules\n }\n}\n```"
},
"Recommendation": {
"Text": "To allow these Azure services to work as intended and be able to access your storage account resources, you have to add an exception so that the trusted Microsoft Azure services can bypass your network rules",
"Url": ""
"Text": "Enable the **trusted services** exception (`AzureServices`) for storage accounts used by platform services.\n- Enforce **least privilege** with RBAC and managed identities\n- Keep networks restricted; prefer **private endpoints**\n- Monitor access and review exceptions regularly",
"Url": "https://hub.prowler.com/check/storage_ensure_azure_services_are_trusted_to_access_is_enabled"
}
},
"Categories": [],
"Categories": [
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
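Review bot: the Bicep resource type string in `NativeIaC` is malformed: `resource stg '<example_resource_name>@Microsoft.Storage/storageAccounts@2023-01-01'` puts the placeholder name into the type segment; it should read `resource stg 'Microsoft.Storage/storageAccounts@2023-01-01'`, with the name only in `name: '<example_resource_name>'`. The Terraform snippet's `network_rules` block also needs `default_action`, which the azurerm provider requires (e.g. `default_action = "Deny"`); without it the snippet fails validation, and without a Deny default the `AzureServices` bypass has nothing to bypass, which is the point of the check.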

View File

@@ -1,26 +1,35 @@
{
"Provider": "azure",
"CheckID": "storage_ensure_encryption_with_customer_managed_keys",
"CheckTitle": "Ensure that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys",
"CheckTitle": "Azure Storage account uses customer-managed keys (CMKs) for encryption",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureStorageAccount",
"Description": "Ensure that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys",
"Risk": "If you want to control and manage storage account contents encryption key yourself you must specify a customer-managed key",
"Severity": "medium",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "Azure Storage accounts use **customer-managed keys** (`CMK`) from **Key Vault/Managed HSM** for service-side encryption of data at rest, rather than platform-managed keys (`encryption_type`=`Microsoft.Keyvault`).",
"Risk": "Without **CMK**, keys are provider-controlled, reducing **confidentiality** and governance.\n- Cannot promptly revoke access during incidents\n- No custom rotation or separation of duties\n- Limited key-use auditing\nThis weakens data sovereignty and hinders effective crypto-shredding.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.linkedin.com/pulse/customer-managed-keys-cmk-azure-microsoft-365-aws-google-kulkarni-3ra4f",
"https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-storage-accounts-use-customer-managed-key-for-encryption#terraform",
"https://www.serverlessnotes.com/docs/using-customer-managed-keys-for-encrypting-azure-storage-account",
"https://azure.github.io/eu-digital-covid-certificates-reference-architecture/deep-dives/cmk/",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/cmk-encryption.html",
"https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption",
"https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/cmk-encryption.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-storage-accounts-use-customer-managed-key-for-encryption#terraform"
"NativeIaC": "```bicep\n// Configure a Storage Account to use Customer-Managed Keys (CMK)\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n name: '<example_resource_name>'\n location: '<location>'\n sku: { name: 'Standard_LRS' }\n kind: 'StorageV2'\n identity: {\n type: 'SystemAssigned' // CRITICAL: required so the storage account can access the key vault\n }\n properties: {\n encryption: {\n keySource: 'Microsoft.Keyvault' // CRITICAL: switches encryption to CMK (Prowler checks for this)\n keyVaultProperties: {\n keyName: '<key_name>' // required key name\n keyVaultUri: 'https://<example_resource_name>.vault.azure.net/' // required Key Vault URI\n }\n }\n }\n}\n```",
"Other": "1. In the Azure portal, open your Storage account\n2. Go to Settings > Encryption (or Security + networking > Encryption)\n3. Select Customer-managed keys\n4. Click Select a key vault and key, choose your Key Vault and key\n5. If prompted, enable System-assigned managed identity and grant the key permissions get, wrapKey, unwrapKey\n6. Click Save",
"Terraform": "```hcl\n# Configure a Storage Account to use Customer-Managed Keys (CMK)\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<location>\"\n account_tier = \"Standard\"\n account_replication_type = \"LRS\"\n\n identity {\n type = \"SystemAssigned\" # CRITICAL: allow storage account to access Key Vault\n }\n\n customer_managed_key {\n key_vault_key_id = \"<example_resource_id>\" # CRITICAL: Key Vault key ID enabling CMK (passes the check)\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.",
"Url": ""
"Text": "Adopt **CMK** with keys in Key Vault or Managed HSM. Enforce **least privilege** for the storage identity, regular **key rotation**, and **separation of duties** between key custodians and operators. Audit key usage, enable tamper-resistant key protection (soft-delete/purge protection), and plan for **key revocation/crypto-shredding**.",
"Url": "https://hub.prowler.com/check/storage_ensure_encryption_with_customer_managed_keys"
}
},
"Categories": [
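Review bot: `Description` says CMK is detected via `encryption_type`=`Microsoft.Keyvault`, while the Bicep remediation in the same hunk sets `keySource: 'Microsoft.Keyvault'`; the ARM property is `encryption.keySource`, so align the description to that name. In the Terraform snippet, the inline `customer_managed_key` block of `azurerm_storage_account` requires `user_assigned_identity_id` and a `UserAssigned` identity; pairing it with `identity { type = "SystemAssigned" }` does not plan. Either switch to a user-assigned identity or use the separate `azurerm_storage_account_customer_managed_key` resource, which is the supported path for system-assigned identities. The severity drop from `high` to `medium` is also not explained by the commit message.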

View File

@@ -1,29 +1,37 @@
{
"Provider": "azure",
"CheckID": "storage_ensure_file_shares_soft_delete_is_enabled",
"CheckTitle": "Ensure soft delete for Azure File Shares is enabled",
"CheckTitle": "Storage account has soft delete enabled for file shares",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AzureStorageAccount",
"Description": "Ensure that soft delete is enabled for Azure File Shares to protect against accidental or malicious deletion of important data. This feature allows deleted file shares to be retained for a specified period, during which they can be recovered before permanent deletion occurs.",
"Risk": "Without soft delete enabled, accidental or malicious deletions of file shares result in permanent data loss, making recovery impossible unless a separate backup mechanism is in place.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/files/storage-files-prevent-file-share-deletion?tabs=azure-portal",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "Azure Storage file shares have **soft delete** with a retention period (`days`). The evaluation determines if the storage account's file service has this setting enabled and records the retention duration applied to all shares.",
"Risk": "Without **soft delete**, deletions are irreversible, reducing **availability** and **integrity**. Mistakes or insiders can wipe shares, causing outages, data loss, and lengthy restores. Destructive deletes can magnify ransomware impact and block timely recovery.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/storage/files/storage-files-prevent-file-share-deletion?tabs=azure-portal",
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/enable-soft-delete-for-file-shares.html",
"https://learn.microsoft.com/en-us/azure/storage/files/storage-files-prevent-file-share-deletion",
"https://video2.skills-academy.com/en-us/answers/questions/1808621/how-can-i-purge-soft-deleted-data-from-azure-files"
],
"Remediation": {
"Code": {
"CLI": "az storage account file-service-properties update --account-name <storage-account-name> --enable-delete-retention true --delete-retention-days <number-of-days>",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/enable-soft-delete-for-file-shares.html",
"Terraform": ""
"CLI": "az storage account file-service-properties update --resource-group <resource-group> --account-name <storage-account-name> --enable-delete-retention true --delete-retention-days 7",
"NativeIaC": "```bicep\n// Enable soft delete for file shares on a storage account\nresource sa 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {\n name: '<example_resource_name>'\n}\n\nresource fileSvc 'Microsoft.Storage/storageAccounts/fileServices@2022-09-01' = {\n name: 'default'\n parent: sa\n properties: {\n shareDeleteRetentionPolicy: {\n enabled: true // CRITICAL: turns on soft delete for all file shares in this storage account\n days: 7 // required retention period\n }\n }\n}\n```",
"Other": "1. In the Azure portal, go to Storage accounts and open <storage-account-name>\n2. Under Data storage, select File shares\n3. Set Soft delete to Enabled\n4. Set Retention period (days) to 7\n5. Click Save",
"Terraform": "```hcl\n# Enable soft delete for Azure File shares on a storage account\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_resource_name>\"\n account_tier = \"Standard\"\n account_replication_type = \"LRS\"\n\n share_properties {\n retention_policy {\n enabled = true # CRITICAL: enables soft delete for file shares\n days = 7 # required retention period\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable soft delete for file shares on your Azure Storage Account to allow recovery of deleted shares within a configured retention period.",
"Url": "https://learn.microsoft.com/en-us/azure/storage/files/storage-files-prevent-file-share-deletion?tabs=azure-portal"
"Text": "Enable **soft delete** for all Azure file shares and choose a retention window aligned to `RPO/RTO` and data criticality (e.g., `7-90` days). Apply **least privilege** to delete actions, layer **snapshots/backup** for defense in depth, consider **resource locks**, and monitor delete events for misuse.",
"Url": "https://hub.prowler.com/check/storage_ensure_file_shares_soft_delete_is_enabled"
}
},
"Categories": [],
"Categories": [
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
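Review bot: in the Terraform snippet, `share_properties.retention_policy` accepts only `days` in the azurerm provider; the `enabled = true` line is not a valid argument and should be dropped (soft delete is on whenever `days` is set). The same snippet uses `<example_resource_name>` as the `location` value; use a `<location>` placeholder as the other files in this change do. Minor: the CLI line hardcodes `7` where the previous version had a `<number-of-days>` placeholder, and the retention period is a tuning choice, so a placeholder reads better; `RPO/RTO` in the recommendation text are not identifiers and need no backticks.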

View File

@@ -1,26 +1,35 @@
{
"Provider": "azure",
"CheckID": "storage_ensure_minimum_tls_version_12",
"CheckTitle": "Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'",
"CheckTitle": "Storage account minimum TLS version is 1.2",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AzureStorageAccount",
"Description": "Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'",
"Risk": "TLS versions 1.0 and 1.1 are known to be susceptible to certain Common Vulnerabilities and Exposures (CVE) weaknesses and attacks such as POODLE and BEAST",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "**Azure Storage accounts** enforce a `minimum TLS version` of `1.2` for client connections to data services",
"Risk": "Allowing TLS `1.0`/`1.1` enables protocol downgrades and exploitation of known flaws (e.g., BEAST), weakening **confidentiality** and **integrity**. Attackers can intercept or modify data in transit and harvest credentials via weakened cipher suites.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://stackoverflow.com/questions/75672537/azure-storage-minimum-tls-version-1-2-not-enforced-in-protocol-layer",
"https://docs.prowler.com/checks/azure/azure-storage-policies/bc_azr_storage_2",
"https://www.bundle.app/en/technology/azure-blob-and-file-storage-for-it-testing-and-training-environment-7959B94F-B593-44AB-BFC5-DD1D2F59A525",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/minimum-tls-version.html",
"https://docs.prowler.com/checks/azure/azure-storage-policies/bc_azr_storage_2#terraform",
"https://dev.to/ifeoma_onyegbumark/how-to-configure-simple-settings-in-the-storage-account-on-azure-14bm",
"https://blog.tyang.org/2025/02/10/updated-azure-policy-for-storage-minimum-tls-ver"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://docs.prowler.com/checks/azure/azure-storage-policies/bc_azr_storage_2",
"Terraform": "https://docs.prowler.com/checks/azure/azure-storage-policies/bc_azr_storage_2#terraform"
"CLI": "az storage account update --resource-group <RESOURCE_GROUP> --name <STORAGE_ACCOUNT_NAME> --min-tls-version TLS1_2",
"NativeIaC": "```bicep\n// Storage account with minimum TLS 1.2\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n name: '<example_resource_name>'\n location: resourceGroup().location\n kind: 'StorageV2'\n sku: {\n name: 'Standard_LRS'\n }\n properties: {\n minimumTlsVersion: 'TLS1_2' // CRITICAL: Enforces minimum TLS 1.2 to pass the check\n }\n}\n```",
"Other": "1. In the Azure Portal, go to Storage accounts and open your account\n2. Select Settings > Configuration\n3. Set Minimum TLS version to Version 1.2\n4. Click Save",
"Terraform": "```hcl\n# Storage account with minimum TLS 1.2\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_location>\"\n account_tier = \"Standard\"\n account_replication_type = \"LRS\"\n\n min_tls_version = \"TLS1_2\" # CRITICAL: Enforces minimum TLS 1.2 to pass the check\n}\n```"
},
"Recommendation": {
"Text": "Ensure that all your Microsoft Azure Storage accounts are using the latest available version of the TLS protocol.",
"Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/minimum-tls-version.html"
"Text": "Set the storage account `minimum TLS version` to at least `1.2` (prefer `1.3` where supported) and disable legacy protocols. Apply **defense in depth** by restricting network access, using **least privilege** credentials, and monitoring handshake failures to identify outdated clients.",
"Url": "https://hub.prowler.com/check/storage_ensure_minimum_tls_version_12"
}
},
"Categories": [
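Review bot: `Description` is the only one in this change without terminal punctuation; add a period. The last `AdditionalURLs` entry, `https://blog.tyang.org/2025/02/10/updated-azure-policy-for-storage-minimum-tls-ver`, looks truncated; verify it resolves before merging. The remediation snippets themselves (`--min-tls-version TLS1_2`, `minimumTlsVersion: 'TLS1_2'`, `min_tls_version = "TLS1_2"`) are correct.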

View File

@@ -1,30 +1,42 @@
{
"Provider": "azure",
"CheckID": "storage_ensure_private_endpoints_in_storage_accounts",
"CheckTitle": "Ensure Private Endpoints are used to access Storage Accounts",
"CheckTitle": "Storage account has private endpoint connections",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AzureStorageAccount",
"Description": "Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it.",
"Risk": "Storage accounts that are not configured to use Private Endpoints are accessible over the public internet. This can lead to data exfiltration and other security issues.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "**Azure Storage accounts** are evaluated for the presence of **Private Endpoint** connections. When configured, traffic flows over a VNet private IP via Private Link; when absent, access occurs through the storage account's public endpoint.",
"Risk": "Relying on the **public endpoint** widens exposure:\n- Confidentiality: higher risk of key/SAS compromise and unauthorized reads\n- Integrity: abused creds enable writes/deletes\n- Availability: subject to DDoS and internet scanning\nIt can also bypass egress controls, easing covert data exfiltration.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints",
"https://learn.microsoft.com/en-in/answers/questions/5538202/create-azure-private-endpoint-for-all-blob-storage",
"https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal",
"https://learn.microsoft.com/en-us/answers/questions/1348088/azure-private-endpoints-effect-on-unity-catalog",
"https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints",
"https://blog.mashfords.com/2020/03/13/private-endpoints-for-azure-storage-are-now-generally-available/",
"https://learn.microsoft.com/en-us/answers/questions/659055/private-endpoint-to-azure-blob-storage-from-on-pre",
"https://learn.microsoft.com/en-us/azure/storage/files/storage-files-networking-endpoints",
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/private-endpoints.html#"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/private-endpoints.html#",
"Terraform": ""
"NativeIaC": "```bicep\n// Create a Private Endpoint for a Storage Account to add a private endpoint connection (PASS)\nparam storageAccountId string // ID of Microsoft.Storage/storageAccounts\nparam subnetId string // ID of the subnet to host the Private Endpoint\n\nresource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {\n name: '<example_resource_name>'\n location: resourceGroup().location\n properties: {\n subnet: { id: subnetId }\n privateLinkServiceConnections: [\n {\n name: 'conn'\n properties: {\n privateLinkServiceId: storageAccountId // Critical: links the Private Endpoint to the storage account\n groupIds: ['blob'] // Critical: targets Blob subresource, creating the private endpoint connection\n }\n }\n ]\n }\n}\n```",
"Other": "1. In Azure Portal, go to Storage accounts > select your account\n2. Under Security + networking, choose Networking > Private endpoint connections\n3. Click + Private endpoint > Create\n4. Resource type: Microsoft.Storage/storageAccounts; Resource: your account; Target subresource: blob\n5. Select the Virtual network and Subnet, then Review + create > Create",
"Terraform": "```hcl\n# Create a Private Endpoint for a Storage Account to add a private endpoint connection (PASS)\nvariable \"resource_group_name\" { type = string }\nvariable \"location\" { type = string }\nvariable \"subnet_id\" { type = string }\nvariable \"storage_account_id\" { type = string }\n\nresource \"azurerm_private_endpoint\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = var.resource_group_name\n location = var.location\n subnet_id = var.subnet_id\n\n private_service_connection {\n name = \"conn\"\n private_connection_resource_id = var.storage_account_id # Critical: links to the storage account\n subresource_names = [\"blob\"] # Critical: targets Blob subresource to create the connection\n }\n}\n```"
},
"Recommendation": {
"Text": "Use Private Endpoints to access Storage Accounts",
"Url": "https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints"
"Text": "Prefer **Private Endpoints** for storage access and minimize public exposure:\n- Limit or disable `Public network access`\n- Use private DNS so names resolve to private IPs\n- Enforce **least privilege** and **defense in depth** with segmentation and logging\n- Monitor access and rotate keys/SAS *as part of routine hygiene*.",
"Url": "https://hub.prowler.com/check/storage_ensure_private_endpoints_in_storage_accounts"
}
},
"Categories": [
"encryption"
"internet-exposed",
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
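Review bot: the Terraform `private_service_connection` block is missing `is_manual_connection`, which the azurerm provider requires (`is_manual_connection = false` for a storage account in the same tenant); as written the snippet does not validate. The portal steps in `Other` could also mention the private DNS zone integration step, since a private endpoint alone does not change name resolution and the recommendation text already calls for private DNS. The category change from `encryption` to `internet-exposed`/`trust-boundaries` is the right fix.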

View File

@@ -1,30 +1,35 @@
{
"Provider": "azure",
"CheckID": "storage_ensure_soft_delete_is_enabled",
"CheckTitle": "Ensure Soft Delete is Enabled for Azure Containers and Blob Storage",
"CheckTitle": "Storage account has soft delete for containers enabled",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AzureStorageAccount",
"Description": "The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability.",
"Risk": "Containers and Blob Storage data can be incorrectly deleted. An attacker/malicious user may do this deliberately in order to cause disruption. Deleting an Azure Storage blob causes immediate data loss. Enabling this configuration for Azure storage ensures that even if blobs/data were deleted from the storage account, Blobs/data objects are recoverable for a particular time which is set in the Retention policies ranging from 7 days to 365 days.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "Azure Storage accounts have **container soft delete** enabled via a retention policy that keeps deleted containers for a set period.",
"Risk": "Without this, container deletions are permanent, reducing **availability** and **integrity**. A compromised user or faulty automation could erase entire datasets, forcing slow restores from backups and extending RTO/RPO, with potential downstream app outages.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/enable-soft-delete.html#",
"https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete",
"https://learn.microsoft.com/en-us/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/enable-soft-delete.html#",
"Terraform": ""
"CLI": "az storage account blob-service-properties update --resource-group <example_resource_name> --account-name <example_resource_name> --enable-container-delete-retention true --container-delete-retention-days 7",
"NativeIaC": "```bicep\n// Enable container soft delete on the storage account\nresource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-04-01' = {\n name: '<example_resource_name>/default'\n properties: {\n containerDeleteRetentionPolicy: {\n enabled: true // Critical: enables soft delete for containers\n days: 7 // Required when enabled\n }\n }\n}\n```",
"Other": "1. In the Azure portal, go to Storage accounts and open <storage account>\n2. Under Data management, select Data protection\n3. In the Containers section, turn on Soft delete for containers and set Retention (days) to a value (e.g., 7)\n4. Click Save",
"Terraform": "```hcl\n# Enable container soft delete on the storage account\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_resource_name>\"\n account_tier = \"Standard\"\n account_replication_type = \"LRS\"\n\n blob_properties {\n container_delete_retention_policy {\n enabled = true # Critical: enables soft delete for containers\n days = 7 # Required when enabled\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "From the Azure home page, open the hamburger menu in the top left or click on the arrow pointing right with 'More services' underneath. 2. Select Storage. 3. Select Storage Accounts. 4. For each Storage Account, navigate to Data protection in the left scroll column. 5. Check soft delete for both blobs and containers. Set the retention period to a sufficient length for your organization",
"Url": "https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete"
"Text": "Enable **container soft delete** and choose a retention window (`7-365` days) that meets your RPO. Pair with **blob soft delete** and **versioning** for layered recovery. Enforce **least privilege** on delete actions and apply resource **locks** to prevent destructive changes.",
"Url": "https://hub.prowler.com/check/storage_ensure_soft_delete_is_enabled"
}
},
"Categories": [
"encryption"
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
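Review bot: the new title and description narrow the check to container soft delete, whereas the previous text covered both blobs and containers; confirm this matches the check's logic, since the remediation configures only `containerDeleteRetentionPolicy` and the recommendation tells users to pair it with blob soft delete separately. In the Terraform snippet, `container_delete_retention_policy` takes only `days` in the azurerm provider; `enabled = true` is not a valid argument and should be removed. The `location = "<example_resource_name>"` placeholder reuse also needs fixing.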

View File

@@ -1,29 +1,40 @@
{
"Provider": "azure",
"CheckID": "storage_geo_redundant_enabled",
"CheckTitle": "Ensure geo-redundant storage (GRS) is enabled on critical Azure Storage Accounts",
"CheckTitle": "Azure Storage account uses geo-redundant replication (GRS, GZRS, RA-GRS, or RA-GZRS)",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureStorageAccount",
"Description": "Geo-redundant storage (GRS) must be enabled on critical Azure Storage Accounts to ensure data durability and availability in the event of a regional outage. GRS replicates data within the primary region and asynchronously to a secondary region, offering enhanced resilience and supporting disaster recovery strategies.",
"Risk": "Without GRS, critical data may be lost or become unavailable during a regional outage, compromising data durability and disaster recovery efforts.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy",
"Severity": "medium",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "**Azure Storage accounts** configured for **geo-redundant replication** via `Standard_GRS`, `Standard_GZRS`, `Standard_RAGRS`, or `Standard_RAGZRS`.\n\nThe setting indicates data is copied to a paired secondary region, with `RA-*` allowing read access during primary-region unavailability.",
"Risk": "Absent **geo-replication**, data resides in one region, undermining **availability** and **durability** during regional failures. Disasters can cause prolonged downtime or unrecoverable loss. With geo-replication but without `RA-*`, the secondary is unreadable, increasing RTO and interrupting business continuity.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/enable-geo-redundant-storage.html",
"https://docs.azure.cn/en-us/storage/common/storage-redundancy",
"https://www.linkedin.com/learning/manage-storage-in-azure/disaster-recovery-and-failover",
"https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy",
"https://stackoverflow.com/questions/73270760/azure-how-to-specify-the-secondary-region-for-geo-redundant-storage/73271195",
"https://www.ais.com/how-to-choose-the-right-kind-of-azure-storage-account/",
"https://learn.microsoft.com/en-us/azure/storage/common/redundancy-migration"
],
"Remediation": {
"Code": {
"CLI": "az storage account update --name <storage-account-name> --resource-group <resource-group-name> --sku Standard_GRS",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/enable-geo-redundant-storage.html",
"Terraform": ""
"NativeIaC": "```bicep\n// Storage account with geo-redundant replication enabled\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n name: '<example_resource_name>'\n location: '<example_location>'\n kind: 'StorageV2'\n sku: {\n name: 'Standard_GRS' // Critical: enables geo-redundant replication (GRS) to pass the check\n }\n}\n```",
"Other": "1. In the Azure portal, go to Storage accounts and open your storage account\n2. Under Data management, select Redundancy\n3. Change Redundancy to GRS, GZRS, RA-GRS, or RA-GZRS\n4. Click Save",
"Terraform": "```hcl\nresource \"azurerm_storage_account\" \"example\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_group_name>\"\n location = \"<example_location>\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\" # Critical: enables geo-redundant replication to pass the check\n}\n```"
},
"Recommendation": {
"Text": "Enable geo-redundant storage (GRS) for critical Azure Storage Accounts to ensure data durability and availability across regional failures.",
"Url": "https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy"
"Text": "Adopt **GRS/GZRS** for critical workloads (prefer `Standard_GZRS` where supported) to achieve cross-region resilience. *If read continuity is required*, use `Standard_RAGRS` or `Standard_RAGZRS`. Define RPO/RTO, regularly test failover, and design for **defense in depth** across regions and zones.",
"Url": "https://hub.prowler.com/check/storage_geo_redundant_enabled"
}
},
"Categories": [],
"Categories": [
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
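Review bot: the Terraform snippet breaks the conventions used by the other files in this change: the resource label is `example` instead of `<example_resource_name>`, the header comment present in every other snippet is missing, and the resource group placeholder is `<example_resource_group_name>` rather than `<example_resource_name>`. A line in `Other` would also help: changing the redundancy of an existing account is a conversion that can take time to complete, and `Standard_GZRS`/`Standard_RAGZRS` are only offered in regions with availability zones.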

View File

@@ -1,26 +1,33 @@
{
"Provider": "azure",
"CheckID": "storage_infrastructure_encryption_is_enabled",
"CheckTitle": "Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' ",
"CheckTitle": "Storage account has infrastructure encryption enabled",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "AzureRole",
"Description": "Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' ",
"Risk": "Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised",
"Severity": "medium",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "Azure Storage accounts have **infrastructure encryption** enabled, providing **double encryption at rest** alongside service-level encryption (`requireInfrastructureEncryption=true`).",
"Risk": "Without this second layer, compromise of the service-level key or algorithm can expose stored data, degrading **confidentiality** and weakening **defense in depth**. Insider misuse or key theft is more likely to yield readable blobs, files, or tables.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/infrastructure-encryption.html",
"https://stackoverflow.com/questions/65136408/how-to-get-azure-storage-account-infrastructure-encryption-status-in-powershell",
"https://learn.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable",
"https://anishantony.medium.com/azure-storage-account-setup-and-configurations-82b970ede17f",
"https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/storage/common/infrastructure-encryption-enable.md"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"NativeIaC": "```bicep\n// Storage account with infrastructure encryption enabled\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n name: '<example_resource_name>'\n location: '<location>'\n sku: {\n name: 'Standard_LRS'\n }\n kind: 'StorageV2'\n properties: {\n encryption: {\n keySource: 'Microsoft.Storage'\n requireInfrastructureEncryption: true // Critical: enables infrastructure-level encryption (double encryption)\n }\n }\n}\n```",
"Other": "1. In Azure Portal, go to Storage accounts and click Create\n2. Choose a supported type (StorageV2 or a premium blob/page/file account)\n3. Open the Encryption tab and set Enable infrastructure encryption to Enabled\n4. Click Review + create, then Create\n5. Migrate data from the old account to this new account and decommission the old one (infrastructure encryption cannot be enabled on existing accounts)",
"Terraform": "```hcl\n# Storage account with infrastructure encryption enabled\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<location>\"\n account_tier = \"Standard\"\n account_replication_type = \"LRS\"\n\n infrastructure_encryption_enabled = true # Critical: enables infrastructure-level encryption (double encryption)\n}\n```"
},
"Recommendation": {
"Text": "Enabling double encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.",
"Url": ""
"Text": "Enable **infrastructure encryption** for accounts or scopes handling sensitive data to strengthen **defense in depth**. Plan it at creation, as the setting is immutable. Maintain strong key hygiene for service-level encryption (use CMK where appropriate, rotate, restrict access) and enforce guardrails with policy.",
"Url": "https://hub.prowler.com/check/storage_infrastructure_encryption_is_enabled"
}
},
"Categories": [
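Review bot: the `"CLI": ""` entry in this hunk is still empty while NativeIaC, Terraform and Other were all filled in; since the `Other` steps correctly say infrastructure encryption can only be set when the account is created, the CLI field should show the create path, e.g. `az storage account create -n <STORAGE_ACCOUNT_NAME> -g <RESOURCE_GROUP> --kind StorageV2 --sku Standard_LRS --require-infrastructure-encryption true`. The same caveat belongs as a comment in the Terraform snippet: `infrastructure_encryption_enabled` cannot be changed in place on `azurerm_storage_account`, so applying it to an existing account forces a replacement (destroy and recreate), which matches step 5 of `Other` but will surprise anyone who runs the snippet against a live account.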


@@ -1,30 +1,35 @@
{
"Provider": "azure",
"CheckID": "storage_key_rotation_90_days",
"CheckTitle": "Ensure that Storage Account Access Keys are Periodically Regenerated",
"CheckTitle": "Storage account has access key expiration period set to 90 days or less",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AzureStorageAccount",
"Description": "Ensure that Storage Account Access Keys are Periodically Regenerated",
"Risk": "If the access keys are not regenerated periodically, the likelihood of accidental exposures increases, which can lead to unauthorized access to your storage account resources.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "Azure Storage accounts must define a `key expiration period` for access-key rotation, with a maximum of `90` days. The evaluation looks for accounts lacking this setting or exceeding that limit.",
"Risk": "Long-lived storage access keys undermine **confidentiality** and **integrity**: a leaked or reused key grants full data access and can sign SAS tokens. Extended validity enables persistent unauthorized access, data exfiltration, and tampering, and complicates revocation and incident response.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal",
"https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal#regenerate-storage-access-keys",
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/regenerate-storage-account-access-keys-periodically.html#"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/regenerate-storage-account-access-keys-periodically.html#",
"Terraform": ""
"CLI": "az storage account update --name <STORAGE_ACCOUNT_NAME> --resource-group <RESOURCE_GROUP_NAME> --key-exp-days 90",
"NativeIaC": "```bicep\n// Set key expiration period to 90 days or less\nresource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n name: '<example_resource_name>'\n location: resourceGroup().location\n sku: { name: 'Standard_LRS' }\n kind: 'StorageV2'\n properties: {\n keyPolicy: {\n keyExpirationPeriodInDays: 90 // CRITICAL: enforces rotation reminder at 90 days to pass the check\n }\n }\n}\n```",
"Other": "1. In the Azure portal, go to your storage account\n2. Navigate to Security + networking > Access keys\n3. Click Set rotation reminder\n4. Enable key rotation reminders and set the period to 90 days or less\n5. Click Save\n6. If Set rotation reminder is disabled, first regenerate both keys (Regenerate for key1, then key2), then repeat steps 3-5",
"Terraform": "```hcl\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_resource_name>\"\n account_tier = \"Standard\"\n account_replication_type = \"LRS\"\n\n key_policy {\n key_expiration_period_in_days = 90 # CRITICAL: sets key expiration period to 90 days to pass the check\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure that Azure Storage account access keys are regenerated every 90 days in order to decrease the likelihood of accidental exposures and protect your storage account resources against unauthorized access.",
"Url": "https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal#regenerate-storage-access-keys"
"Text": "Enforce a `key expiration period` of `<= 90` days and automate rotation. Prefer **Microsoft Entra ID** with managed identities over Shared Key; when SAS is needed, use user-delegation SAS. Apply **least privilege**, minimize key distribution, monitor usage, rotate on suspected exposure, and disable Shared Key when feasible.",
"Url": "https://hub.prowler.com/check/storage_key_rotation_90_days"
}
},
"Categories": [
"encryption"
"secrets"
],
"DependsOn": [],
"RelatedTo": [],
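Review bot: the Terraform snippet depends on a `key_policy { key_expiration_period_in_days = 90 }` block on `azurerm_storage_account`, and I cannot find that block in the azurerm provider docs (the account resource exposes `sas_policy`, not a key policy), so please verify it against the provider version this targets; if it is not supported, either drop the Terraform entry or set `properties.keyPolicy.keyExpirationPeriodInDays` through e.g. `azapi_update_resource`, otherwise the example will fail at plan time. Also, the third `AdditionalURLs` entry and the old `Other` link point at `cloudoneconformity-staging`, a staging host; use the production `cloudoneconformity` hostname as the other checks in this PR do.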


@@ -1,26 +1,30 @@
{
"Provider": "azure",
"CheckID": "storage_secure_transfer_required_is_enabled",
"CheckTitle": "Ensure that all data transferred between clients and your Azure Storage account is encrypted using the HTTPS protocol.",
"CheckTitle": "Storage account has secure transfer required enabled",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AzureStorageAccount",
"Description": "Ensure that all data transferred between clients and your Azure Storage account is encrypted using the HTTPS protocol.",
"Risk": "Requests to the storage account sent outside of a secure connection can be eavesdropped",
"Severity": "high",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "**Azure Storage accounts** are evaluated for **secure transfer enforcement**, requiring all client requests to use `HTTPS` only (`enableHttpsTrafficOnly`) and blocking `HTTP`.",
"Risk": "Allowing `HTTP` to storage endpoints enables **man-in-the-middle** and **TLS-stripping** attacks.\nIntercepted traffic can expose credentials, SAS tokens, or data (**confidentiality**) and allow request tampering (**integrity**), leading to unauthorized access and **data exfiltration**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/secure-transfer-required.html",
"https://docs.prowler.com/checks/azure/azure-networking-policies/ensure-that-storage-account-enables-secure-transfer"
],
"Remediation": {
"Code": {
"CLI": "az storage account update --name <STORAGE_ACCOUNT_NAME> --https-only true",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/secure-transfer-required.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/ensure-that-storage-account-enables-secure-transfer"
"CLI": "az storage account update -g <RESOURCE_GROUP> -n <STORAGE_ACCOUNT_NAME> --https-only true",
"NativeIaC": "```bicep\n// Enable secure transfer (HTTPS only) on a Storage Account\nresource <example_resource_name> 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n name: '<example_resource_name>'\n location: '<location>'\n sku: { name: 'Standard_LRS' }\n kind: 'StorageV2'\n properties: {\n supportsHttpsTrafficOnly: true // Critical: require HTTPS-only (secure transfer)\n }\n}\n```",
"Other": "1. In Azure Portal, go to Storage accounts and select the account\n2. Under Settings, open Configuration\n3. Set Secure transfer required to Enabled\n4. Click Save",
"Terraform": "```hcl\n# Enable secure transfer (HTTPS only) on a Storage Account\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<location>\"\n account_tier = \"Standard\"\n account_replication_type = \"LRS\"\n\n enable_https_traffic_only = true # Critical: require HTTPS-only (secure transfer)\n}\n```"
},
"Recommendation": {
"Text": "Enable data encryption in transit.",
"Url": ""
"Text": "Enforce **HTTPS-only** on all storage accounts (`enableHttpsTrafficOnly`) and use modern TLS.\nApply **least privilege** to SAS and keys, rotate if exposure is suspected, and use **defense in depth**: prefer private endpoints, restrict public access, block `HTTP` at network controls, and ensure all clients use `https://` endpoints.",
"Url": "https://hub.prowler.com/check/storage_secure_transfer_required_is_enabled"
}
},
"Categories": [
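Review bot: the property name is inconsistent within this hunk: `Description` and `Recommendation.Text` call the setting `enableHttpsTrafficOnly`, while the Bicep snippet uses the actual ARM property `supportsHttpsTrafficOnly`; use the ARM name (or the portal label "Secure transfer required") in the prose so a reader grepping a template finds it. In the Terraform snippet, `enable_https_traffic_only` was renamed to `https_traffic_only_enabled` in azurerm 4.x, so either state the provider version the example targets or use the new name. Since `Recommendation.Text` says "use modern TLS", it should name the setting it means, `minimumTlsVersion` (`min_tls_version` in Terraform), which is a separate property from secure transfer and is not touched by any of the remediation code here.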


@@ -1,29 +1,39 @@
{
"Provider": "azure",
"CheckID": "storage_smb_channel_encryption_with_secure_algorithm",
"CheckTitle": "Ensure SMB channel encryption uses a secure algorithm for SMB file shares",
"CheckTitle": "Storage account uses AES-256-GCM for SMB channel encryption on file shares",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "",
"ResourceIdTemplate": "/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}/fileServices/default",
"Severity": "medium",
"ResourceType": "AzureStorageAccount",
"Description": "Implement SMB channel encryption with a secure algorithm for SMB file shares to ensure data confidentiality and integrity in transit.",
"Risk": "Not using the recommended SMB channel encryption may expose data transmitted over SMB channels to unauthorized interception and tampering.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-files#recommendations-for-smb-file-shares",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "**Azure Files SMB shares** are evaluated for **SMB channel encryption** and whether the allowed ciphers include the recommended `AES-256-GCM`.\n\nThis identifies if encryption is configured and a secure algorithm is present in the SMB settings for file shares within the storage account.",
"Risk": "Missing or weak SMB channel encryption undermines **confidentiality** and **integrity**. On-path attackers could read sensitive files, capture hashes, or modify data in transit. Allowing legacy ciphers increases downgrade risks and can facilitate **lateral movement**, eroding trust boundaries across networks.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/check-for-smb-channel-encryption-type.html",
"https://stackoverflow.com/questions/78870070/azure-container-app-jobs-accessing-azure-files-fails-with-mount-error13-perm",
"https://learn.microsoft.com/en-us/azure/storage/files/files-smb-protocol?tabs=azure-portal#smb-security-settings",
"https://video2.skills-academy.com/en-us/azure/storage/files/files-smb-protocol",
"https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-files#recommendations-for-smb-file-shares",
"https://stackit.news.blog/2021/09/04/general-availability-azure-files-now-supports-smb-3-1-1/"
],
"Remediation": {
"Code": {
"CLI": "az storage account file-service-properties update --resource-group <resource-group> --account-name <storage-account> --channel-encryption AES-256-GCM",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"NativeIaC": "```bicep\n// Bicep: enforce AES-256-GCM for SMB channel encryption on the storage account's File Service\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {\n name: '<example_resource_name>'\n}\n\nresource fileService 'Microsoft.Storage/storageAccounts/fileServices@2023-01-01' = {\n name: 'default'\n parent: sa\n properties: {\n protocolSettings: {\n smb: {\n channelEncryption: [ 'AES-256-GCM' ] // CRITICAL: Allows AES-256-GCM for SMB channel encryption to pass the check\n }\n }\n }\n}\n```",
"Other": "1. In the Azure portal, open your storage account\n2. Go to Data storage > File shares\n3. Under File share settings, click Security\n4. Select Custom\n5. Under SMB channel encryption, select AES-256-GCM\n6. Click Save",
"Terraform": "```hcl\n# Set SMB channel encryption to AES-256-GCM on the storage account\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_location>\"\n account_tier = \"Standard\"\n account_replication_type = \"LRS\"\n\n share_properties {\n smb {\n channel_encryption_type = \"AES256_GCM\" # CRITICAL: Enables AES-256-GCM for SMB channel encryption\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Use the portal, CLI or PowerShell to set the SMB channel encryption to a secure algorithm.",
"Url": "https://learn.microsoft.com/en-us/azure/storage/files/files-smb-protocol?tabs=azure-portal#smb-security-settings"
"Text": "Enforce **defense in depth** by restricting SMB channel encryption to `AES-256-GCM` on SMB `3.1.1`, removing weaker options.\n\n- Prefer private access (private endpoints/VPN)\n- Require secure transfer and modern TLS\n- Apply **least privilege** on shares\n- Validate client support and monitor connections during rollout",
"Url": "https://hub.prowler.com/check/storage_smb_channel_encryption_with_secure_algorithm"
}
},
"Categories": [],
"Categories": [
"encryption"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "This check passes if SMB channel encryption is set to a secure algorithm."
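Review bot: both IaC snippets use the wrong shape for the channel-encryption value. In the Bicep, `protocolSettings.smb.channelEncryption` on `fileServices` is a string of `;`-separated values in the REST API (`'AES-256-GCM'`, or `'AES-128-GCM;AES-256-GCM'`), not an array, so `[ 'AES-256-GCM' ]` will be rejected on deploy; in Terraform, the azurerm docs describe `share_properties.smb.channel_encryption_type` as a set with values `AES-128-CCM`, `AES-128-GCM` and `AES-256-GCM`, so `channel_encryption_type = "AES256_GCM"` should read `channel_encryption_type = ["AES-256-GCM"]`. Please also prune `AdditionalURLs`: the StackOverflow thread about a container app mount error and the `video2.skills-academy.com` and `stackit.news.blog` mirrors add nothing beyond the learn.microsoft.com pages already listed. Finally, `Description` says the check looks for `AES-256-GCM` being included in the allowed ciphers and `Notes` says it passes on "a secure algorithm", while `Recommendation.Text` says to restrict the list to `AES-256-GCM` only; state which condition the check actually enforces so the three fields agree.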


@@ -1,29 +1,35 @@
{
"Provider": "azure",
"CheckID": "storage_smb_protocol_version_is_latest",
"CheckTitle": "Ensure SMB protocol version for file shares is set to the latest version.",
"CheckTitle": "Storage account allows only the latest SMB protocol version for file shares",
"CheckType": [],
"ServiceName": "storage",
"SubServiceName": "",
"ResourceIdTemplate": "/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}/fileServices/default",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AzureStorageAccount",
"Description": "Ensure that SMB file shares are configured to use only the latest SMB protocol version.",
"Risk": "Allowing older SMB protocol versions may expose file shares to known vulnerabilities and security risks.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/files/files-smb-protocol#smb-security-settings",
"ResourceType": "microsoft.storage/storageaccounts",
"Description": "**Azure Storage file shares (SMB)** are configured to allow **only the latest SMB protocol version**, blocking legacy SMB versions at the storage account level",
"Risk": "Allowing legacy SMB versions enables **protocol downgrade** and weak cipher negotiation, reducing **confidentiality** and **integrity**. Adversaries can intercept or alter traffic, bypass strong signing/encryption, and exploit known flaws for lateral movement or credential replay",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/storage/files/files-smb-protocol#smb-security-settings",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/latest-smb-protocol-version.html"
],
"Remediation": {
"Code": {
"CLI": "az storage account file-service-properties update --resource-group <resource-group> --account-name <storage-account> --versions <latest-version>",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "az storage account file-service-properties update --resource-group <RESOURCE_GROUP> --account-name <STORAGE_ACCOUNT_NAME> --versions SMB3.1.1",
"NativeIaC": "```bicep\n// Set SMB protocol to only the latest version for Azure Files\nresource fileService 'Microsoft.Storage/storageAccounts/fileServices@2023-01-01' = {\n name: '<example_resource_name>/default'\n properties: {\n protocolSettings: {\n smb: {\n versions: 'SMB3.1.1' // Critical: allow only SMB 3.1.1 (latest) to pass the check\n }\n }\n }\n}\n```",
"Other": "1. In the Azure portal, go to Storage accounts and open your storage account\n2. Navigate to Data storage > File shares\n3. Under File share settings, select Security\n4. Choose Profile: Custom, then under SMB protocol versions select only SMB 3.1.1\n5. Click Save",
"Terraform": "```hcl\n# Configure storage account to allow only the latest SMB version for file shares\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<location>\"\n account_tier = \"Standard\"\n account_replication_type = \"LRS\"\n\n share_properties {\n smb {\n versions = [\"SMB3.1.1\"] # Critical: restrict to only SMB 3.1.1 (latest)\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Configure your Azure Storage Account file shares to allow only the latest SMB protocol version.",
"Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/latest-smb-protocol-version.html"
"Text": "Restrict SMB to the newest version (e.g., `SMB 3.1.1`) and disable older versions. Enforce **encryption in transit** and prefer **Kerberos** over NTLM. Validate client compatibility, apply **least privilege** on shares, and monitor access to maintain **defense in depth**",
"Url": "https://hub.prowler.com/check/storage_smb_protocol_version_is_latest"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
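Review bot: the new `Description`, `Risk` and `Recommendation.Text` strings in this hunk end without a period, unlike the same fields in the sibling storage checks in this PR; add the terminal punctuation for consistency. `Notes` is left as `""` here while the SMB channel-encryption check fills it in; a one-liner stating what fails the check (any version other than `SMB3.1.1` present in the allowed set) would help readers of the hub page. The `Recommendation.Text` advice to prefer Kerberos over NTLM concerns the separate `protocolSettings.smb.authenticationMethods` setting, not the version list, and none of the CLI/IaC here touches it; either say so explicitly or drop it from this check's recommendation.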