Azure Storage - ThreatModel

This document provides a data flow diagram of Azure Storage, a MITRE ATT&CK matrix for threat scenarios in Azure Storage, a prioritized list of all threat scenarios, lists of control activities and testing procedures, and a risk-based prioritized list of control implementation.


ThreatModel for Azure Storage

Introduction
Read the blog: The last Azure Storage security document that we'll ever need.

Content
This publication includes:

- overall data flow diagram of Azure Storage

- overview of the Mitre ATT&CK matrix for Azure Storage

- prioritized list of all threat scenarios

- list of all the control activities and testing procedures

- risk-based prioritized list of control implementation

License Agreement
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. This license allows reusers to distribute, remix, adapt, and build upon the material in any medium or
format, so long as attribution is given to the creator. The license allows for commercial use. If you remix, adapt, or build upon the material, you must license the modified material under identical terms.

Source
The latest version of this work is hosted on GitHub.

Contact
If you have any questions, please contact [email protected].

ThreatModel for Azure Storage, by TrustOnCloud, under a Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). Page 1 / 135
Azure Storage
Security Scorecard

[Figure: Data Flow Diagram; Security in the Cloud]

Number of Actions*: 164
Identity management: Azure IAM
Number of IAM permissions*: 139
Resource-based access: DFS ACL, file share ACL, queue ACL, table ACL, storage account access keys, SAS tokens
Network Filtering: VNET security, Storage Account Firewall
Encryption-at-rest: Yes
Encryption-in-transit: Yes
* See details in Appendixes

Mitre ATT&CK matrix for Azure Storage

Tactics (matrix columns): Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Impact.

Threat scenarios placed in the matrix (each threat card below gives its MITRE ATT&CK tactic):

- Infect downstream processes with malware [Storage.T12]
- Privilege escalation by modifying File System ACL [Storage.T6]
- Privilege escalation using storage account access key [Storage.T1]
- DoS due to storage account access key regeneration [Storage.T2]
- Access data using storage account access key or SAS token / data leakage due to disclosed SAS token [Storage.T3]
- Distribute malicious files via file share [Storage.T20]
- Privilege escalation by modifying file share ACL [Storage.T17]
- Recursively delete DFS directories and their content [Storage.T7]
- Exfiltrate files via the static website feature [Storage.T22]
- Usage of outdated vulnerable protocols to access file shares [Storage.T21]
- Distribute malicious data by using the storage account name [Storage.T4]
- Unauthorized modification of data [Storage.T8]
- Distribute non-common malicious files via storage account bypassing Defender for storage [Storage.T35]
- Unauthorized data exposed by breaking CORS settings [Storage.T26]
- Unauthorized data made public [Storage.T5]
- Encrypt/overwrite files by ransomware in DFS/blob [Storage.T9]
- Distribute standard malicious files via storage account bypassing Defender for storage [Storage.T36]
- Privilege escalation by modifying queue ACL [Storage.T27]
- Exfiltrate data using diagnostic settings [Storage.T10]
- Denial of wallet through file upload to storage account [Storage.T16]
- Disable diagnostic settings [Storage.T41]
- Privilege escalation by modifying table ACL [Storage.T28]
- Man-in-the-middle attack via any storage account endpoint [Storage.T11]
- Recursively delete directories and the content in the file share [Storage.T18]
- Data loss due to disabling soft deletion [Storage.T39]
- Unauthorized access to data via storage account replication [Storage.T13]
- Encrypt files by ransomware in file shares [Storage.T19]
- Data loss due to disabling the versioning [Storage.T40]
- Unauthorized access to data by direct access to the physical disk [Storage.T14]
- Delete data using Blob Storage lifecycle management [Storage.T25]
- Exfiltrate data using different access method [Storage.T15]
- DDoS on endpoint [Storage.T29]
- Exfiltrate data using different service [Storage.T23]
- Impacting queues messages integrity or complete data loss of sensitive data [Storage.T31]
- Exfiltrate data using blob inventory functionality [Storage.T24]
- DoS on wallet by executing Azure Data Lake Storage query acceleration [Storage.T34]
- Unauthorized access to a sensitive message [Storage.T32]
- DoS by tampering with encryption at rest key [Storage.T38]
- Modify permissions by adding, modifying or removing tags [Storage.T33]
- Affect data by removing replication [Storage.T42]
- Exfiltrate data by brute force enumeration of items from the storage account [Storage.T37]
- Bypassing of soft delete by moving blob to archive tier [Storage.T54]
- Privilege escalation by misconfiguration of NFS endpoint or by modifying current network settings [Storage.T43]
- Access to data using stolen SFTP local user credentials [Storage.T44]
- Usage of outdated vulnerable libraries to access Azure Storage account [Storage.T45]
- Use of classic Azure Storage account [Storage.T46]
- Exfiltrate data by using compromised credentials [Storage.T47]
- Information disclosure due to unencrypted blob storage [Storage.T49]
- Access to storage account resources by modifying virtual network rules [Storage.T50]
- Recon of storage environment via examination of diagnostic logs [Storage.T53]
- Gain access to blob by renaming file [Storage.T55]
Feature Classes
Azure Storage has the following feature classes and subclasses (i.e., dependent on the usage of its class) that can be activated, restricted, or blocked using Microsoft Azure Identity and Access Management.

Feature (Relation): Description

- Storage account (class): Azure Storage is Microsoft's Cloud Storage solution for modern data storage scenarios. Azure Storage offers a massively scalable object store for data objects, a File System service for the cloud, a messaging store for reliable messaging, and a NoSQL store.

- Key access (subclass of Storage account): When you create a storage account, Azure generates two 512-bit storage account access keys. These keys can be used to authorise access to data in your storage account via Shared Key authorization. Microsoft recommends that you use Azure Key Vault to manage your access keys, and that you regularly rotate and regenerate your keys.

- File shares (subclass of Storage account): Azure Files offers fully governed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol or the Network File System (NFS) v4.1 protocol.

- Monitoring (subclass of Storage account): Storage insights provide comprehensive monitoring of your Azure Storage accounts by delivering a unified view of your Azure Storage services' performance, capacity, and availability.

- Queues (subclass of Storage account): Azure Queue Storage is a service for storing large numbers of messages. Access messages via HTTP/S calls.

- Tables (subclass of Storage account): The most economic table-style storage in the world to store petabytes of semi-structured data and keep costs down.

- Blob storage, containers, Data Lake Storage Gen2 (subclass of Storage account): Object storage solution for storing massive amounts of unstructured data (blobs), accessible via HTTP/S and optionally via the Network File System (NFS) v3 and SFTP protocols.

- Object replication (subclass of Blob storage, containers, Data Lake Storage Gen2): Object replication asynchronously copies block blobs between a source storage account and a destination account. When you configure object replication, you create a replication policy that specifies the source storage account and the destination account.

- Blob inventory (subclass of Blob storage, containers, Data Lake Storage Gen2): The Azure Storage blob inventory feature provides an overview of your containers, blobs, snapshots, and blob versions within a storage account. Use the inventory report to understand various attributes of blobs and containers such as your total data size, age, encryption status, immutability policy, or legal hold.

- Blob lifecycle (subclass of Blob storage, containers, Data Lake Storage Gen2): Azure Blob Storage lifecycle management offers a rich, rule-based policy which you can use to transition your data to the best access tier and to expire data at the end of its lifecycle.

- Blob storage SSH File Transfer Protocol (SFTP) (subclass of Blob storage, containers, Data Lake Storage Gen2): Blob storage supports the SSH File Transfer Protocol (SFTP). This support lets you securely connect to blob storage via an SFTP endpoint, allowing you to use SFTP for file access, file transfer, and file management.
Actions and IAM Permissions to deny the feature

Storage account (class, FC1): Azure Storage is Microsoft's Cloud Storage solution for modern data storage scenarios. Azure Storage offers a massively scalable object store for data objects, a File System service for the cloud, a messaging store for reliable messaging, and a NoSQL store.
Action: Creates a storage account with the specified parameters, updates the properties or tags, or adds a custom domain for the specified storage account.
IAM Permission: Microsoft.Storage/storageAccounts/write

Data Flow Diagram (DFD)

Threat List
Name: CVSS

- Exfiltrate data by using compromised credentials: High (8.1)
- Use of classic Azure Storage account: High (8.1)
- Usage of outdated vulnerable libraries to access Azure Storage account: High (8.1)
- Man-in-the-middle attack via any storage account endpoint: High (7.1)
- DDoS on endpoint: Medium (5.9)
- Distribute malicious data by using the storage account name: Medium (5.2)
- Exfiltrate data using different service: Medium (4.9)
- Distribute non-common malicious files via storage account bypassing Defender for storage: Medium (4.9)
- DoS by tampering with encryption at rest key: Medium (4.5)
- Infiltrate unauthorized files into storage container: Medium (4.3)
- Unauthorized data exposed by breaking CORS settings: Medium (4.3)
- Unauthorized access to data by direct access to the physical disk: Medium (4.2)
- Access to storage account resources by modifying virtual network rules: Low (3.5)
- Cross service exploit: Low (2.0)

Exfiltrate data by using compromised credentials

Threat Id: Storage.T47
Name: Exfiltrate data by using compromised credentials
Description: An attacker can use compromised but authorized credentials to download your data.
Goal: Data theft
MITRE ATT&CK®: TA0010
CVSS: High (8.1)
IAM Access: {}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Very High; 5 / - / -)
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.
- Maintain a list of authorized Groups to use in permissions for Data Lake Storage Gen2.
- Ensure only authorized Groups are used in ACLs for Data Lake Storage Gen2.
- Use a naming convention for Groups, adding the suffix R/RW and the entity for which the Group is used.
- Use Managed Identity as the method for accessing Azure Storage services.

Restrict the use of Shared Key authorization (Very High; - / 1 / -)
- Block the usage of the storage account access key whenever possible.

Restrict access to the endpoints (where possible disable public endpoint) (High; 2 / 1 / -)
- Maintain a list of authorized IPs and/or resource instance rules authorized to access each storage account.
- Block requests from unauthorized IPs, including trusted services, logging, and metrics read access (ref).
- Prevent access from unauthorized IPs by allowing only authorized IPs using Azure Storage firewall.

Govern the use of Shared Keys and SAS tokens (High; 4 / - / -)
- Maintain a list of authorized IPs to use SAS tokens and their authorized time window.
- Ensure SAS tokens allow only authorized IPs, using the sourceIP field and enforcing HTTPS.
- Integrate the access to blob, file shares, queues, tables, and DFS via SAS token (generated from account key and/or user delegation key) in the IAM Operating Model, ideally prioritizing AD as the preferred method.
- Maintain a revocation plan for any SAS or storage account access keys issued to clients based on requirements. If a SAS is compromised, you must revoke that SAS as soon as possible. To revoke a user delegation SAS, revoke the user delegation key to invalidate all signatures associated with that key. To revoke a service SAS that is associated with a stored access policy, you can delete the stored access policy, rename the policy, or change its expiry time to a time that is in the past (ref). To revoke a storage account access key, regenerate the key.
- Ensure the revocation plan is in place for any SAS or storage account access key.

Connect via private endpoint (High; 2 / 1 / -)
- Maintain a list of authorized VNETs for the blob, file shares, queues, tables, DFS, NFS, and SFTP access via a private endpoint.
- Ensure only authorized VNETs are configured for the blob, file shares, queues, tables, DFS, NFS, and SFTP.
- Prevent the use of unauthorized VNETs by the storage account (e.g., by using Azure Policy).
Use of classic Azure Storage account

Threat Id: Storage.T46
Name: Use of classic Azure Storage account
Description: Azure classic Storage Accounts don't support capabilities such as Azure Storage firewall. An attacker can more easily leverage the lack of controls in an Azure Storage account to launch an attack and impact the confidentiality, integrity, and availability of data stored within the account.
Goal: Data theft
MITRE ATT&CK®: TA0010
CVSS: High (8.1)
IAM Access: {"UNIQUE": ["Microsoft.Storage/storageAccounts/write"]}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Use StorageV2 accounts only (Very High; 2 / 1 / 1)
- Azure classic Storage Accounts (Azure ASM resources) should not be in use. Azure Cloud Services (classic) will be retired on 31 August 2024. Classic Storage Accounts depend on Azure Cloud Services (classic). They will be retired on the same date. Before that date, you'll need to migrate them to Azure Resource Manager, which has new security features.
- Monitor for creation of classic Azure Storage accounts (e.g., using the activity log: Microsoft.Storage/storageAccounts/write operation in operationName.value where properties.requestbody contains either "kind":"Storage" or "kind":"BlobStorage").
- Ensure Storage Accounts are created as StorageV2.
- Prevent the creation of Storage Accounts that are not StorageV2 (e.g., by using an Azure Policy in deny mode).

Enforce encryption-at-rest (Low; 2 / - / -)
- Maintain a list of blobs created before October 20, 2017 (ideally none).
- Rewrite every blob created before October 20, 2017. You can force encryption to occur immediately by downloading and re-uploading the blob.
Usage of outdated vulnerable libraries to access Azure Storage account

Threat Id: Storage.T45
Name: Usage of outdated vulnerable libraries to access Azure Storage account
Description: The blob and queue storage client libraries use AES to encrypt user data. It's possible to use client-side encryption v1, which is NOT RECOMMENDED due to a security vulnerability in the client library's implementation of CBC mode. An attacker can perform a padding oracle attack to decrypt the blob's contents.
Goal: Data theft
MITRE ATT&CK®: TA0010
CVSS: High (8.1)
IAM Access: {"OR": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write", "Microsoft.Storage/storageAccounts/queueServices/queues/write"]}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Enforce good coding practice (Very Low; 1 / - / -)
- The latest (or latest -1 with no security vulnerabilities) non-preview version of storage software libraries must be used for Storage Accounts. Running on older versions could mean you are not using the latest security classes. Usage of such old classes and types can make your application vulnerable.
Man-in-the-middle attack via any storage account endpoint

Threat Id: Storage.T11
Name: Man-in-the-middle attack via any storage account endpoint
Description: Storage account endpoints support HTTP/S. An attacker can intercept or modify the traffic via a man-in-the-middle attack (e.g., with a fake certificate to get and modify data in transit via endpoints).
Goal: Data theft
MITRE ATT&CK®: TA0010
CVSS: High (7.1)
IAM Access: {}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Enforce encryption-in-transit (Very High; 2 / 1 / 1)
- Maintain a list of authorized encryption in transit methods with the desired assignment to Storage Accounts. Ideally, minimum TLS 1.2.
- Ensure authorized encryption in transit methods with the desired assignment are set for authorized Storage Accounts, and that clients perform checks against the certificate exposed by Storage Accounts.
- Ensure Storage Accounts have authorized encryption in transit methods configured (e.g., using Azure Policy in deny mode).
- Monitor the creation/update of encryption in transit methods and that the desired assignment is set for authorized Storage Accounts (e.g., using activity logs on properties.supportsHttpsTrafficOnly, scope "supportsHttpsTrafficOnly").

Restrict access to the endpoints (where possible disable public endpoint) (High; 2 / - / -)
- Maintain a list of authorized IPs and/or resource instance rules authorized to access each storage account.
- Block requests from unauthorized IPs, including trusted services, logging, and metrics read access (ref).

Connect via private endpoint (High; 2 / 1 / -)
- Maintain a list of authorized VNETs for the blob, file shares, queues, tables, DFS, NFS, and SFTP access via a private endpoint.
- Ensure only authorized VNETs are configured for the blob, file shares, queues, tables, DFS, NFS, and SFTP.
- Prevent the use of unauthorized VNETs by the storage account (e.g., by using Azure Policy).
DDoS on endpoint

Threat Id: Storage.T29
Name: DDoS on endpoint
Description: An attacker can overload a public endpoint with a DDoS attack. If your application approaches or exceeds scalability targets, it may encounter increased transaction latencies or throttling with 500 errors.
Goal: Disruption of Service
MITRE ATT&CK®: TA0040
CVSS: Medium (5.9)
IAM Access: {}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Restrict access to the endpoints (where possible disable public endpoint) (High; 2 / 1 / -)
- Maintain a list of authorized IPs and/or resource instance rules authorized to access each storage account.
- Block requests from unauthorized IPs, including trusted services, logging, and metrics read access (ref).
- Prevent access from unauthorized IPs by allowing only authorized IPs using Azure Storage firewall.

Connect via private endpoint (High; 2 / 1 / -)
- Maintain a list of authorized VNETs for the blob, file shares, queues, tables, DFS, NFS, and SFTP access via a private endpoint.
- Ensure only authorized VNETs are configured for the blob, file shares, queues, tables, DFS, NFS, and SFTP.
- Prevent the use of unauthorized VNETs by the storage account (e.g., by using Azure Policy).
Distribute malicious data by using the storage account name

Threat Id: Storage.T4
Name: Distribute malicious data by using the storage account name
Description: Azure Storage account names are globally unique. An attacker can take over an old or existing account name, delete one, and entangle any third party into using their account to steal or distribute malicious data.
Goal: Data theft
MITRE ATT&CK®: TA0010
CVSS: Medium (5.2)
IAM Access: {"OPTIONAL": "Microsoft.Storage/storageAccounts/delete"}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Very High; 1 / - / -)
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.

Protect primary data against loss (Very High; 3 / - / 1)
- Maintain a list of authorized storage accounts and corresponding account locks (e.g., to prevent deletions).
- Lock storage accounts to prevent accidental or malicious deletion or configuration changes, and ensure only authorized Storage Accounts have the lock disabled.
- Monitor for unauthorized storage account deletions (e.g., using the activity log: Microsoft.Storage/storageAccounts/delete operation in operationName.value).
- Maintain a list of authorized storage account deletions. The process for creating this list should ensure the storage account is not in use.
Exfiltrate data using different service

Threat Id: Storage.T23
Name: Exfiltrate data using different service
Description: An attacker can exfiltrate data using different services (e.g., Azure Data Share, Logic App, files, SFTP access, NFS). Moreover, this data can be stored in different subscriptions/tenants.
Goal: Data theft
MITRE ATT&CK®: TA0010
CVSS: Medium (4.9)
IAM Access: {"AND": ["Microsoft.Storage/storageAccounts/write", "Microsoft.Authorization/roleAssignments/write"]}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Very High; 1 / - / -)
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.
Distribute non-common malicious files via storage account bypassing Defender for storage

Threat Id: Storage.T35
Name: Distribute non-common malicious files via storage account bypassing Defender for storage
Description: Microsoft Defender for storage uses hash reputation analysis to determine whether an uploaded file is suspicious. The threat protection tools don't scan the uploaded files; instead, they analyze the telemetry generated from the blob storage and files services. Defender for storage then compares newly uploaded files' hashes with known viruses, trojans, spyware, and ransomware. An attacker can modify a well-known payload by one byte, and it will go undetected by Defender for storage.
Goal: Launch another attack
MITRE ATT&CK®: TA0003
CVSS: Medium (4.9)
IAM Access: {"OR": ["Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write", "directory:R;file:R", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"]}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Monitor Storage Accounts with Azure Defender for Storage and Microsoft Purview (Medium; 1 / - / -)
- Periodically scan files with third-party virus scanners that don't rely only on hashes.

Use StorageV2 accounts only (Low; 1 / - / -)
- Azure classic Storage Accounts (Azure ASM resources) should not be in use. Azure Cloud Services (classic) will be retired on 31 August 2024. Classic Storage Accounts depend on Azure Cloud Services (classic). They will be retired on the same date. Before that date, you'll need to migrate them to Azure Resource Manager, which has new security features.
DoS by tampering with encryption at rest key

Threat Id: Storage.T38
Name: DoS by tampering with encryption at rest key
Description: Azure Key Vault in the same or another tenant is used to store the encryption keys. An attacker can make it unavailable (e.g., by changing access policies), take over, perform DoS, or launch an attack on the storage account.
Goal: Disruption of Service
MITRE ATT&CK®: TA0040
CVSS: Medium (4.5)
IAM Access: {"OR": ["Microsoft.KeyVault/vaults/keys/write", "Microsoft.KeyVault/vaults/keys/delete", "Microsoft.KeyVault/vaults/delete", "Microsoft.KeyVault/vaults/write", "Microsoft.Storage/storageAccounts/encryptionScopes/write"]}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Very High; 1 / - / -)
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.

Enforce encryption-at-rest (Low; 1 / - / -)
- Protect the Key Vault storing custom encryption keys using the Key Vault ThreatModel.
Infiltrate unauthorized files into storage container

Threat Id: Storage.T57
Name: Infiltrate unauthorized files into storage container
Description: Some Azure Storage APIs allow copying a blob or file from a third-party storage account to a container where the attacker has write access. The copy operation is not performed from the host the attacker is issuing the command from, but from the Azure Storage service itself. An attacker can leverage this capability to infiltrate data into an environment to which they otherwise do not have external access.
Goal: Launch another attack
MITRE ATT&CK®: TA0011
CVSS: Medium (4.3)
IAM Access: {"OR": ["Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"]}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Very High; 1 / - / -)
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.

Identify and ensure the protection of all Storage Accounts hosting your data (Very High; 1 / 1 / 1)
- Preview control. Ensure Storage Accounts have allowedCopyScope set to either AAD or PrivateLink.
- Preview control. Prevent the creation of Storage Accounts with allowedCopyScope not set to either AAD or PrivateLink (e.g., by using an Azure Policy in deny/append mode).
- Preview control. Monitor that Storage Accounts with allowedCopyScope set to null / not specified are not created (e.g., using activity logs on the "Create/Update Storage Account" operation in ."properties"."requestbody").
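Three detective controls in this document are written as activity-log queries over the storage account write operation: the classic-kind check under "Use StorageV2 accounts only" (Storage.T46), the supportsHttpsTrafficOnly check under "Enforce encryption-in-transit" (Storage.T11) and the allowedCopyScope check above (Storage.T57). The evaluator below is an added example (not the threat model's own tooling) that runs all three over constructed activity-log records; it assumes the record shape the controls reference, with operationName.value and properties.requestbody carrying the request body as a JSON string, and the subscription id in the sample resource ids is a placeholder.

```python
"""Evaluate Azure Activity Log 'storageAccounts/write' events against three
detective controls in this threat model (Storage.T46, Storage.T11, Storage.T57).

Assumption: a record carries operationName.value and properties.requestbody
(the request body as a JSON string).  All records below are constructed.
"""
import json

WRITE_OP = "Microsoft.Storage/storageAccounts/write"
CLASSIC_KINDS = {"Storage", "BlobStorage"}       # kinds the T46 control flags
AUTHORIZED_COPY_SCOPES = {"AAD", "PrivateLink"}  # values the T57 control requires


def _resource_id(name):
    """Constructed resource id; the subscription id is a placeholder."""
    return ("/subscriptions/PLACEHOLDER-SUB-ID/resourceGroups/rg1"
            f"/providers/Microsoft.Storage/storageAccounts/{name}")


def _write_record(name, kind, properties):
    """Constructed activity-log record for a storage account create/update."""
    body = {"kind": kind, "location": "westeurope", "properties": properties}
    return {"resourceId": _resource_id(name),
            "operationName": {"value": WRITE_OP},
            "properties": {"requestbody": json.dumps(body)}}


SAMPLE_RECORDS = [
    # classic account kind, otherwise safe settings -> T46 only
    _write_record("legacyacct", "Storage",
                  {"supportsHttpsTrafficOnly": True, "allowedCopyScope": "AAD"}),
    # StorageV2 but HTTP allowed and no copy scope -> T11 and T57
    _write_record("openacct", "StorageV2", {"supportsHttpsTrafficOnly": False}),
    # compliant StorageV2 account -> nothing
    _write_record("goodacct", "StorageV2",
                  {"supportsHttpsTrafficOnly": True, "allowedCopyScope": "PrivateLink"}),
    # a read operation is never evaluated
    {"resourceId": _resource_id("goodacct"),
     "operationName": {"value": "Microsoft.Storage/storageAccounts/read"},
     "properties": {}},
]


def _request_body(record):
    """Return the request body as a dict; tolerate an absent or pre-parsed body."""
    body = record.get("properties", {}).get("requestbody")
    if body is None:
        return {}
    return json.loads(body) if isinstance(body, str) else body


def evaluate(record):
    """Return (threat_id, message) findings for one activity-log record."""
    if record.get("operationName", {}).get("value") != WRITE_OP:
        return []
    body = _request_body(record)
    props = body.get("properties", {})
    findings = []
    kind = body.get("kind")
    if kind in CLASSIC_KINDS:
        findings.append(("Storage.T46", f"classic account kind {kind!r}; expected StorageV2"))
    if props.get("supportsHttpsTrafficOnly") is False:
        findings.append(("Storage.T11", "supportsHttpsTrafficOnly is false; HTTP allowed"))
    # 'kind' is present on a full create/update, which is where T57 wants the
    # copy scope judged; partial updates without it are left alone.
    scope = props.get("allowedCopyScope")
    if kind is not None and scope not in AUTHORIZED_COPY_SCOPES:
        findings.append(("Storage.T57",
                         f"allowedCopyScope is {scope!r}; expected AAD or PrivateLink"))
    return findings


def scan(records):
    """Map resourceId -> findings, omitting records with nothing to report."""
    result = {}
    for record in records:
        findings = evaluate(record)
        if findings:
            result.setdefault(record.get("resourceId"), []).extend(findings)
    return result


if __name__ == "__main__":
    for resource, findings in scan(SAMPLE_RECORDS).items():
        for threat_id, message in findings:
            print(f"{threat_id}: {resource}: {message}")
```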

Unauthorized data exposed by breaking CORS settings

Threat Id: Storage.T26
Name: Unauthorized data exposed by breaking CORS settings
Description: CORS is an HTTP feature that enables a web application running under one domain to access resources in another domain. An attacker using the CORS misconfiguration can gain privileged access via origin reflection, enticing a user to access a page with a malicious script and return sensitive data.
Goal: Launch another attack
MITRE ATT&CK®: TA0004
CVSS: Medium (4.3)
IAM Access: {"UNIQUE": "Microsoft.Storage/storageAccounts/write"}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Govern Cross-Origin resource sharing (Very Low; 2 / 1 / -)
- Maintain a list of authorized CORS trusted origins per endpoint and the corresponding settings.
- Ensure only authorized Storage Accounts have CORS trusted origins and corresponding settings configured.
- Prevent unauthorized Storage Accounts from using CORS trusted origins and corresponding settings (e.g., using Azure Policy in deny mode).
Unauthorized access to data by direct access to the physical disk

Threat Id: Storage.T14
Name: Unauthorized access to data by direct access to the physical disk
Description: Azure operates the storage of physical disks. An attacker (i.e., an Azure insider) can access data stored on the device.
Goal: Data theft
MITRE ATT&CK®: TA0010
CVSS: Medium (4.2)
IAM Access: {}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Enforce encryption-at-rest (High; 2 / 1 / 1)
- Maintain a list of authorized keys for Azure Storage encryption with the desired assignment and rotation policy.
- Ensure authorized keys for Azure Storage encryption with the desired assignment and rotation policy are set for authorized Storage Accounts.
- Ensure only authorized keys for Azure Storage encryption with the desired assignment and rotation policy are assigned (e.g., using Azure Policy in deny mode).
- Monitor the creation/update and usage of keys for Azure Storage encryption with the desired assignment and rotation policy (e.g., using monitoring logs on authentication type AccountKey).

Apply cloud adoption, strategy, and governance (High; 2 / 1 / -)
- Maintain a list of authorized Azure Storage regions.
- Ensure the authorized Azure Storage region is set for authorized Storage Accounts.
- Ensure only an authorized Azure Storage region is set for authorized Storage Accounts (e.g., using Azure Policy in deny mode).

Protect primary data against loss (Low; 2 / 1 / -)
- Maintain a list of authorized Azure Storage redundancy options.
- Ensure authorized Azure Storage redundancy is set for authorized Storage Accounts.
- Ensure only authorized Azure Storage redundancy is set for authorized Storage Accounts (e.g., using Azure Policy in deny mode).
Access to storage account resources by modifying virtual network rules

Threat Id: Storage.T50
Name: Access to storage account resources by modifying virtual network rules
Description: Administrators configure network rules to allow only requests originating from authorized subnets. An attacker can insert/modify the rules to gain access.
Goal: Launch another attack
MITRE ATT&CK®: TA0010
CVSS: Low (3.5)
IAM Access: { "UNIQUE": ["Microsoft.Storage/storageAccounts/write"] }

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Restrict access to the endpoints (where possible disable public endpoint) (High; 2 / 1 / -)
- Maintain a list of authorized IPs and/or resource instance rules authorized to access each storage account.
- Block requests from unauthorized IPs, including trusted services, logging, and metrics read access (ref).
- Prevent access from unauthorized IPs by allowing only authorized IPs using Azure Storage firewall.

Enable soft-delete on containers, blobs, and file shares (High; 2 / 1 / 1)
- Maintain a list of authorized blobs and containers with public access level set to anonymous; ideally, none.
- Ensure the anonymous access level is set only for authorized blobs/containers.
- Ensure only authorized blobs and containers are anonymously accessed (e.g., using Azure Policy in deny mode).
- Monitor the creation/update of blobs and containers that are anonymously accessed (e.g., using Azure Automation).

Connect via private endpoint (High; 2 / 1 / -)
- Maintain a list of authorized VNETs for the blob, file shares, queues, tables, DFS, NFS, and SFTP access via a private endpoint.
- Ensure only authorized VNETs are configured for the blob, file shares, queues, tables, DFS, NFS, and SFTP.
- Prevent the use of unauthorized VNETs by the storage account (e.g., by using Azure Policy).

Ensure no storage account allows public access to blobs (Low; 2 / 1 / -)
- Maintain a list of authorized Storage Accounts with allowBlobPublicAccess enabled; ideally, none.
- Ensure no Storage Accounts have allowBlobPublicAccess enabled, except if authorized.
- Prevent the creation/update of Storage Accounts with allowBlobPublicAccess enabled (e.g., using Azure Policy in deny mode - "Storage account public access should be disallowed").
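The inserted-rule threat above is easiest to catch by diffing the account's network rule set against the maintained list of authorized IPs and subnets. The following is an added example, not TrustOnCloud's tooling; it assumes input shaped like the properties.networkAcls block of a storageAccounts ARM resource, and the sample document, baseline and resource IDs are constructed.

```python
"""Detect drift in a storage account's network rule set against an
authorized baseline (added example, not part of the threat model document).

The input mirrors the `properties.networkAcls` block of a
Microsoft.Storage/storageAccounts ARM resource; the sample document and
the baseline below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """Authorized network configuration for one storage account."""
    ip_rules: set[str]                                   # CIDRs or single IPs
    subnet_ids: set[str]                                 # VNet subnet resource IDs
    allow_bypass: set[str] = field(default_factory=set)  # e.g. {"AzureServices"}


def _normalize_ip(value: str) -> str:
    """Canonical form so '10.0.0.1' and '10.0.0.1/32' compare equal."""
    return str(ipaddress.ip_network(value, strict=False))


def network_rule_findings(network_acls: dict, baseline: Baseline) -> list[str]:
    """Return human-readable findings; an empty list means no drift."""
    findings: list[str] = []

    # The account must deny by default; otherwise allow rules are meaningless.
    if network_acls.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny (public endpoint open to all IPs)")

    # Bypass entries let trusted services/logging/metrics skip the firewall;
    # the objective above says only authorized ones may remain.
    bypass = {b.strip() for b in network_acls.get("bypass", "").split(",") if b.strip()}
    for unexpected in sorted(bypass - baseline.allow_bypass - {"None"}):
        findings.append(f"unauthorized bypass entry: {unexpected}")

    # Any IP rule not in the baseline is a candidate inserted rule.
    authorized_ips = {_normalize_ip(ip) for ip in baseline.ip_rules}
    for rule in network_acls.get("ipRules", []):
        cidr = _normalize_ip(rule["value"])
        if cidr not in authorized_ips:
            findings.append(f"unauthorized ipRule: {cidr}")
        elif rule.get("action", "Allow") != "Allow":
            findings.append(f"unexpected action on ipRule {cidr}: {rule['action']}")

    # Same for virtual network rules (subnet resource IDs, case-insensitive).
    authorized_subnets = {s.lower() for s in baseline.subnet_ids}
    for rule in network_acls.get("virtualNetworkRules", []):
        if rule["id"].lower() not in authorized_subnets:
            findings.append(f"unauthorized virtualNetworkRule: {rule['id']}")

    return findings


# Constructed sample: an extra IP rule and an unknown subnet were inserted,
# and bypass was widened to include Metrics. The subscription ID is a placeholder.
VNET = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/"
SAMPLE_ACLS = {
    "bypass": "AzureServices, Metrics",
    "defaultAction": "Deny",
    "ipRules": [
        {"value": "203.0.113.0/24", "action": "Allow"},
        {"value": "198.51.100.7", "action": "Allow"},
    ],
    "virtualNetworkRules": [
        {"id": VNET + "vnet-prod/subnets/app", "action": "Allow"},
        {"id": VNET + "vnet-other/subnets/default", "action": "Allow"},
    ],
}

SAMPLE_BASELINE = Baseline(
    ip_rules={"203.0.113.0/24"},
    subnet_ids={VNET + "vnet-prod/subnets/app"},
    allow_bypass={"AzureServices"},
)

if __name__ == "__main__":
    for finding in network_rule_findings(SAMPLE_ACLS, SAMPLE_BASELINE):
        print("FINDING:", finding)
```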

Cross service exploit

Threat Id: Storage.T51
Name: Cross service exploit
Description: An attacker can manipulate storage services to trigger a compute service like Azure Functions, allowing an attacker to exploit further resources.
Goal: Launch another attack
MITRE ATT&CK®: TA0011
CVSS: Low (2.0)
IAM Access: {}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Very High; 1 / - / -)
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.

Enable monitoring & notifications for Storage Accounts (Very High; 1 / 1 / -)
- Define a diagnostic settings design for Storage Accounts, including destination (tenant/subscription), categories (ideally all), and rotation. Resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace to use with Azure Monitor Logs, to Azure Event Hubs to forward outside of Azure, or to Azure Storage for archiving.
- Ensure Storage Accounts have diagnostic settings configured according to the design.

Key access feature (subclass of Storage account, FC7)

When you create a storage account, Azure generates two 512-bit storage account access keys. These keys can be used to authorise access to data in your storage account via Shared Key authorization. Microsoft recommends that you use Azure Key Vault to manage your access keys, and that you regularly rotate and regenerate your keys.

Actions and IAM Permissions to deny the feature
- Action: Regenerates the access keys for the specified storage account. IAM Permission: Microsoft.Storage/storageAccounts/regeneratekey/action

Data Flow Diagram (DFD)

Threat List (Name: CVSS)
- Access data using storage account access key or SAS token / data leakage due to disclosed SAS token: High (8.1)
- Privilege escalation using storage account access key: Medium (6.5)
- DoS due to storage account access key regeneration: Medium (4.9)

Access data using storage account access key or SAS token / data leakage due to disclosed SAS token

Threat Id: Storage.T3
Name: Access data using storage account access key or SAS token / data leakage due to disclosed SAS token
Description: Storage account access keys have unrestricted access to the storage account they are coming from; a SAS token can give access to a blob, directory, file, table, or queue. A developer could store the keys, access tokens, or SAS URLs in an insecure location, such as a public code repository or client-side code. An attacker can use a stolen storage account access key or SAS token/URL to access or maliciously modify data.
Goal: Data theft
MITRE ATT&CK®: TA0010
CVSS: High (8.1)
IAM Access: {}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Enable monitoring & notifications for Storage Accounts (Very High; 2 / 1 / -)
- Define a diagnostic settings design for Storage Accounts, including destination (tenant/subscription), categories (ideally all), and rotation. Resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace to use with Azure Monitor Logs, to Azure Event Hubs to forward outside of Azure, or to Azure Storage for archiving.
- Ensure diagnostic settings are configured properly according to the architecture design.
- Ensure Storage Accounts have diagnostic settings configured according to the design.

Restrict the use of Shared Key authorization (Very High; - / 1 / -)
- Block the usage of the storage account access key whenever possible.

Restrict access to the endpoints (where possible disable public endpoint) (High; 2 / - / -)
- Maintain a list of authorized IPs and/or resource instance rules authorized to access each storage account.
- Block requests from unauthorized IPs, including trusted services, logging, and metrics read access (ref).

Govern the use of Shared Keys and SAS tokens (High; 4 / - / -)
- Maintain a list of authorized IPs to use SAS tokens and their authorized time window.
- Ensure SAS tokens allow only authorized IPs, using the sourceIP field and enforcing HTTPS.
- Integrate the access to blob, file shares, queues, tables, and DFS via SAS token (generated from account key and/or user delegation key) in the IAM Operating Model, ideally prioritizing AD as the preferred method.
- Maintain a revocation plan for any SAS or storage account access keys issued to clients based on requirements. If a SAS is compromised, you must revoke that SAS as soon as possible. To revoke a user delegation SAS, revoke the user delegation key to invalidate all signatures associated with that key. To revoke a service SAS that is associated with a stored access policy, you can delete the stored access policy, rename the policy, or change its expiry time to a time that is in the past (ref). To revoke a storage account access key, regenerate the key.
- Ensure the revocation plan is in place for any SAS or storage account access key.

Connect via private endpoint (High; 2 / 1 / -)
- Maintain a list of authorized VNETs for the blob, file shares, queues, tables, DFS, NFS, and SFTP access via a private endpoint.
- Ensure only authorized VNETs are configured for the blob, file shares, queues, tables, DFS, NFS, and SFTP.
- Prevent the use of unauthorized VNETs by the storage account (e.g., by using Azure Policy).

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Very Low; 1 / - / -)
- Use Managed Identity as the method for accessing Azure Storage services.

Monitor Storage Accounts with Azure Defender for Storage and Microsoft Purview (Very Low; 2 / 2 / -)
- Ensure Storage Accounts have Azure Defender for Storage account enabled.
- Prevent the creation of Storage Accounts without Azure Defender for storage account option (e.g., by using an Azure Policy "Microsoft.storage/storageaccounts/deleteRetentionPolicy" in deny mode).
- Ensure Storage Accounts have Azure Defender enabled.
- Prevent the creation of Storage Accounts without Azure Defender (e.g., by using an Azure Policy in deny mode).
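The SAS governance controls above (authorized IPs via the source-IP field, HTTPS only, a bounded time window, user delegation over account-key signing) can be checked mechanically on any SAS URL found in code or logs. This is an added example, not TrustOnCloud's tooling; it reads the standard SAS query parameters (spr, sip, se, sp, srt, skoid) and does not verify the signature, and the URLs, hostnames and signature values below are constructed placeholders.

```python
"""Inspect a Shared Access Signature (SAS) URL against the governance rules
above (added example, not part of the threat model document): HTTPS-only
(spr), a source-IP restriction (sip), a bounded validity window (se), and a
preference for user delegation SAS (skoid present) over SAS signed with the
account key. Signatures are not verified here.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit


def _parse_sas_time(value: str) -> datetime:
    # SAS timestamps are ISO 8601 UTC, e.g. 2024-06-01T13:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sas_findings(sas_url: str, now: datetime,
                 max_lifetime: timedelta = timedelta(hours=8)) -> list[str]:
    """Return policy violations for a SAS URL; an empty list means compliant."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(sas_url).query).items()}
    findings: list[str] = []

    if "sig" not in params:
        return ["not a SAS URL: no sig parameter"]

    # Enforce HTTPS: spr must be exactly "https" (spr=https,http permits plaintext).
    if params.get("spr") != "https":
        findings.append("spr is not 'https' (plaintext HTTP permitted)")

    # Restrict callers: sip should pin an IP or range.
    if "sip" not in params:
        findings.append("no sip restriction (any source IP may use the token)")

    # Bound the validity window relative to now.
    expiry = params.get("se")
    if expiry is None:
        findings.append("no se expiry (token valid until the signing key is revoked)")
    else:
        remaining = _parse_sas_time(expiry) - now
        if remaining > max_lifetime:
            findings.append(f"expiry too far out: {remaining} remaining, limit {max_lifetime}")

    # Prefer user delegation SAS (Azure AD-backed) over account-key SAS.
    if "skoid" not in params:
        findings.append("signed with the account key, not a user delegation key")

    # Flag write/delete/create permissions on an account SAS (srt) spanning services.
    if "srt" in params and set(params.get("sp", "")) & set("wdc"):
        findings.append(f"account SAS grants sp={params['sp']} across services {params.get('ss')}")

    return findings


# Constructed examples (hostnames and signatures are placeholders).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
RISKY_SAS = ("https://example.blob.core.windows.net/?sv=2022-11-02&ss=bfqt&srt=sco"
             "&sp=rwdlacup&se=2030-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER")
GOOD_SAS = ("https://example.blob.core.windows.net/container/report.csv?sv=2022-11-02"
            "&sr=b&sp=r&st=2024-06-01T11:55:00Z&se=2024-06-01T13:00:00Z&sip=203.0.113.10"
            "&spr=https&skoid=PLACEHOLDER&sktid=PLACEHOLDER&skt=2024-06-01T11:55:00Z"
            "&ske=2024-06-01T19:55:00Z&sks=b&skv=2022-11-02&sig=PLACEHOLDER")

if __name__ == "__main__":
    for label, url in (("risky", RISKY_SAS), ("good", GOOD_SAS)):
        print(label, sas_findings(url, NOW) or ["compliant"])
```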

Privilege escalation using storage account access key

Threat Id: Storage.T1
Name: Privilege escalation using storage account access key
Description: Storage Accounts can have up to 2 storage access keys with unrestricted permissions on this storage account. An attacker can generate a new storage access key or use an existing key to gain unrestricted access (e.g., az storage blob delete --account-key xxx --account-name xxx -c xxx --name xxx).
Goal: Data theft
MITRE ATT&CK®: TA0010
CVSS: Medium (6.5)
IAM Access:
{
  "OR": ["Microsoft.Storage/storageAccounts/listkeys/action", "Microsoft.Storage/storageAccounts/regeneratekey/action", "Microsoft.Storage/storageAccounts/rotateKey/action"]
}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Very High; 2 / - / -)
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.
- Use Managed Identity as the method for accessing Azure Storage services.

Restrict the use of Shared Key authorization (Very High; - / 1 / -)
- Block the usage of the storage account access key whenever possible.

Restrict access to the endpoints (where possible disable public endpoint) (High; 2 / 1 / -)
- Maintain a list of authorized IPs and/or resource instance rules authorized to access each storage account.
- Block requests from unauthorized IPs, including trusted services, logging, and metrics read access (ref).
- Prevent access from unauthorized IPs by allowing only authorized IPs using Azure Storage firewall.

Connect via private endpoint (High; 2 / 1 / -)
- Maintain a list of authorized VNETs for the blob, file shares, queues, tables, DFS, NFS, and SFTP access via a private endpoint.
- Ensure only authorized VNETs are configured for the blob, file shares, queues, tables, DFS, NFS, and SFTP.
- Prevent the use of unauthorized VNETs by the storage account (e.g., by using Azure Policy).

Govern the use of Shared Keys and SAS tokens (Low; 2 / - / -)
- Integrate the access to blob, file shares, queues, tables, and DFS via SAS token (generated from account key and/or user delegation key) in the IAM Operating Model, ideally prioritizing AD as the preferred method.
- Maintain a revocation plan for any SAS or storage account access keys issued to clients based on requirements. If a SAS is compromised, you must revoke that SAS as soon as possible. To revoke a user delegation SAS, revoke the user delegation key to invalidate all signatures associated with that key. To revoke a service SAS that is associated with a stored access policy, you can delete the stored access policy, rename the policy, or change its expiry time to a time that is in the past (ref). To revoke a storage account access key, regenerate the key.
- Ensure the revocation plan is in place for any SAS or storage account access key.

DoS due to storage account access key regeneration

Threat Id: Storage.T2
Name: DoS due to storage account access key regeneration
Description: SAS tokens can be signed with a storage account access key, enabling non-Azure applications to access data in a storage account. An attacker can rotate or regenerate a storage account access key to invalidate its SAS tokens and block data access for any applications using SAS tokens derived from this access key.
Goal: Disruption of Service
MITRE ATT&CK®: TA0040
CVSS: Medium (4.9)
IAM Access:
{
  "OR": ["Microsoft.Storage/storageAccounts/regeneratekey/action", "Microsoft.Storage/storageAccounts/rotateKey/action"]
}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Very High; 2 / - / -)
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.
- Use Managed Identity as the method for accessing Azure Storage services.

Restrict the use of Shared Key authorization (Very High; 1 / 1 / 1)
- Block the usage of the storage account access key whenever possible.
- Monitor for unauthorized storage account access key rotations (e.g., using the activity log, operation Microsoft.Storage/storageAccounts/regenerateKey/action in operationName.value).
- Maintain a list of authorized storage account access key rotations.

Govern the use of Shared Keys and SAS tokens (Low; 2 / - / -)
- Integrate the access to blob, file shares, queues, tables, and DFS via SAS token (generated from account key and/or user delegation key) in the IAM Operating Model, ideally prioritizing AD as the preferred method.
- Maintain a revocation plan for any SAS or storage account access keys issued to clients based on requirements. If a SAS is compromised, you must revoke that SAS as soon as possible. To revoke a user delegation SAS, revoke the user delegation key to invalidate all signatures associated with that key. To revoke a service SAS that is associated with a stored access policy, you can delete the stored access policy, rename the policy, or change its expiry time to a time that is in the past (ref). To revoke a storage account access key, regenerate the key.
- Ensure the revocation plan is in place for any SAS or storage account access key.
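The detective control above (watch operationName.value for key regeneration and compare against the list of authorized rotations) can be run as a small filter over exported Activity Log records. This is an added example, not TrustOnCloud's tooling; it assumes JSON-lines records with the standard eventTimestamp, caller, operationName.value, status.value and resourceId fields, and the log lines, subscription ID and authorized-rotation list are constructed.

```python
"""Flag storage account key regenerations/rotations in Azure Activity Log
records that are not covered by the maintained list of authorized rotations
(added example, not part of the threat model document). Records are matched
on operationName.value as the control above suggests.
"""
import json
from datetime import datetime, timedelta

# Both operations invalidate SAS tokens signed with the old key.
KEY_OPERATIONS = {
    "microsoft.storage/storageaccounts/regeneratekey/action",
    "microsoft.storage/storageaccounts/rotatekey/action",
}


def _ts(value: str) -> datetime:
    # Activity Log timestamps are ISO 8601 UTC, e.g. 2024-06-01T08:15:02.123Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_authorized(event: dict, authorized: list[dict], window: timedelta) -> bool:
    """A rotation is authorized when a change record names the same caller and
    storage account and its planned time lies within `window` of the event."""
    when = _ts(event["eventTimestamp"])
    for entry in authorized:
        if (entry["caller"].lower() == event["caller"].lower()
                and entry["resourceId"].lower() == event["resourceId"].lower()
                and abs(_ts(entry["plannedAt"]) - when) <= window):
            return True
    return False


def unauthorized_key_rotations(log_lines: list[str], authorized: list[dict],
                               window: timedelta = timedelta(hours=2)) -> list[dict]:
    """Parse JSON-lines Activity Log records and return the suspicious ones."""
    hits: list[dict] = []
    for line in log_lines:
        event = json.loads(line)
        op = event.get("operationName", {}).get("value", "").lower()
        if op not in KEY_OPERATIONS:
            continue
        # Only completed operations matter; "Started" records would double-count.
        if event.get("status", {}).get("value") != "Succeeded":
            continue
        if not is_authorized(event, authorized, window):
            hits.append({"time": event["eventTimestamp"], "caller": event["caller"],
                         "resource": event["resourceId"], "operation": op})
    return hits


# Constructed sample records; the subscription ID is a placeholder.
ACCOUNT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"
           "/providers/Microsoft.Storage/storageAccounts/stprod001")
REGEN = "Microsoft.Storage/storageAccounts/regenerateKey/action"
SAMPLE_LOG = [
    json.dumps({"eventTimestamp": "2024-06-01T08:15:02.123Z", "caller": "ops@example.com",
                "operationName": {"value": REGEN}, "status": {"value": "Succeeded"},
                "resourceId": ACCOUNT}),
    json.dumps({"eventTimestamp": "2024-06-01T23:41:17.001Z", "caller": "contractor@example.com",
                "operationName": {"value": REGEN}, "status": {"value": "Started"},
                "resourceId": ACCOUNT}),
    json.dumps({"eventTimestamp": "2024-06-01T23:41:19.552Z", "caller": "contractor@example.com",
                "operationName": {"value": REGEN}, "status": {"value": "Succeeded"},
                "resourceId": ACCOUNT}),
    json.dumps({"eventTimestamp": "2024-06-01T09:00:00.000Z", "caller": "ops@example.com",
                "operationName": {"value": "Microsoft.Storage/storageAccounts/write"},
                "status": {"value": "Succeeded"}, "resourceId": ACCOUNT}),
]
# The maintained list of authorized rotations (change records).
AUTHORIZED_ROTATIONS = [
    {"caller": "ops@example.com", "resourceId": ACCOUNT, "plannedAt": "2024-06-01T08:00:00Z"},
]

if __name__ == "__main__":
    for hit in unauthorized_key_rotations(SAMPLE_LOG, AUTHORIZED_ROTATIONS):
        print("UNAUTHORIZED KEY ROTATION:", hit)
```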

File shares (subclass of Storage account, FC3)

Azure Files offers fully governed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol or Network File System (NFS) v4.1 protocol.

Actions and IAM Permissions to deny the feature
- Action: Create or update file share. IAM Permission: Microsoft.Storage/storageAccounts/fileServices/shares/write

Data Flow Diagram (DFD)

Threat List (Name: CVSS)
- Exfiltrate data using different access method: High (7.3)
- Usage of outdated vulnerable protocols to access file shares: High (7.1)
- Privilege escalation by modifying file share ACL: Medium (6.2)
- Distribute malicious files via file share: Medium (4.9)
- Recursively delete directories and the content in the file share: Medium (4.5)
- Encrypt files by ransomware in file shares: Medium (4.5)
- Denial of wallet through file upload to storage account: Low (3.5)

Exfiltrate data using different access method

Threat Id: Storage.T15
Name: Exfiltrate data using different access method
Description: Data stored on a file share using the SMB or NFS v4.1 protocols can also be accessible through REST APIs over HTTP/S. An attacker can use a different access method to gain access to the data.
Goal: Data theft
MITRE ATT&CK®: TA0010
CVSS: High (7.3)
IAM Access: { "UNIQUE": "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read" }

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Very High; 6 / - / -)
- Maintain a list of authorized Groups to use in permissions for Data Lake Storage Gen2.
- Ensure only authorized Groups are used in ACLs for Data Lake Storage Gen2.
- Use a naming convention for Groups, adding a suffix (R/RW) and the entity to be used.
- Maintain an architecture of Data Lake Storage Gen2 ACL vs. IAM based on requirements. Microsoft recommends using Azure Active Directory (Azure AD) to authorize requests against blob and queue data, if possible, instead of Shared Key. Azure AD provides superior security and ease of use over Shared Key.
- Integrate the access to directories and objects via ACL in the IAM Operating Model, not mixing IAM, ACL, and tag-based access methods.
- Integrate the access to directories and objects using Azure attribute-based access control (Azure ABAC) in the IAM Operating Model.

Restrict access to the endpoints (where possible disable public endpoint) (High; 2 / 1 / -)
- Maintain a list of authorized IPs and/or resource instance rules authorized to access each storage account.
- Block requests from unauthorized IPs, including trusted services, logging, and metrics read access (ref).
- Prevent access from unauthorized IPs by allowing only authorized IPs using Azure Storage firewall.

Connect via private endpoint (High; 2 / 1 / -)
- Maintain a list of authorized VNETs for the blob, file shares, queues, tables, DFS, NFS, and SFTP access via a private endpoint.
- Ensure only authorized VNETs are configured for the blob, file shares, queues, tables, DFS, NFS, and SFTP.
- Prevent the use of unauthorized VNETs by the storage account (e.g., by using Azure Policy).

Identify and ensure the protection of all Storage Accounts hosting your data (Medium; 1 / - / -)
- Define an ACL or IAM authentication for every storage account. Ideally, use Azure AD only, and multiple Storage Accounts if fine-grained access is required.

Restrict the use of Azure Blob Storage SFTP (Medium; 1 / - / -)
- Do not mix different services like Azure Files, SFTP, and NFS inside the same Azure Storage account.

Usage of outdated vulnerable protocols to access file shares

Threat Id: Storage.T21
Name: Usage of outdated vulnerable protocols to access file shares
Description: Encryption in transit is often disabled to support a legacy application on an outdated operating system. An attacker can exploit old protocols and libraries to gain more permissions (attacks via the SMB client).
Goal: Launch another attack
MITRE ATT&CK®: TA0004
CVSS: High (7.1)
IAM Access: {}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Enforce encryption-in-transit (Very High; 7 / 3 / 2)
- Maintain a list of authorized encryption in transit methods with the desired assignment to Storage Accounts. Ideally, minimum TLS 1.2.
- Ensure authorized encryption in transit methods with desired assignment are set for authorized Storage Accounts, and that clients perform checks against the certificate exposed by Storage Accounts.
- Ensure Storage Accounts have authorized encryption in transit methods configured (e.g., using Azure Policy in deny mode).
- Monitor the creation/update of encryption in transit methods with desired assignment for authorized Storage Accounts (e.g., using activity logs on properties.supportsHttpsTrafficOnly).
- Maintain a list of authorized NFS/SMB 2.1 Azure Files.
- Ensure only authorized Azure Files NFS/SMB 2.1 have encryption disabled.
- Prevent unauthorized Azure Files NFS/SMB 2.1 from having encryption disabled (e.g., using Azure Policy in deny mode).
- Monitor the creation/update of Azure Files NFS/SMB 2.1 and corresponding settings (e.g., using activity logs on properties.supportsHttpsTrafficOnly).
- Maintain a list of authorized Azure Files security protocol settings (ideally maximum security: SMB 3.1.1, Kerberos, AES-256 only).
- Ensure authorized Azure Files options with security protocol settings are set for authorized Storage Accounts.
- Ensure only authorized Azure Files options with security protocol settings are set for authorized Storage Accounts (e.g., using Azure Policy in deny mode on the protocolSettings.smb fields "versions", "authenticationMethods", "kerberosTicketEncryption", and "channelEncryption").
- Refrain from mixing or downgrading security options for the Azure Files shares inside the same Azure Storage account.

Use StorageV2 accounts only (Low; 1 / - / -)
- Azure classic Storage Accounts (Azure ASM resources) should not be in use. Azure Cloud Services (classic) will be retired on 31 August 2024. Classic Storage Accounts depend on Azure Cloud Services (classic) and will be retired on the same date. Before that date, you'll need to migrate them to Azure Resource Manager, which has new security features.

Enforce good coding practice (Very Low; 1 / - / -)
- The latest (or latest -1 with no security vulnerabilities) non-preview version of storage software libraries must be used for Storage Accounts. Running on older versions could mean you are not using the latest security classes. Usage of such old classes and types can make your application vulnerable.
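The encryption-in-transit objective above reduces to a handful of account and file-service properties that can be compared against the desired settings (HTTPS only, minimum TLS 1.2, SMB 3.1.1 with Kerberos, AES-256 tickets and AES-256-GCM channel encryption) while still tolerating a documented legacy exception. This is an added example, not TrustOnCloud's tooling; it assumes input shaped like the ARM properties supportsHttpsTrafficOnly, minimumTlsVersion and protocolSettings.smb (semicolon-separated values), and the sample documents are constructed.

```python
"""Check a storage account's encryption-in-transit settings against the
desired baseline (added example, not part of the threat model document).
Input mirrors the ARM property shapes; the sample documents are constructed.
"""

# Desired values per protocolSettings.smb field (ARM stores them as 'A;B;C').
DESIRED_SMB = {
    "versions": {"SMB3.1.1"},
    "authenticationMethods": {"Kerberos"},
    "kerberosTicketEncryption": {"AES-256"},
    "channelEncryption": {"AES-256-GCM"},
}
TLS_ORDER = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"]


def _split(value) -> set[str]:
    """Parse 'A;B;C'; an absent field means the service default (all options)."""
    return {v.strip() for v in value.split(";") if v.strip()} if value else set()


def transit_findings(account_props: dict, file_service_props: dict,
                     legacy_share_authorized: bool = False) -> list[str]:
    """Return findings for the account; an empty list means it matches the baseline.
    `legacy_share_authorized` marks an account on the maintained NFS/SMB 2.1 list."""
    findings: list[str] = []

    if not account_props.get("supportsHttpsTrafficOnly", False):
        findings.append("supportsHttpsTrafficOnly is false (HTTP allowed)")

    tls = account_props.get("minimumTlsVersion", "TLS1_0")
    if TLS_ORDER.index(tls) < TLS_ORDER.index("TLS1_2"):
        findings.append(f"minimumTlsVersion is {tls}, below TLS1_2")

    smb = file_service_props.get("protocolSettings", {}).get("smb", {})
    for name, allowed in DESIRED_SMB.items():
        configured = _split(smb.get(name))
        if not configured:
            findings.append(f"smb.{name} not set: service default (all options) applies")
            continue
        extra = configured - allowed
        if extra and legacy_share_authorized:
            # SMB 2.1 / NTLMv2 / RC4 are the legacy options the threat describes;
            # report them but mark the exception as documented.
            findings.append(f"smb.{name} allows legacy {sorted(extra)} (authorized exception)")
        elif extra:
            findings.append(f"smb.{name} allows {sorted(extra)}, desired {sorted(allowed)}")
    return findings


# Constructed samples: a weakened account and a hardened one.
WEAK_ACCOUNT = {"supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0"}
WEAK_FILES = {"protocolSettings": {"smb": {
    "versions": "SMB2.1;SMB3.0;SMB3.1.1",
    "authenticationMethods": "NTLMv2;Kerberos",
    "kerberosTicketEncryption": "RC4-HMAC;AES-256",
    "channelEncryption": "AES-128-CCM;AES-128-GCM;AES-256-GCM"}}}
HARDENED_ACCOUNT = {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"}
HARDENED_FILES = {"protocolSettings": {"smb": {
    "versions": "SMB3.1.1", "authenticationMethods": "Kerberos",
    "kerberosTicketEncryption": "AES-256", "channelEncryption": "AES-256-GCM"}}}

if __name__ == "__main__":
    for finding in transit_findings(WEAK_ACCOUNT, WEAK_FILES):
        print("FINDING:", finding)
    print("hardened:", transit_findings(HARDENED_ACCOUNT, HARDENED_FILES) or "compliant")
```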

Privilege escalation by modifying file share ACL

Threat Id: Storage.T17
Name: Privilege escalation by modifying file share ACL
Description: File share ACLs limit access to entities via a file share endpoint. An attacker can modify those ACLs to escalate their privileges.
Goal: Launch another attack
MITRE ATT&CK®: TA0004
CVSS: Medium (6.2)
IAM Access:
{
  "OR": ["Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write", "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action"]
}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Restrict the use of Shared Key authorization (Low; - / 1 / -)
- Block the usage of the storage account access key whenever possible.

Govern the use of Shared Keys and SAS tokens (Low; - / - / -)
- Integrate the access to blob, file shares, queues, tables, and DFS via SAS token (generated from account key and/or user delegation key) in the IAM Operating Model, ideally prioritizing AD as the preferred method.

Protect primary data against loss (Very Low; 1 / - / -)
- Back up primary data in a location which has a different security authority (ref 1, ref 2).

Distribute malicious files via file share

Threat Id: Storage.T20
Name: Distribute malicious files via file share
Description: An attacker can distribute malicious files via Windows shares and in that way infect underlying services (especially VMs).
Goal: Launch another attack
MITRE ATT&CK®: TA0003
CVSS: Medium (4.9)
IAM Access: { "UNIQUE": "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write" }

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Monitor Storage Accounts with Azure Defender for Storage and Microsoft Purview (Medium; 3 / 2 / -)
- Ensure Storage Accounts have Azure Defender for Storage account enabled.
- Prevent the creation of Storage Accounts without Azure Defender for storage account option (e.g., by using an Azure Policy "Microsoft.storage/storageaccounts/deleteRetentionPolicy" in deny mode).
- Periodically scan files with third-party virus scanners that don't only rely on hashes.
- Ensure Storage Accounts have Azure Defender enabled.
- Prevent the creation of Storage Accounts without Azure Defender (e.g., by using an Azure Policy in deny mode).

Enable soft-delete on containers, blobs, and file shares (Medium; 2 / 1 / -)
- For each file share, define the minimum retention of container and blob from the deletion (e.g., 7 days).
- Ensure file shares have soft-delete enabled for at least the defined minimum retention.
- Prevent the creation of file shares without soft-delete (e.g., by using an Azure Policy in deny mode).

Use StorageV2 accounts only (Low; 1 / - / -)
- Azure classic Storage Accounts (Azure ASM resources) should not be in use. Azure Cloud Services (classic) will be retired on 31 August 2024. Classic Storage Accounts depend on Azure Cloud Services (classic) and will be retired on the same date. Before that date, you'll need to migrate them to Azure Resource Manager, which has new security features.

Protect primary data against loss (Low; 1 / - / -)
- Back up primary data in a location which has a different security authority (ref 1, ref 2).

Recursively delete directories and the content in the file share

Threat Id: Storage.T18
Name: Recursively delete directories and the content in the file share
Description: A file share, similar to DFS, has a hierarchical architecture. An attacker can potentially delete multiple directories and files recursively.
Goal: Disruption of Service
MITRE ATT&CK®: TA0040
CVSS: Medium (4.5)
IAM Access: { "UNIQUE": "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete" }

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Enable soft-delete on containers, blobs, and file shares (Medium; 2 / 1 / -)
- For each file share, define the minimum retention of container and blob from the deletion (e.g., 7 days).
- Ensure file shares have soft-delete enabled for at least the defined minimum retention.
- Prevent the creation of file shares without soft-delete (e.g., by using an Azure Policy in deny mode).

Govern the use of Shared Keys and SAS tokens (Low; - / - / -)
- Integrate the access to blob, file shares, queues, tables, and DFS via SAS token (generated from account key and/or user delegation key) in the IAM Operating Model, ideally prioritizing AD as the preferred method.

Protect primary data against loss (Low; 1 / - / -)
- Back up primary data in a location which has a different security authority (ref 1, ref 2).

Encrypt files by ransomware in file shares

Threat Id: Storage.T19
Name: Encrypt files by ransomware in file shares
Description: An attacker can encrypt files in a file share, making them unusable, using an encryption key not controlled by the file owner, and then request a ransom for access to the decryption key.
Goal: Direct Financial Gain
MITRE ATT&CK®: TA0040
CVSS: Medium (4.5)
IAM Access:
{
  "AND": ["Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read", "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write", "directory:W;file:W"]
}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Enable soft-delete on containers, blobs, and file shares (Medium; 2 / 1 / -)
- For each file share, define the minimum retention of container and blob from the deletion (e.g., 7 days).
- Ensure file shares have soft-delete enabled for at least the defined minimum retention.
- Prevent the creation of file shares without soft-delete (e.g., by using an Azure Policy in deny mode).

Govern the use of Shared Keys and SAS tokens (Low; - / - / -)
- Integrate the access to blob, file shares, queues, tables, and DFS via SAS token (generated from account key and/or user delegation key) in the IAM Operating Model, ideally prioritizing AD as the preferred method.

Protect primary data against loss (Low; 1 / - / -)
- Back up primary data in a location which has a different security authority (ref 1, ref 2).

Denial of wallet through file upload to storage account

Threat Id: Storage.T16
Name: Denial of wallet through file upload to storage account
Description: An attacker can upload terabytes to the storage account and cause billing implications, especially with the soft-delete option enabled.
Goal: Financial Drain
MITRE ATT&CK®: TA0040
CVSS: Low (3.5)
IAM Access:
{
  "OR": ["Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"]
}

Control Objectives (Priority; # of associated Controls: Directive / Preventative / Detective)

Enable monitoring & notifications for Storage Accounts (High; - / - / 1)
- Monitor file share quotas and trends using Azure Monitor with an alarm (e.g., Azure file share size is 80% of capacity).

Restrict the use of Shared Key authorization (Very Low; - / 1 / -)
- Block the usage of the storage account access key whenever possible.

Govern the use of Shared Keys and SAS tokens (Very Low; 2 / - / -)
- Integrate the access to blob, file shares, queues, tables, and DFS via SAS token (generated from account key and/or user delegation key) in the IAM Operating Model, ideally prioritizing AD as the preferred method.
- Maintain a revocation plan for any SAS or storage account access keys issued to clients based on requirements. If a SAS is compromised, you must revoke that SAS as soon as possible. To revoke a user delegation SAS, revoke the user delegation key to invalidate all signatures associated with that key. To revoke a service SAS that is associated with a stored access policy, you can delete the stored access policy, rename the policy, or change its expiry time to a time that is in the past (ref). To revoke a storage account access key, regenerate the key.
- Ensure the revocation plan is in place for any SAS or storage account access key.

Monitoring (subclass of Storage account, FC8)

Storage insights provide comprehensive monitoring of your Azure Storage accounts by delivering a unified view of your Azure Storage services performance, capacity, and availability.

Actions and IAM Permissions to deny the feature
- Action: Creates or updates the diagnostic setting for the resource. IAM Permission: Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticsettings/write
- Action: Creates or updates the diagnostic setting for the resource. IAM Permission: Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/diagnosticsettings/write
- Action: Creates or updates the diagnostic setting for the resource. IAM Permission: Microsoft.Storage/storageAccounts/tableServices/providers/Microsoft.Insights/diagnosticsettings/write
- Action: Creates or updates the diagnostic setting for the resource. IAM Permission: Microsoft.Storage/storageAccounts/fileServices/providers/Microsoft.Insights/diagnosticsettings/write
- Action: Creates or updates the diagnostic setting for the resource. IAM Permission: Microsoft.Storage/storageAccounts/queueServices/providers/Microsoft.Insights/diagnosticsettings/write

Data Flow Diagram (DFD)

Threat List (Name: CVSS)
- Disable diagnostic settings: High (7.1)
- Exfiltrate data using diagnostic settings: Medium (4.2)
- Recon of storage environment via examination of diagnostic logs: Medium (4.2)

Disable diagnostic settings

Threat Id Storage.T41

Name Disable diagnostic settings

Description An attacker can disable diagnostic settings to hide their future actions.

Goal Launch another attack

MITRE ATT&CK® TA0003

CVSS High (7.1)


IAM Access
{
  "OR": [
    "Microsoft.Storage/storageAccounts/services/diagnosticsettings/write",
    "Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticsettings/write",
    "Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/diagnosticsettings/write",
    "Microsoft.Storage/storageAccounts/tableServices/providers/Microsoft.Insights/diagnosticsettings/write",
    "Microsoft.Storage/storageAccounts/fileServices/providers/Microsoft.Insights/diagnosticsettings/write",
    "Microsoft.Storage/storageAccounts/queueServices/providers/Microsoft.Insights/diagnosticsettings/write"
  ]
}

# of associated Controls
Control Objectives (Priority; number of Directive / Preventative / Detective controls)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Priority: Very High; Directive: 1; Preventative: -; Detective: -)
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.

Enable monitoring & notifications for Storage Accounts (Priority: Very High; Directive: 2; Preventative: 1; Detective: 1)
- Define a diagnostic settings design for Storage Accounts, including destination (tenant/subscription), categories (ideally all), and rotation. Resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace to use with Azure Monitor Logs, to Azure Event Hubs to forward outside of Azure, or to Azure Storage for archiving.
- Ensure diagnostic settings are configured properly according to the architecture design.
- Ensure Storage Accounts have diagnostic settings configured according to the design.
- Monitor the creation/update of Storage Accounts with diagnostic settings enabled according to the design (e.g., using activity logs on the operation name "create or update resource diagnostic setting").
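As an added example (not part of the ThreatModel), the check below evaluates this page's IAM Access expressions, in the {"OR": [...]} shape used for Storage.T41 above and the {"UNIQUE": [...]} shape used for Storage.T55 later on the page, against role definitions and role assignments in Azure RBAC's Actions/NotActions form, to list the principals that would need review under the "Limit the IAM entities" control. The role names, action patterns and principals are constructed, not Azure built-in roles.

```python
import fnmatch
from typing import Dict, List

# IAM Access expressions copied from this page (Storage.T41 and Storage.T55).
T41_DISABLE_DIAGNOSTICS = {
    "OR": [
        "Microsoft.Storage/storageAccounts/services/diagnosticsettings/write",
        "Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticsettings/write",
        "Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/diagnosticsettings/write",
        "Microsoft.Storage/storageAccounts/tableServices/providers/Microsoft.Insights/diagnosticsettings/write",
        "Microsoft.Storage/storageAccounts/fileServices/providers/Microsoft.Insights/diagnosticsettings/write",
        "Microsoft.Storage/storageAccounts/queueServices/providers/Microsoft.Insights/diagnosticsettings/write",
    ]
}
T55_RENAME_BLOB = {
    "UNIQUE": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action"]
}

# Constructed role definitions (hypothetical, not Azure built-in roles), in the
# Actions / NotActions shape of an Azure RBAC role definition.
ROLES: Dict[str, dict] = {
    "reader-only":        {"actions": ["*/read"], "not_actions": []},
    "storage-admin":      {"actions": ["Microsoft.Storage/*"], "not_actions": []},
    "storage-no-logging": {"actions": ["Microsoft.Storage/*"],
                           "not_actions": ["Microsoft.Storage/storageAccounts/*/diagnosticsettings/write"]},
}

# Constructed assignments: principal -> roles held (the union of their actions applies).
ASSIGNMENTS: Dict[str, List[str]] = {
    "alice":      ["reader-only"],
    "bob":        ["storage-admin"],
    "svc-backup": ["reader-only", "storage-no-logging"],
}


def action_matches(pattern: str, action: str) -> bool:
    """Azure action strings compare case-insensitively and '*' spans any number of
    '/'-separated segments, so fnmatch on lowercased strings reproduces that matching."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_grants(role: dict, action: str) -> bool:
    """A role grants an action when an Actions entry matches it and no NotActions
    entry does (NotActions narrows the grant; it is not a deny)."""
    if not any(action_matches(p, action) for p in role["actions"]):
        return False
    return not any(action_matches(p, action) for p in role.get("not_actions", []))


def principal_has(principal: str, action: str) -> bool:
    return any(role_grants(ROLES[r], action) for r in ASSIGNMENTS[principal])


def required_actions(expr: dict) -> List[str]:
    """OR: any single listed action suffices. UNIQUE: the one listed action is required."""
    if "OR" in expr:
        return list(expr["OR"])
    if "UNIQUE" in expr and len(expr["UNIQUE"]) == 1:
        return list(expr["UNIQUE"])
    raise ValueError(f"unsupported IAM Access expression: {expr}")


def can_perform(principal: str, expr: dict) -> bool:
    """True when the principal holds at least one action satisfying the expression.
    Deny assignments and ABAC conditions are out of scope for this check."""
    return any(principal_has(principal, a) for a in required_actions(expr))


def exposed_principals(expr: dict) -> List[str]:
    """Principals able to execute the threat: the population to review under the
    'Limit the IAM entities allowed to execute the IAM actions' control."""
    return sorted(p for p in ASSIGNMENTS if can_perform(p, expr))


if __name__ == "__main__":
    print("Storage.T41:", exposed_principals(T41_DISABLE_DIAGNOSTICS))  # ['bob']
    print("Storage.T55:", exposed_principals(T55_RENAME_BLOB))          # ['bob', 'svc-backup']
```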

Exfiltrate data using diagnostic settings

Threat Id Storage.T10

Name Exfiltrate data using diagnostic settings

Description Diagnostic settings can be set at the storage account and/or container level. An attacker can modify diagnostic settings and send the Storage Accounts logs to another tenant/subscription to exfiltrate data.

Goal Data theft

MITRE ATT&CK® TA0010

CVSS Medium (4.2)


IAM Access
{
  "OR": [
    "Microsoft.Storage/storageAccounts/services/diagnosticsettings/write",
    "Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticsettings/write",
    "Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/diagnosticsettings/write",
    "Microsoft.Storage/storageAccounts/tableServices/providers/Microsoft.Insights/diagnosticsettings/write",
    "Microsoft.Storage/storageAccounts/fileServices/providers/Microsoft.Insights/diagnosticsettings/write",
    "Microsoft.Storage/storageAccounts/queueServices/providers/Microsoft.Insights/diagnosticsettings/write"
  ]
}

# of associated Controls
Control Objectives (Priority; number of Directive / Preventative / Detective controls)

Enable monitoring & notifications for Storage Accounts (Priority: Very High; Directive: 2; Preventative: 1; Detective: 1)
- Define a diagnostic settings design for Storage Accounts, including destination (tenant/subscription), categories (ideally all), and rotation. Resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace to use with Azure Monitor Logs, to Azure Event Hubs to forward outside of Azure, or to Azure Storage for archiving.
- Ensure diagnostic settings are configured properly according to the architecture design.
- Ensure Storage Accounts have diagnostic settings configured according to the design.
- Monitor the creation/update of Storage Accounts with diagnostic settings enabled according to the design (e.g., using activity logs on the operation name "create or update resource diagnostic setting").
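As an added example, not code from the ThreatModel, the detection logic below implements the activity-log monitoring control for Storage.T41 and Storage.T10 over constructed activity-log-style records: it flags a deleted diagnostic setting, disabled resource-log categories, and a log destination in a subscription other than the approved one. The subscription IDs, resource IDs, callers and the reduced record shape are constructed placeholders.

```python
import json
from typing import List

# Approved design (constructed placeholders): all storage logs go to one subscription,
# and these three resource-log categories must stay enabled.
APPROVED_SUBSCRIPTION = "11111111-1111-1111-1111-111111111111"
OTHER_SUBSCRIPTION = "22222222-2222-2222-2222-222222222222"
REQUIRED_CATEGORIES = {"StorageRead", "StorageWrite", "StorageDelete"}


def subscription_of(resource_id: str) -> str:
    """Subscription GUID embedded in an ARM resource ID ('' if absent)."""
    parts = resource_id.lower().split("/")
    return parts[parts.index("subscriptions") + 1] if "subscriptions" in parts else ""


def destinations(setting: dict) -> List[str]:
    """Every sink a diagnostic setting can ship logs to; any of them may point outside the tenant."""
    props = setting.get("properties", {})
    keys = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")
    return [props[k] for k in keys if props.get(k)]


def evaluate(event: dict) -> List[str]:
    """Alerts for one activity-log event (empty when the event is benign or unrelated)."""
    op = event["operationName"].lower()
    who = f"{event['caller']} on {event['resourceId']}"
    if op == "microsoft.insights/diagnosticsettings/delete":
        return [f"T41: diagnostic setting deleted by {who}"]
    if op != "microsoft.insights/diagnosticsettings/write":
        return []
    setting = json.loads(event["properties"]["requestbody"])
    alerts = []
    for dest in destinations(setting):
        if subscription_of(dest) != APPROVED_SUBSCRIPTION:
            alerts.append(f"T10: logs redirected to {dest} by {who}")
    enabled = {entry["category"] for entry in setting.get("properties", {}).get("logs", [])
               if entry.get("enabled")}
    missing = sorted(REQUIRED_CATEGORIES - enabled)
    if missing:
        alerts.append(f"T41: categories disabled {missing} by {who}")
    return alerts


def scan(events: List[dict]) -> List[str]:
    return [alert for event in events for alert in evaluate(event)]


# Constructed sample events in a reduced Activity Log shape.
STORAGE_RESOURCE = (f"/subscriptions/{APPROVED_SUBSCRIPTION}/resourceGroups/rg-app/providers/"
                    "Microsoft.Storage/storageAccounts/stprodapp01/blobServices/default")


def _request_body(workspace_subscription: str, disabled=()) -> str:
    workspace = (f"/subscriptions/{workspace_subscription}/resourceGroups/rg-sec/providers/"
                 "Microsoft.OperationalInsights/workspaces/law-central")
    logs = [{"category": c, "enabled": c not in disabled} for c in sorted(REQUIRED_CATEGORIES)]
    return json.dumps({"properties": {"workspaceId": workspace, "logs": logs}})


def _event(op: str, caller: str, body: str = "") -> dict:
    return {"operationName": op, "caller": caller, "resourceId": STORAGE_RESOURCE,
            "properties": {"requestbody": body} if body else {}}


SAMPLE_EVENTS = [
    _event("Microsoft.Insights/diagnosticSettings/write", "platform-automation",
           _request_body(APPROVED_SUBSCRIPTION)),                       # matches the design
    _event("Microsoft.Insights/diagnosticSettings/write", "jdoe@contoso.example",
           _request_body(OTHER_SUBSCRIPTION)),                          # T10: foreign destination
    _event("Microsoft.Insights/diagnosticSettings/delete", "jdoe@contoso.example"),  # T41
    _event("Microsoft.Insights/diagnosticSettings/write", "jdoe@contoso.example",
           _request_body(APPROVED_SUBSCRIPTION, disabled=("StorageDelete",))),  # T41: category off
    _event("Microsoft.Storage/storageAccounts/listKeys/action", "app-identity"),    # unrelated
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```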

Recon of storage environment via examination of diagnostic logs

Threat Id Storage.T53

Name Recon of storage environment via examination of diagnostic logs

Description An attacker can leverage the data present in the diagnostic logs (e.g., authorized IP addresses, resource URIs) as a means of mapping out the environment and dataflows to assist in further attacks.

Goal Data theft

MITRE ATT&CK® TA0010

CVSS Medium (4.2)


IAM Access
{
  "OR": [
    "Microsoft.Storage/storageAccounts/services/diagnosticsettings/read",
    "Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticsettings/read",
    "Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/diagnosticsettings/read",
    "Microsoft.Storage/storageAccounts/tableServices/providers/Microsoft.Insights/diagnosticsettings/read",
    "Microsoft.Storage/storageAccounts/fileServices/providers/Microsoft.Insights/diagnosticsettings/read",
    "Microsoft.Storage/storageAccounts/queueServices/providers/Microsoft.Insights/diagnosticsettings/read"
  ]
}

# of associated Controls
Control Objectives (Priority; number of Directive / Preventative / Detective controls)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Priority: Very High; Directive: 1; Preventative: -; Detective: -)
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.

Enable monitoring & notifications for Storage Accounts (Priority: Very High; Directive: 2; Preventative: 1; Detective: 1)
- Define a diagnostic settings design for Storage Accounts, including destination (tenant/subscription), categories (ideally all), and rotation. Resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace to use with Azure Monitor Logs, to Azure Event Hubs to forward outside of Azure, or to Azure Storage for archiving.
- Ensure diagnostic settings are configured properly according to the architecture design.
- Ensure Storage Accounts have diagnostic settings configured according to the design.
- Monitor the creation/update of Storage Accounts with diagnostic settings enabled according to the design (e.g., using activity logs on the operation name "create or update resource diagnostic setting").

Queues (subclass of Storage account, FC4)
Azure Queue Storage is a service for storing large numbers of messages. Messages are accessed via HTTP/S calls.

Data Flow Diagram (DFD)

Actions and IAM Permissions to deny the feature
Action: Create a queue
IAM Permission: Microsoft.Storage/storageAccounts/queueServices/queues/write

Threat List
Name CVSS

Privilege escalation by modifying queue ACL Medium (6.2)

Unauthorized access to a sensitive message Medium (6.1)

Impacting queues messages integrity or complete data loss of sensitive data Medium (5.2)

Privilege escalation by modifying queue ACL

Threat Id Storage.T27

Name Privilege escalation by modifying queue ACL

Description Queue ACLs limit access to entities via the queue endpoint. An attacker can modify those ACLs to escalate their privileges.

Goal Launch another attack

MITRE ATT&CK® TA0004

CVSS Medium (6.2)


IAM Access
{
  "OR": [
    "Microsoft.Storage/storageAccounts/queueServices/write",
    "Microsoft.Storage/storageAccounts/queueServices/queues/write"
  ]
}

# of associated Controls
Control Objectives (Priority; number of Directive / Preventative / Detective controls)

Restrict the use of Shared Key authorization (Priority: Low; Directive: -; Preventative: 1; Detective: -)
- Block the usage of the storage account access key whenever possible.

Govern the use of Shared Keys and SAS tokens (Priority: Low; Directive: -; Preventative: -; Detective: -)
- Integrate the access to blob, file shares, queues, tables, and DFS via SAS token (generated from account key and/or user delegation key) in the IAM Operating Model, ideally prioritizing AD as the preferred method.

Unauthorized access to a sensitive message

Threat Id Storage.T32

Name Unauthorized access to a sensitive message

Description An attacker can access a sensitive message, or modify a message that other services will consume.

Goal Data theft

MITRE ATT&CK® TA0010

CVSS Medium (6.1)


IAM Access
{
  "OR": [
    "Microsoft.Storage/storageAccounts/queueServices/read",
    "Microsoft.Storage/storageAccounts/queueServices/queues/write",
    "Microsoft.Storage/storageAccounts/queueServices/write",
    "Microsoft.Storage/storageAccounts/queueServices/queues/read"
  ]
}

# of associated Controls
Control Objectives (Priority; number of Directive / Preventative / Detective controls)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Priority: Very High; Directive: 1; Preventative: -; Detective: -)
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.

Restrict access to the endpoints (where possible disable public endpoint) (Priority: High; Directive: 2; Preventative: 1; Detective: -)
- Maintain a list of authorized IPs and/or resource instance rules authorized to access each storage account.
- Block requests from unauthorized IPs, including trusted services, logging, and metrics read access (ref).
- Prevent access from unauthorized IPs by allowing only authorized IPs using the Azure Storage firewall.

Govern the use of Shared Keys and SAS tokens (Priority: High; Directive: 2; Preventative: -; Detective: -)
- Maintain a list of authorized IPs to use SAS tokens and their authorized time window.
- Ensure SAS tokens allow only authorized IPs, using the sourceIP field and enforcing HTTPS.

Connect via private endpoint (Priority: High; Directive: 2; Preventative: 1; Detective: -)
- Maintain a list of authorized VNETs for the blob, file shares, queues, tables, DFS, NFS, and SFTP access via a private endpoint.
- Ensure only authorized VNETs are configured for the blob, file shares, queues, tables, DFS, NFS, and SFTP.
- Prevent the use of unauthorized VNETs by the storage account (e.g., by using Azure Policy).

Integrate ACLs in the IAM Operating Model to allow non-AD access to files and directories (Priority: Low; Directive: 1; Preventative: -; Detective: -)
- Integrate the access to files and directories via ACL in the IAM Operating Model.

Impacting queues messages integrity or complete data loss of sensitive data

Threat Id Storage.T31

Name Impacting queues messages integrity or complete data loss of sensitive data

Description Messages in queues can be purged and deleted; queues can be deleted with all their messages, and queue parameter changes can result in losing all the messages. An attacker can delete or alter messages and queues using any of these methods, impacting downstream applications and processes and causing loss of integrity and DoS.

Goal Data manipulation

MITRE ATT&CK® TA0040

CVSS Medium (5.2)


IAM Access
{
  "OR": [
    "Microsoft.Storage/storageAccounts/queueServices/write",
    "Microsoft.Storage/storageAccounts/queueServices/queues/write",
    "Microsoft.Storage/storageAccounts/queueServices/queues/delete"
  ]
}

# of associated Controls
Control Objectives (Priority; number of Directive / Preventative / Detective controls)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Priority: Very High; Directive: 1; Preventative: -; Detective: -)
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.

Restrict access to the endpoints (where possible disable public endpoint) (Priority: High; Directive: 2; Preventative: 1; Detective: -)
- Maintain a list of authorized IPs and/or resource instance rules authorized to access each storage account.
- Block requests from unauthorized IPs, including trusted services, logging, and metrics read access (ref).
- Prevent access from unauthorized IPs by allowing only authorized IPs using the Azure Storage firewall.

Govern the use of Shared Keys and SAS tokens (Priority: High; Directive: 2; Preventative: -; Detective: -)
- Maintain a list of authorized IPs to use SAS tokens and their authorized time window.
- Ensure SAS tokens allow only authorized IPs, using the sourceIP field and enforcing HTTPS.

Connect via private endpoint (Priority: High; Directive: 2; Preventative: 1; Detective: -)
- Maintain a list of authorized VNETs for the blob, file shares, queues, tables, DFS, NFS, and SFTP access via a private endpoint.
- Ensure only authorized VNETs are configured for the blob, file shares, queues, tables, DFS, NFS, and SFTP.
- Prevent the use of unauthorized VNETs by the storage account (e.g., by using Azure Policy).

Integrate ACLs in the IAM Operating Model to allow non-AD access to files and directories (Priority: Low; Directive: 1; Preventative: -; Detective: -)
- Integrate the access to files and directories via ACL in the IAM Operating Model.

Tables (subclass of Storage account, FC5)
The most economical table-style storage available for storing petabytes of semi-structured data while keeping costs down.

Data Flow Diagram (DFD)

Actions and IAM Permissions to deny the feature
Action: Create tables
IAM Permission: Microsoft.Storage/storageAccounts/tableServices/tables/write

Threat List
Name CVSS

Privilege escalation by modifying table ACL Medium (6.2)

Privilege escalation by modifying table ACL

Threat Id Storage.T28

Name Privilege escalation by modifying table ACL

Description Table ACLs are used to limit access to entities via the table endpoint. An attacker can modify those ACLs to escalate their privileges.

Goal Launch another attack

MITRE ATT&CK® TA0004

CVSS Medium (6.2)


IAM Access
{
  "OR": [
    "Microsoft.Storage/storageAccounts/tableServices/write",
    "Microsoft.Storage/storageAccounts/tableServices/tables/write"
  ]
}

# of associated Controls
Control Objectives (Priority; number of Directive / Preventative / Detective controls)

Restrict the use of Shared Key authorization (Priority: Low; Directive: -; Preventative: 1; Detective: -)
- Block the usage of the storage account access key whenever possible.

Govern the use of Shared Keys and SAS tokens (Priority: Low; Directive: -; Preventative: -; Detective: -)
- Integrate the access to blob, file shares, queues, tables, and DFS via SAS token (generated from account key and/or user delegation key) in the IAM Operating Model, ideally prioritizing AD as the preferred method.

Blob storage, containers, Data Lake Storage Gen2 (subclass of Storage account, FC2)
Object storage solution for storing large amounts of unstructured data (blobs), accessible via HTTP/S and optionally via the Network File System (NFS) v3 and SFTP protocols.

Data Flow Diagram (DFD)

Actions and IAM Permissions to deny the feature
Action: Create a filesystem rooted at the specified location. If the filesystem already exists, the operation fails. This operation does not support conditional HTTP requests.
IAM Permission: Microsoft.Storage/storageAccounts/blobServices/containers/write
Threat List
Name CVSS

Gain access to blob by renaming file High (8.1)

Unauthorized data made public High (8.1)

Modify permissions by adding, modifying or removing tags High (8.1)

Exfiltrate data by brute force enumeration of items from the storage account High (8.1)

Information disclosure due to unencrypted blob storage High (7.3)

Privilege escalation by misconfiguration of NFS endpoint or by modifying current network settings High (7.3)

Exfiltrate files via the static website feature High (7.1)

Data loss due to disabling the versioning Medium (6.2)

Data loss due to disabling soft deletion Medium (6.2)

Privilege escalation by modifying File System ACL Medium (6.2)

Encrypt/overwrite files by ransomware in DFS/blob Medium (6.1)

Infect downstream processes with malware Medium (5.4)

Unauthorized modification of data Medium (5.2)

Distribute standard malicious files via storage account bypassing Defender for storage Medium (4.9)

Recursively delete DFS directories and their content Medium (4.5)

Bypassing of soft delete by moving blob to archive tier Medium (4.5)

DoS on wallet by executing Azure Data Lake Storage query acceleration Low (3.5)

Gain access to blob by renaming file

Threat Id Storage.T55

Name Gain access to blob by renaming file

Description When the blob path is used as the @resource attribute in an access condition, an attacker can gain access to a blob by renaming a file.

Goal Data theft

MITRE ATT&CK® TA0010

CVSS High (8.1)


IAM Access
{
  "UNIQUE": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action"
  ]
}

# of associated Controls
Control Objectives (Priority; number of Directive / Preventative / Detective controls)

Enable monitoring & notifications for Storage Accounts (Priority: Very High; Directive: 2; Preventative: 1; Detective: 1)
- Define a diagnostic settings design for Storage Accounts, including destination (tenant/subscription), categories (ideally all), and rotation. Resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace to use with Azure Monitor Logs, to Azure Event Hubs to forward outside of Azure, or to Azure Storage for archiving.
- Ensure diagnostic settings are configured properly according to the architecture design.
- Ensure Storage Accounts have diagnostic settings configured according to the design.
- Monitor the creation/update of Storage Accounts with diagnostic settings enabled according to the design (e.g., using activity logs on the operation name "create or update resource diagnostic setting").

Restrict the use of Shared Key authorization (Priority: Very High; Directive: -; Preventative: 1; Detective: -)
- Block the usage of the storage account access key whenever possible.

Restrict access to the endpoints (where possible disable public endpoint) (Priority: High; Directive: 2; Preventative: 1; Detective: -)
- Maintain a list of authorized IPs and/or resource instance rules authorized to access each storage account.
- Block requests from unauthorized IPs, including trusted services, logging, and metrics read access (ref).
- Prevent access from unauthorized IPs by allowing only authorized IPs using the Azure Storage firewall.

Connect via private endpoint (Priority: High; Directive: 2; Preventative: 1; Detective: -)
- Maintain a list of authorized VNETs for the blob, file shares, queues, tables, DFS, NFS, and SFTP access via a private endpoint.
- Ensure only authorized VNETs are configured for the blob, file shares, queues, tables, DFS, NFS, and SFTP.
- Prevent the use of unauthorized VNETs by the storage account (e.g., by using Azure Policy).

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Priority: Medium; Directive: 1; Preventative: -; Detective: -)
- Use Managed Identity as the method for accessing Azure Storage services.

Govern the use of Shared Keys and SAS tokens (Priority: Low; Directive: 2; Preventative: -; Detective: -)
- Integrate the access to blob, file shares, queues, tables, and DFS via SAS token (generated from account key and/or user delegation key) in the IAM Operating Model, ideally prioritizing AD as the preferred method.
- Maintain a revocation plan for any SAS or storage account access keys issued to clients based on requirements. If a SAS is compromised, you must revoke that SAS as soon as possible. To revoke a user delegation SAS, revoke the user delegation key to invalidate all signatures associated with that key. To revoke a service SAS that is associated with a stored access policy, you can delete the stored access policy, rename the policy, or change its expiry time to a time that is in the past (ref). To revoke a storage account access key, regenerate the key.
- Ensure the revocation plan is in place for any SAS or storage account access key.

Monitor Storage Accounts with Azure Defender for Storage and Microsoft Purview (Priority: Very Low; Directive: 2; Preventative: 2; Detective: -)
- Ensure Storage Accounts have Azure Defender for Storage enabled.
- Prevent the creation of Storage Accounts without the Azure Defender for Storage option (e.g., by using an Azure Policy "Microsoft.storage/storageaccounts/deleteRetentionPolicy" in deny mode).
- Ensure Storage Accounts have Azure Defender enabled.
- Prevent the creation of Storage Accounts without Azure Defender (e.g., by using an Azure Policy in deny mode).

Unauthorized data made public

Threat Id Storage.T5

Name Unauthorized data made public

Description An attacker (or someone by negligence) can create/modify a container to make it public and steal/exfiltrate/expose data.

Goal Data theft

MITRE ATT&CK® TA0010

CVSS High (8.1)


IAM Access
{
  "OR": [
    "Microsoft.Storage/storageAccounts/blobServices/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
  ]
}

# of associated Controls
Control Objectives (Priority; number of Directive / Preventative / Detective controls)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Priority: Very High; Directive: 1; Preventative: 1; Detective: -)
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.
- Limit access to delete Storage Accounts, via Azure Policy and IAM. Never delete a sensitive storage account (instead, just delete all its data), so that the storage account FQDN cannot be used as a source of an attack.

Enable monitoring & notifications for Storage Accounts (Priority: Very High; Directive: 2; Preventative: 1; Detective: -)
- Define a diagnostic settings design for Storage Accounts, including destination (tenant/subscription), categories (ideally all), and rotation. Resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace to use with Azure Monitor Logs, to Azure Event Hubs to forward outside of Azure, or to Azure Storage for archiving.
- Ensure diagnostic settings are configured properly according to the architecture design.
- Ensure Storage Accounts have diagnostic settings configured according to the design.

Protect primary data against loss (Priority: Very High; Directive: 4; Preventative: -; Detective: -)
- Maintain a list of objects with cross-tenant replication enabled, or Storage Accounts without private endpoint replication (any storage account) enabled.
- Ensure cross-tenant replication/any Storage Accounts are allowed only for specific Storage Accounts.
- Maintain a list of authorized storage accounts and their corresponding account locks (e.g., to prevent deletions).
- Lock storage accounts to prevent accidental or malicious deletion or configuration changes, and ensure only authorized Storage Accounts have the lock disabled.

Restrict access to the endpoints (where possible disable public endpoint) (Priority: High; Directive: 2; Preventative: -; Detective: -)
- Maintain a list of authorized IPs and/or resource instance rules authorized to access each storage account.
- Block requests from unauthorized IPs, including trusted services, logging, and metrics read access (ref).

Use StorageV2 accounts only (Priority: High; Directive: 1; Preventative: -; Detective: -)
- Azure classic Storage Accounts (Azure ASM resources) should not be in use. Azure Cloud Services (classic) will be retired on 31 August 2024. Classic Storage Accounts depend on Azure Cloud Services (classic) and will be retired on the same date. Before that date, you'll need to migrate them to Azure Resource Manager, which has new security features.

Enable soft-delete on containers, blobs, and file shares (Priority: High; Directive: 2; Preventative: 1; Detective: 1)
- Maintain a list of authorized blobs and containers with public access level set to anonymous; ideally, none.
- Ensure the anonymous access level is set only for authorized blobs/containers.
- Ensure only authorized blobs and containers are anonymously accessible (e.g., using Azure Policy in deny mode).
- Monitor the creation/update of blobs and containers that are anonymously accessible (e.g., using Azure Automation).

Connect via private endpoint (Priority: High; Directive: 2; Preventative: 1; Detective: -)
- Maintain a list of authorized VNETs for the blob, file shares, queues, tables, DFS, NFS, and SFTP access via a private endpoint.
- Ensure only authorized VNETs are configured for the blob, file shares, queues, tables, DFS, NFS, and SFTP.
- Prevent the use of unauthorized VNETs by the storage account (e.g., by using Azure Policy).

Identify and ensure the protection of all Storage Accounts hosting your data (Priority: Medium; Directive: 1; Preventative: -; Detective: 2)
- Define an ACL or IAM authentication for every storage account. Ideally, use Azure AD only, and multiple Storage Accounts if fine-grained access is required.
- Use a data discovery tool (e.g., Microsoft Purview) to control that no sensitive data is stored in an unauthorized storage account.
- Use a data discovery tool (e.g., Microsoft Purview) to ensure the storage account names, object names, and tags do not contain sensitive data.

Monitor Storage Accounts with Azure Defender for Storage and Microsoft Purview (Priority: Low; Directive: 2; Preventative: 2; Detective: -)
- Ensure Storage Accounts have Azure Defender for Storage enabled.
- Prevent the creation of Storage Accounts without the Azure Defender for Storage option (e.g., by using an Azure Policy "Microsoft.storage/storageaccounts/deleteRetentionPolicy" in deny mode).
- Ensure Storage Accounts have Azure Defender enabled.
- Prevent the creation of Storage Accounts without Azure Defender (e.g., by using an Azure Policy in deny mode).

Ensure no storage account allows public access to blobs (Priority: Low; Directive: 2; Preventative: 1; Detective: -)
- Maintain a list of authorized Storage Accounts with allowBlobPublicAccess enabled; ideally, none.
- Ensure no Storage Accounts have allowBlobPublicAccess enabled, except if authorized.
- Prevent the creation/update of Storage Accounts with allowBlobPublicAccess enabled (e.g., using Azure Policy in deny mode: "Storage account public access should be disallowed").

Modify permissions by adding, modifying or removing tags

Threat Id Storage.T33

Name Modify permissions by adding, modifying or removing tags

Description Access to Azure Storage blobs can be configured based on tags and custom security attributes using attribute-based access control (ABAC) conditions. An attacker can modify the conditions and/or tags to escalate privileges, access data, or perform a DoS.

Goal Data theft

MITRE ATT&CK® TA0010

CVSS High (8.1)


IAM Access
{
  "OR": [
    "microsoft.directory/attributeSets/allProperties/allTasks",
    "microsoft.directory/customSecurityAttributeDefinitions/allProperties/allTasks",
    "microsoft.directory/servicePrincipals/customSecurityAttributes/update",
    "microsoft.directory/users/customSecurityAttributes/update",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Storage/storageAccounts/blobServices/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
  ]
}

# of associated Controls
Control Objectives (Priority; number of Directive / Preventative / Detective controls)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Priority: Very High; Directive: 4; Preventative: -; Detective: -)
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.
- Maintain an architecture of Data Lake Storage Gen2 ACL vs. IAM based on requirements. Microsoft recommends using Azure Active Directory (Azure AD) to authorize requests against blob and queue data, if possible, instead of Shared Key. Azure AD provides superior security and ease of use over Shared Key.
- Integrate the access to directories and objects via ACL in the IAM Operating Model, without mixing the IAM, ACL and tag-based access methods.
- Integrate the access to directories and objects using Azure attribute-based access control (Azure ABAC) in the IAM Operating Model.

Identify and ensure the protection of all Storage Accounts hosting your data (Priority: Medium; Directive: 1; Preventative: -; Detective: -)
- Define an ACL or IAM authentication for every storage account. Ideally, use Azure AD only, and multiple Storage Accounts if fine-grained access is required.

Integrate ACLs in the IAM Operating Model to allow non-AD access to files and directories (Priority: Very Low; Directive: 1; Preventative: -; Detective: -)
- Integrate the access to files and directories via ACL in the IAM Operating Model.

Exfiltrate data by brute force enumeration of items from the storage account

Threat Id Storage.T37

Name Exfiltrate data by brute force enumeration of items from the storage account

Description Even with the "Public read access for blobs only" property set, blobs can be accessed by adding the blob name to the URL to see the contents. An attacker can enumerate blobs using brute force and access them.

Goal Data theft

MITRE ATT&CK® TA0010

CVSS High (8.1)

IAM Access {}

# of associated Controls
Control Objectives (Priority; number of Directive / Preventative / Detective controls)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Priority: Very High; Directive: 1; Preventative: -; Detective: -)
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.

Enable monitoring & notifications for Storage Accounts (Priority: Very High; Directive: 2; Preventative: 1; Detective: -)
- Define a diagnostic settings design for Storage Accounts, including destination (tenant/subscription), categories (ideally all), and rotation. Resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace to use with Azure Monitor Logs, to Azure Event Hubs to forward outside of Azure, or to Azure Storage for archiving.
- Ensure diagnostic settings are configured properly according to the architecture design.
- Ensure Storage Accounts have diagnostic settings configured according to the design.

Restrict access to the endpoints (where possible disable public endpoint) (Priority: High; Directive: 2; Preventative: -; Detective: -)
- Maintain a list of authorized IPs and/or resource instance rules authorized to access each storage account.
- Block requests from unauthorized IPs, including trusted services, logging, and metrics read access (ref).

Enable soft-delete on containers, blobs, and file shares (Priority: High; Directive: 2; Preventative: 1; Detective: 1)
- Maintain a list of authorized blobs and containers with public access level set to anonymous; ideally, none.
- Ensure the anonymous access level is set only for authorized blobs/containers.
- Ensure only authorized blobs and containers are anonymously accessible (e.g., using Azure Policy in deny mode).
- Monitor the creation/update of blobs and containers that are anonymously accessible (e.g., using Azure Automation).

Connect via private endpoint (Priority: High; Directive: 2; Preventative: 1; Detective: -)
- Maintain a list of authorized VNETs for the blob, file shares, queues, tables, DFS, NFS, and SFTP access via a private endpoint.
- Ensure only authorized VNETs are configured for the blob, file shares, queues, tables, DFS, NFS, and SFTP.
- Prevent the use of unauthorized VNETs by the storage account (e.g., by using Azure Policy).

Identify and ensure the protection of all Storage Accounts hosting your data (Priority: Medium; Directive: 1; Preventative: -; Detective: -)
- Define an ACL or IAM authentication for every storage account. Ideally, use Azure AD only, and multiple Storage Accounts if fine-grained access is required.

Monitor Storage Accounts with Azure Defender for Storage and Microsoft Purview (Priority: Low; Directive: 2; Preventative: 2; Detective: -)
- Ensure Storage Accounts have Azure Defender for Storage enabled.
- Prevent the creation of Storage Accounts without the Azure Defender for Storage option (e.g., by using an Azure Policy "Microsoft.storage/storageaccounts/deleteRetentionPolicy" in deny mode).
- Ensure Storage Accounts have Azure Defender enabled.
- Prevent the creation of Storage Accounts without Azure Defender (e.g., by using an Azure Policy in deny mode).

Ensure no storage account allows public access to blobs (Priority: Low; Directive: 2; Preventative: 1; Detective: -)
- Maintain a list of authorized Storage Accounts with allowBlobPublicAccess enabled; ideally, none.
- Ensure no Storage Accounts have allowBlobPublicAccess enabled, except if authorized.
- Prevent the creation/update of Storage Accounts with allowBlobPublicAccess enabled (e.g., using Azure Policy in deny mode: "Storage account public access should be disallowed").

ThreatModel for Azure Storage, by TrustOnCloud, under a Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). Page 56 / 135
Information disclosure due to unencrypted blob storage

Threat Id Storage.T49

Name Information disclosure due to unencrypted blob storage

Description A blob created before October 20, 2017, may not be encrypted and has to be rewritten to enforce encryption. An attacker can make use of this fact to get access to sensitive data.

Goal Launch another attack

MITRE ATT&CK® TA0010

CVSS High (7.3)

IAM Access {}

Control Objectives | Priority | # of associated Controls (Directive | Preventative | Detective)

Enforce encryption-at-rest | High | 2 | - | -
- Maintain a list of blobs created before October 20, 2017 (ideally none).
- Rewrite every blob created before October 20, 2017. You can force encryption to occur immediately by downloading and re-uploading the blob.

Apply cloud adoption, strategy, and governance | High | 2 | 1 | -
- Maintain a list of authorized Azure Storage regions.
- Ensure the authorized Azure Storage region is set for authorized Storage Accounts.
- Ensure only authorized Azure Storage regions are set for authorized Storage Accounts (e.g., using Azure Policy in deny mode).

Privilege escalation by misconfiguration of NFS endpoint or by modifying current network settings

Threat Id Storage.T43

Name Privilege escalation by misconfiguration of NFS endpoint or by modifying current network settings

Description The only way to secure the NFS data in your account is by using a VNET and other network security settings. Any other tool used to secure data, including account key authorization, Azure Active Directory (AD) security, and Access Control Lists (ACLs), is not supported. An attacker can break the network rules and access the NFS files.

Goal Launch another attack

MITRE ATT&CK® TA0010

CVSS High (7.3)

IAM Access {}

Control Objectives | Priority | # of associated Controls (Directive | Preventative | Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks | Very High | 1 | - | -
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.

Enable monitoring & notifications for Storage Accounts | Very High | 2 | 1 | -
- Define a diagnostic settings design for Storage Accounts, including destination (tenant/subscription), categories (ideally all), and rotation. Resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace to use with Azure Monitor Logs, to Azure Event Hubs to forward outside of Azure, or to Azure Storage for archiving.
- Ensure diagnostic settings are configured properly to the architecture design.
- Ensure Storage Accounts have diagnostic settings configured according to the design.

Restrict access to the endpoints (where possible disable public endpoint) | High | 2 | - | -
- Maintain a list of authorized IPs and/or resource instance rules authorized to access each storage account.
- Block requests from unauthorized IPs, including trusted services, logging, and metrics read access (ref).

Connect via private endpoint | High | 2 | 1 | -
- Maintain a list of authorized VNETs for the blob, file shares, queues, tables, DFS, NFS, and SFTP access via a private endpoint.
- Ensure only authorized VNETs are configured for the blob, file shares, queues, tables, DFS, NFS, and SFTP.
- Prevent the use of unauthorized VNETs by the storage account (e.g., by using Azure Policy).

Protect primary data against loss | Medium | 1 | - | -
- Ensure corporate backup policies are implemented for the blob, file shares, queues, tables, and DFS, including regular testing.

Exfiltrate files via the static website feature

Threat Id Storage.T22

Name Exfiltrate files via the static website feature

Description A storage account can be configured as a static website server. An attacker can distribute malicious and infected files via a website hosted on a storage account or exfiltrate data via this method. Note that disallowing blob public access for a storage account does not affect any static websites hosted in that storage account. The $web container is always publicly accessible.

Goal Launch another attack

MITRE ATT&CK® TA0003

CVSS High (7.1)

IAM Access {
  "UNIQUE": "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
}

Control Objectives | Priority | # of associated Controls (Directive | Preventative | Detective)

Restrict access to the endpoints (where possible disable public endpoint) | High | 1 | - | -
- Maintain a list of authorized Storage Accounts that have the static website hosting option enabled; ideally, none.

Ensure no storage account allows public access to blobs | High | 1 | 1 | -
- Ensure only authorized Storage Accounts have the static website hosting option enabled.
- Prevent unauthorized Storage Accounts from having the static website hosting option enabled (e.g., using Azure Policy in deny mode).

Use StorageV2 accounts only | Low | 1 | - | -
- Azure classic Storage Accounts (Azure ASM resources) should not be in use. Azure Cloud Services (classic) will be retired on 31 August 2024. Classic Storage Accounts depend on Azure Cloud Services (classic). They will be retired on the same date. Before that date, you'll need to migrate them to Azure Resource Manager, which has new security features.

Data loss due to disabling the versioning

Threat Id Storage.T40

Name Data loss due to disabling the versioning

Description An attacker can first disable the versioning (especially by disabling soft deletion) to compromise the service. Disabling blob versioning does not delete existing blobs, versions, or snapshots. When you turn off blob versioning, any existing versions remain accessible in your storage account. No new versions are created.

Goal Launch another attack

MITRE ATT&CK® TA0004

CVSS Medium (6.2)

IAM Access {
  "UNIQUE": ["Microsoft.Storage/storageAccounts/write"]
}

Control Objectives | Priority | # of associated Controls (Directive | Preventative | Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks | Very High | 1 | - | -
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.

Use StorageV2 accounts only | Low | 1 | - | -
- Azure classic Storage Accounts (Azure ASM resources) should not be in use. Azure Cloud Services (classic) will be retired on 31 August 2024. Classic Storage Accounts depend on Azure Cloud Services (classic). They will be retired on the same date. Before that date, you'll need to migrate them to Azure Resource Manager, which has new security features.

Protect primary data against loss | Low | 2 | - | -
- Enable versioning on blobs holding primary data.
- Enable snapshots on Azure Files shares holding primary data.

Enable hierarchical namespace in storage account, only when required | Low | 2 | - | -
- Maintain a list of authorized Storage Accounts with the hierarchical namespace (DFS) option enabled.
- Ensure only authorized Storage Accounts with the hierarchical namespace (DFS) option enabled are configured.

Data loss due to disabling soft deletion

Threat Id Storage.T39

Name Data loss due to disabling soft deletion

Description An attacker can disable soft delete to compromise the service. If you disable blob soft delete, you can continue to access and recover soft-deleted objects in your storage account until the soft delete retention period has elapsed.

Goal Launch another attack

MITRE ATT&CK® TA0004

CVSS Medium (6.2)

IAM Access {
  "UNIQUE": ["Microsoft.Storage/storageAccounts/write", "Microsoft.Storage/storageAccounts/blobServices/write"]
}

Control Objectives | Priority | # of associated Controls (Directive | Preventative | Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks | Very High | 1 | - | -
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.

Enable soft-delete on containers, blobs, and file shares | Medium | 4 | 3 | -
- For each storage account (or type of data), define the minimum retention of container and blob from the deletion (e.g., 7 days).
- Ensure Storage Accounts have soft-delete for the container enabled.
- Prevent the creation of Storage Accounts without soft-delete for the container option (e.g., by using an Azure Policy in deny mode).
- Ensure Storage Accounts have soft-delete for the blob enabled.
- Prevent the creation of Storage Accounts without soft-delete for the blob option (e.g., by using an Azure Policy "Microsoft.storage/storageaccounts/deleteRetentionPolicy" in deny mode).
- Ensure Storage Accounts have soft-delete for the container enabled.
- Prevent the creation of Storage Accounts without soft-delete for the container option (e.g., by using an Azure Policy in deny mode).

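The "Ensure ..." control activities of Storage.T37 (anonymous blob access), Storage.T49 (blobs predating encryption), Storage.T40 (versioning) and Storage.T39 (soft delete) above are all checks on storage account properties, so they can be audited from one script. The following is an added example, not code from the TrustOnCloud document or from Microsoft: it takes the account, blob service and container resources in the shape of their ARM JSON (property names `allowBlobPublicAccess`, `publicAccess`, `deleteRetentionPolicy`, `containerDeleteRetentionPolicy`, `isVersioningEnabled` are the real ARM names), blob records using the `creation_time` / `server_encrypted` names of the Python SDK's BlobProperties, and returns the findings tagged with the threat they relate to. The account name, container names, blobs and the 7-day minimum retention are constructed for the example.

```python
"""Audit one Azure Storage account against the control objectives of
Storage.T37, Storage.T49, Storage.T40 and Storage.T39.

Added example: this is not TrustOnCloud's or Microsoft's code. The input
dicts follow the ARM property names of Microsoft.Storage/storageAccounts,
its blobServices/default child and its containers; the blob records use the
creation_time / server_encrypted names of the Python SDK's BlobProperties.
All sample values below are constructed for the example.
"""
from datetime import datetime, timezone

# Blobs created before this date may predate service-side encryption (Storage.T49).
ENCRYPTION_CUTOFF = datetime(2017, 10, 20, tzinfo=timezone.utc)


def audit_account(account, blob_service, containers, blobs,
                  authorized_public_accounts=frozenset(),
                  authorized_anonymous_containers=frozenset(),
                  min_retention_days=7):
    """Return a list of (threat id, finding) tuples for one storage account."""
    name = account["name"]
    props = account["properties"]
    findings = []

    # Storage.T37: account-level allowBlobPublicAccess must be off unless authorized.
    if props.get("allowBlobPublicAccess", True) and name not in authorized_public_accounts:
        findings.append(("Storage.T37", f"{name}: allowBlobPublicAccess is enabled "
                         "and the account is not on the authorized list"))

    # Storage.T37: a container access level of "Blob" or "Container" must be authorized.
    for c in containers:
        level = c.get("properties", {}).get("publicAccess", "None")
        if level != "None" and (name, c["name"]) not in authorized_anonymous_containers:
            findings.append(("Storage.T37", f"{name}/{c['name']}: anonymous access "
                             f"level '{level}' is not authorized"))

    # Storage.T49: blobs created before the cutoff that are not server-side encrypted.
    for b in blobs:
        created = datetime.fromisoformat(b["creation_time"])
        if created < ENCRYPTION_CUTOFF and not b.get("server_encrypted", False):
            findings.append(("Storage.T49", f"{name}/{b['container']}/{b['name']}: created "
                             f"{created.date()} and not encrypted; rewrite the blob"))

    # Storage.T39: blob and container soft delete enabled with the minimum retention.
    sp = blob_service["properties"]
    for key, label in (("deleteRetentionPolicy", "blob"),
                       ("containerDeleteRetentionPolicy", "container")):
        policy = sp.get(key, {})
        if not policy.get("enabled", False):
            findings.append(("Storage.T39", f"{name}: {label} soft delete is disabled"))
        elif policy.get("days", 0) < min_retention_days:
            findings.append(("Storage.T39", f"{name}: {label} soft delete retention of "
                             f"{policy['days']} days is below the minimum of {min_retention_days}"))

    # Storage.T40: versioning keeps prior versions of primary data.
    if not sp.get("isVersioningEnabled", False):
        findings.append(("Storage.T40", f"{name}: blob versioning is disabled"))

    return findings


# Constructed sample input resembling what the ARM and data-plane APIs return.
SAMPLE_ACCOUNT = {"name": "stexample001", "type": "Microsoft.Storage/storageAccounts",
                  "properties": {"allowBlobPublicAccess": True}}
SAMPLE_BLOB_SERVICE = {"properties": {
    "deleteRetentionPolicy": {"enabled": True, "days": 3},
    "containerDeleteRetentionPolicy": {"enabled": False},
    "isVersioningEnabled": False}}
SAMPLE_CONTAINERS = [{"name": "public-assets", "properties": {"publicAccess": "Blob"}},
                     {"name": "internal", "properties": {"publicAccess": "None"}}]
SAMPLE_BLOBS = [
    {"container": "internal", "name": "legacy.csv",
     "creation_time": "2016-05-01T00:00:00+00:00", "server_encrypted": False},
    {"container": "internal", "name": "recent.csv",
     "creation_time": "2022-01-10T00:00:00+00:00", "server_encrypted": True},
]


def run_sample():
    """Audit the constructed account; yields six findings (2x T37, T49, 2x T39, T40)."""
    return audit_account(SAMPLE_ACCOUNT, SAMPLE_BLOB_SERVICE, SAMPLE_CONTAINERS, SAMPLE_BLOBS)


if __name__ == "__main__":
    for threat_id, message in run_sample():
        print(threat_id, message)
```

The allow lists are the directive controls ("Maintain a list of authorized ...") expressed as data, so the same script documents what is authorized and reports what deviates; feeding it the output of the management API for every account in a subscription turns the "Ensure ..." activities into a repeatable test.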
Privilege escalation by modifying File System ACL

Threat Id Storage.T6

Name Privilege escalation by modifying File System ACL

Description Filesystem ACLs limit access to entities via the filesystem endpoint (DFS). An attacker can modify those ACLs to escalate their privileges.

Goal Launch another attack

MITRE ATT&CK® TA0004

CVSS Medium (6.2)

IAM Access {
  "OR": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
         "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action"]
}

Control Objectives | Priority | # of associated Controls (Directive | Preventative | Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks | Very High | 5 | - | -
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.
- Maintain a list of authorized Groups to use in permissions for Data Lake Storage Gen2.
- Maintain an architecture of Data Lake Storage Gen2 ACL vs. IAM based on requirements. Microsoft recommends using Azure Active Directory (Azure AD) to authorize requests against blob and queue data, if possible, instead of Shared Key. Azure AD provides superior security and ease of use over Shared Key.
- Integrate the access to directories and objects via ACL in the IAM Operating Model, without mixing the IAM, ACL, and tag-based access methods.
- Integrate the access to directories and objects using Azure attribute-based access control (Azure ABAC) in the IAM Operating Model.

Enable hierarchical namespace in storage account, only when required | Low | 2 | - | -
- Maintain a list of authorized Storage Accounts with the hierarchical namespace (DFS) option enabled.
- Ensure only authorized Storage Accounts with the hierarchical namespace (DFS) option enabled are configured.

Encrypt/overwrite files by ransomware in DFS/blob

Threat Id Storage.T9

Name Encrypt/overwrite files by ransomware in DFS/blob

Description An attacker can encrypt/overwrite files/objects in DFS or blobs using an encryption key under their control and request a ransom to access the decryption key.

Goal Direct Financial Gain

MITRE ATT&CK® TA0040

CVSS Medium (6.1)

IAM Access {
  "OR": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write", "directory:RWX;file:RWX"]
}

Control Objectives | Priority | # of associated Controls (Directive | Preventative | Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks | Very High | 7 | - | -
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.
- Maintain a list of authorized Groups to use in permissions for Data Lake Storage Gen2.
- Ensure only authorized Groups are used in ACLs for Data Lake Storage Gen2.
- Use a naming convention for Groups, adding the suffix R/RW and the entity to be used.
- Maintain an architecture of Data Lake Storage Gen2 ACL vs. IAM based on requirements. Microsoft recommends using Azure Active Directory (Azure AD) to authorize requests against blob and queue data, if possible, instead of Shared Key. Azure AD provides superior security and ease of use over Shared Key.
- Integrate the access to directories and objects via ACL in the IAM Operating Model, without mixing the IAM, ACL, and tag-based access methods.
- Integrate the access to directories and objects using Azure attribute-based access control (Azure ABAC) in the IAM Operating Model.

Enable monitoring & notifications for Storage Accounts | Very High | 3 | 1 | -
- Maintain a list of directories and blobs that do not need modification after uploading to DFS/blob.
- Define a diagnostic settings design for Storage Accounts, including destination (tenant/subscription), categories (ideally all), and rotation. Resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace to use with Azure Monitor Logs, to Azure Event Hubs to forward outside of Azure, or to Azure Storage for archiving.
- Ensure diagnostic settings are configured properly to the architecture design.
- Ensure Storage Accounts have diagnostic settings configured according to the design.

Identify and ensure the protection of all Storage Accounts hosting your data | Very High | 1 | - | -
- Use immutable blobs with proper policy.

Restrict access to the endpoints (where possible disable public endpoint) | High | 2 | - | -
- Maintain a list of authorized IPs and/or resource instance rules authorized to access each storage account.
- Block requests from unauthorized IPs, including trusted services, logging, and metrics read access (ref).

Govern the use of Shared Keys and SAS tokens | High | 2 | - | -
- Maintain a list of authorized IPs to use SAS tokens and their authorized time window.
- Ensure SAS tokens allow only authorized IPs, using the sourceIP field and enforcing HTTPS.

Connect via private endpoint | High | 2 | 1 | -
- Maintain a list of authorized VNETs for the blob, file shares, queues, tables, DFS, NFS, and SFTP access via a private endpoint.
- Ensure only authorized VNETs are configured for the blob, file shares, queues, tables, DFS, NFS, and SFTP.
- Prevent the use of unauthorized VNETs by the storage account (e.g., by using Azure Policy).

Protect primary data against loss | Medium | 1 | - | -
- Ensure corporate backup policies are implemented for the blob, file shares, queues, tables, and DFS, including regular testing.

Enable soft-delete on containers, blobs, and file shares | Medium | 5 | 4 | -
- For each storage account (or type of data), define the minimum retention of container and blob from the deletion (e.g., 7 days).
- Ensure Storage Accounts have soft-delete for the blob enabled for at least the defined minimum retention.
- Prevent the creation of Storage Accounts without soft-delete for the blob option (e.g., by using an Azure Policy in deny mode).
- Ensure Storage Accounts have soft-delete for the container enabled.
- Prevent the creation of Storage Accounts without soft-delete for the container option (e.g., by using an Azure Policy in deny mode).
- Ensure Storage Accounts have soft-delete for the blob enabled.
- Prevent the creation of Storage Accounts without soft-delete for the blob option (e.g., by using an Azure Policy "Microsoft.storage/storageaccounts/deleteRetentionPolicy" in deny mode).
- Ensure Storage Accounts have soft-delete for the container enabled.
- Prevent the creation of Storage Accounts without soft-delete for the container option (e.g., by using an Azure Policy in deny mode).

Restrict the use of Shared Key authorization | Very Low | - | 1 | -
- Block the usage of the storage account access key whenever possible.

Integrate ACLs in the IAM Operating Model to allow non-AD access to files and directories | Very Low | 1 | - | -
- Integrate the access to files and directories via ACL in the IAM Operating Model.

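Storage.T6 and Storage.T9 both lean on the same directive controls for Data Lake Storage Gen2: only authorized Groups in ACLs, a naming convention that states the access level, and ACL access integrated into the IAM Operating Model rather than handed out per user. The following added example (not code from TrustOnCloud or Microsoft) parses the ACL string the DFS endpoint returns, whose entries have the form `[default:]scope:[object id]:perms`, and reports entries that break those controls. The object IDs, the group display names (an Azure AD lookup in practice) and the reading of the naming convention as a `-R` / `-RW` suffix matching the granted permission are assumptions of the example.

```python
"""Review Data Lake Storage Gen2 (DFS endpoint) ACLs against the control
activities of Storage.T6 and Storage.T9: only authorized Groups in ACLs, a
naming convention that states the access level, and nothing granted to
"other". Added example, not code from TrustOnCloud or Microsoft. The ACL
string format is the one the DFS endpoint returns; the object IDs, group
names and the "-R"/"-RW" suffix reading of the naming convention are
assumptions of this example.
"""
import re
from dataclasses import dataclass

ACL_ENTRY = re.compile(r"^(default:)?(user|group|other|mask):([^:]*):([r-][w-][x-])$")


@dataclass(frozen=True)
class AclEntry:
    default: bool      # default entries are inherited by new children of a directory
    scope: str         # user, group, other or mask
    principal: str     # Azure AD object ID; empty for owner, owning group, other, mask
    perms: str         # rwx string, "-" for a bit that is not granted


def parse_acl(acl: str):
    """Parse a DFS ACL string into AclEntry values, rejecting malformed entries."""
    entries = []
    for raw in acl.split(","):
        m = ACL_ENTRY.match(raw.strip())
        if not m:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        entries.append(AclEntry(bool(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def review_acl(path, acl, authorized_groups, group_names):
    """Return findings for one path. authorized_groups: object IDs of Groups
    allowed in ACLs; group_names: object ID -> display name."""
    findings = []
    for e in parse_acl(acl):
        if e.scope == "other" and e.perms != "---":
            findings.append(f"{path}: 'other' holds {e.perms}; it applies to every principal not named in the ACL")
        elif e.scope == "user" and e.principal:
            findings.append(f"{path}: named user {e.principal} in ACL; grant through an authorized Group instead")
        elif e.scope == "group" and e.principal:
            name = group_names.get(e.principal, e.principal)
            if e.principal not in authorized_groups:
                findings.append(f"{path}: group {name} is not on the authorized Groups list")
            expected = "-RW" if "w" in e.perms else "-R"
            if not name.endswith(expected):
                findings.append(f"{path}: group {name} holds {e.perms} but its name does not end in {expected}")
    return findings


# Constructed sample: object IDs and names are placeholders.
GROUP_NAMES = {
    "11111111-1111-1111-1111-111111111111": "sales-data-R",
    "22222222-2222-2222-2222-222222222222": "sales-data-RW",
    "33333333-3333-3333-3333-333333333333": "temp-project",
}
AUTHORIZED_GROUPS = frozenset(GROUP_NAMES) - {"33333333-3333-3333-3333-333333333333"}
SAMPLE_ACL = ("user::rwx,group::r-x,other::r--,"
              "group:11111111-1111-1111-1111-111111111111:r-x,"
              "group:22222222-2222-2222-2222-222222222222:rwx,"
              "group:33333333-3333-3333-3333-333333333333:rwx,"
              "default:group:11111111-1111-1111-1111-111111111111:r-x")


def run_sample():
    """Three findings: 'other' has read, an unauthorized group, and a write grant to a non-RW group."""
    return review_acl("/sales/2023", SAMPLE_ACL, AUTHORIZED_GROUPS, GROUP_NAMES)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run over the ACLs of every top-level directory (and their default ACLs, which new children inherit), this gives the "Ensure only authorized Groups are used in ACLs" activity a concrete test, and the `default:` entries show whether a privilege change at one directory will propagate.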
Infect downstream processes with malware

Threat Id Storage.T12

Name Infect downstream processes with malware

Description An attacker can distribute malicious and infected files via an object used by downstream services or a reputed company URL. An attacker can upload malware instead of a valid file and infect internal services or external users.

Goal Launch another attack

MITRE ATT&CK® TA0003

CVSS Medium (5.4)

IAM Access {
  "UNIQUE": "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
}

Control Objectives | Priority | # of associated Controls (Directive | Preventative | Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks | Very High | 2 | - | -
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.
- Use Managed Identity as the method for accessing Azure Storage services.

Enable monitoring & notifications for Storage Accounts | Very High | 1 | - | -
- Maintain a list of directories and blobs that do not need modification after uploading to DFS/blob.

Restrict the use of Shared Key authorization | Very High | - | 1 | -
- Block the usage of the storage account access key whenever possible.

Restrict access to the endpoints (where possible disable public endpoint) | High | 2 | - | -
- Maintain a list of authorized IPs and/or resource instance rules authorized to access each storage account.
- Block requests from unauthorized IPs, including trusted services, logging, and metrics read access (ref).

Scan input/output objects for malware | High | - | 1 | -
- If the storage account is used as the input or the output of a process, scan the objects for malware (e.g., using VirusScan).

Govern the use of Shared Keys and SAS tokens | High | 2 | - | -
- Maintain a list of authorized IPs to use SAS tokens and their authorized time window.
- Ensure SAS tokens allow only authorized IPs, using the sourceIP field and enforcing HTTPS.

Connect via private endpoint | High | 2 | 1 | -
- Maintain a list of authorized VNETs for the blob, file shares, queues, tables, DFS, NFS, and SFTP access via a private endpoint.
- Ensure only authorized VNETs are configured for the blob, file shares, queues, tables, DFS, NFS, and SFTP.
- Prevent the use of unauthorized VNETs by the storage account (e.g., by using Azure Policy).

Identify and ensure the protection of all Storage Accounts hosting your data | Medium | 1 | - | -
- Use immutable blobs with proper policy.

Protect primary data against loss | Medium | 1 | - | -
- Ensure corporate backup policies are implemented for the blob, file shares, queues, tables, and DFS, including regular testing.

Enable soft-delete on containers, blobs, and file shares | Medium | 5 | - | -
- For each storage account (or type of data), define the minimum retention of container and blob from the deletion (e.g., 7 days).
- Ensure Storage Accounts have soft-delete for the blob enabled for at least the defined minimum retention.
- Ensure Storage Accounts have soft-delete for the container enabled.
- Ensure Storage Accounts have soft-delete for the blob enabled.
- Ensure Storage Accounts have soft-delete for the container enabled.

Unauthorized modification of data

Threat Id Storage.T8

Name Unauthorized modification of data

Description An attacker can modify data and thereby cause inconsistencies in independent subsystems. For example, a typical scenario for Data Lake Storage Gen2 is that data should not be modified after being uploaded to blob storage.

Goal Data manipulation

MITRE ATT&CK® TA0040

CVSS Medium (5.2)

IAM Access {
  "OR": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
         "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"]
}

Control Objectives | Priority | # of associated Controls (Directive | Preventative | Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks | Very High | 2 | - | -
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.
- Maintain a list of authorized Groups to use in permissions for Data Lake Storage Gen2.

Enable monitoring & notifications for Storage Accounts | Very High | 3 | 1 | -
- Maintain a list of directories and blobs that do not need modification after uploading to DFS/blob.
- Define a diagnostic settings design for Storage Accounts, including destination (tenant/subscription), categories (ideally all), and rotation. Resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace to use with Azure Monitor Logs, to Azure Event Hubs to forward outside of Azure, or to Azure Storage for archiving.
- Ensure diagnostic settings are configured properly to the architecture design.
- Ensure Storage Accounts have diagnostic settings configured according to the design.

Identify and ensure the protection of all Storage Accounts hosting your data | Very High | 1 | - | -
- Use immutable blobs with proper policy.

Distribute standard malicious files via storage account bypassing Defender for storage

Threat Id Storage.T36

Name Distribute standard malicious files via storage account bypassing Defender for storage

Description Microsoft Defender for storage uses hash reputation analysis to determine whether an uploaded file is suspicious. An attacker can use the put block and put block list methods, where the telemetry doesn't contain a hash value. As a result, some operations can't be monitored for known malware uploads, and malware can be distributed that way.

Goal Launch another attack

MITRE ATT&CK® TA0003

CVSS Medium (4.9)

IAM Access {
  "UNIQUE": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"]
}

Control Objectives | Priority | # of associated Controls (Directive | Preventative | Detective)

Monitor Storage Accounts with Azure Defender for Storage and Microsoft Purview | Medium | 1 | - | -
- Periodically scan files with third-party virus scanners that don't only rely on hashes.

Use StorageV2 accounts only | Low | 1 | - | -
- Azure classic Storage Accounts (Azure ASM resources) should not be in use. Azure Cloud Services (classic) will be retired on 31 August 2024. Classic Storage Accounts depend on Azure Cloud Services (classic). They will be retired on the same date. Before that date, you'll need to migrate them to Azure Resource Manager, which has new security features.

Recursively delete DFS directories and their content

Threat Id Storage.T7

Name Recursively delete DFS directories and their content

Description DFS has a hierarchical architecture. An attacker can delete multiple directories and files recursively to make them unavailable.

Goal Disruption of Service

MITRE ATT&CK® TA0040

CVSS Medium (4.5)

IAM Access {
  "OR": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
         "Microsoft.Storage/storageAccounts/blobServices/containers/delete"]
}

Control Objectives | Priority | # of associated Controls (Directive | Preventative | Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks | Very High | 7 | - | -
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.
- Maintain a list of authorized Groups to use in permissions for Data Lake Storage Gen2.
- Ensure only authorized Groups are used in ACLs for Data Lake Storage Gen2.
- Use a naming convention for Groups, adding the suffix R/RW and the entity to be used.
- Maintain an architecture of Data Lake Storage Gen2 ACL vs. IAM based on requirements. Microsoft recommends using Azure Active Directory (Azure AD) to authorize requests against blob and queue data, if possible, instead of Shared Key. Azure AD provides superior security and ease of use over Shared Key.
- Integrate the access to directories and objects via ACL in the IAM Operating Model, without mixing the IAM, ACL, and tag-based access methods.
- Integrate the access to directories and objects using Azure attribute-based access control (Azure ABAC) in the IAM Operating Model.

Enable monitoring & notifications for Storage Accounts | Very High | 3 | 1 | -
- Maintain a list of directories and blobs that do not need modification after uploading to DFS/blob.
- Define a diagnostic settings design for Storage Accounts, including destination (tenant/subscription), categories (ideally all), and rotation. Resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace to use with Azure Monitor Logs, to Azure Event Hubs to forward outside of Azure, or to Azure Storage for archiving.
- Ensure diagnostic settings are configured properly to the architecture design.
- Ensure Storage Accounts have diagnostic settings configured according to the design.

Integrate ACLs in the IAM Operating Model to allow non-AD access to files and directories | Very High | 1 | - | -
- Integrate the access to files and directories via ACL in the IAM Operating Model.

Protect primary data against loss | Medium | 4 | - | -
- Enable versioning on blobs holding primary data.
- Enable snapshots on Azure Files shares holding primary data.
- Back up primary data in a location which has a different security authority (ref 1, ref 2).
- Ensure corporate backup policies are implemented for the blob, file shares, queues, tables, and DFS, including regular testing.

Enable soft-delete on containers, blobs, and file shares | Medium | 5 | - | -
- For each storage account (or type of data), define the minimum retention of container and blob from the deletion (e.g., 7 days).
- Ensure Storage Accounts have soft-delete for the blob enabled for at least the defined minimum retention.
- Ensure Storage Accounts have soft-delete for the container enabled.
- Ensure Storage Accounts have soft-delete for the blob enabled.
- Ensure Storage Accounts have soft-delete for the container enabled.

Enable hierarchical namespace in storage account, only when required | Low | 2 | - | -
- Maintain a list of authorized Storage Accounts with the hierarchical namespace (DFS) option enabled.
- Ensure only authorized Storage Accounts with the hierarchical namespace (DFS) option enabled are configured.

Bypassing of soft delete by moving blob to archive tier

Threat Id Storage.T54

Name Bypassing of soft delete by moving blob to archive tier

Description Blob soft delete does not provide overwrite protection for blobs in the archive tier. If a blob in the archive tier is deleted and overwritten with a new blob in any tier, then the overwritten blob is permanently deleted. An attacker can move the data to the archive tier and overwrite the data.

Goal Disruption of Service

MITRE ATT&CK® TA0040

CVSS Medium (4.5)

IAM Access {
  "OR": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
         "Microsoft.Storage/storageAccounts/blobServices/containers/write"]
}

Control Objectives | Priority | # of associated Controls (Directive | Preventative | Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks | Very High | 1 | - | -
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.

Identify and ensure the protection of all Storage Accounts hosting your data | Medium | 1 | - | -
- Define an ACL or IAM authentication for every storage account. Ideally, use Azure AD only and multiple Storage Accounts if fine-grained access is required.

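The "Enable monitoring & notifications" objective that recurs above only pays off once the diagnostic logs are queried for the patterns the threats leave behind. The following added example (not part of the TrustOnCloud document or of Microsoft's tooling) shows three such detections over blob resource logs: Storage.T37 (a burst of anonymous `GetBlob` requests answered with 404 from one address, the trace of guessing blob names in a container with anonymous read), Storage.T7 (one principal deleting many blobs in a short window) and Storage.T54 (a `SetBlobTier` on an object followed by a `PutBlob` overwrite of the same object, which soft delete does not protect once the blob sits in the archive tier). The records are constructed dicts that use the StorageBlobLogs column names the checks rely on (`TimeGenerated`, `OperationName`, `StatusCode`, `CallerIpAddress`, `AuthenticationType`, `ObjectKey`, `RequesterObjectId`); the thresholds, windows, addresses and object IDs are assumptions of the example.

```python
"""Detections over Azure Storage resource logs for Storage.T37 (anonymous
brute-force enumeration), Storage.T7 (mass deletion) and Storage.T54
(tier change followed by overwrite). Added example: not part of the
TrustOnCloud document or of Microsoft's tooling. Records are constructed
dicts carrying the StorageBlobLogs column names the checks use; thresholds
and windows are assumptions to tune per environment. In production the same
logic runs as a Log Analytics query over the diagnostic-setting destination.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(rec):
    return datetime.fromisoformat(rec["TimeGenerated"])


def _burst(records, key, window, threshold):
    """Map key -> largest number of events inside one sliding window of the given
    length, keeping only keys that reach the threshold."""
    times = defaultdict(list)
    for r in sorted(records, key=_ts):
        times[key(r)].append(_ts(r))
    hits = {}
    for k, ts in times.items():
        best, start = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[k] = best
    return hits


def detect_anonymous_enumeration(records, window=timedelta(minutes=5), threshold=20):
    """Storage.T37: one IP issuing many anonymous GetBlob requests that return 404."""
    misses = [r for r in records if r["AuthenticationType"] == "Anonymous"
              and r["OperationName"] == "GetBlob" and r["StatusCode"] == 404]
    return _burst(misses, lambda r: r["CallerIpAddress"], window, threshold)


def detect_mass_delete(records, window=timedelta(minutes=10), threshold=50):
    """Storage.T7: one principal (object ID, else source IP) deleting many blobs quickly."""
    deletes = [r for r in records if r["OperationName"] == "DeleteBlob" and r["StatusCode"] < 300]
    return _burst(deletes, lambda r: r.get("RequesterObjectId") or r["CallerIpAddress"],
                  window, threshold)


def detect_tier_change_then_overwrite(records, window=timedelta(hours=24)):
    """Storage.T54: a successful SetBlobTier on an object followed, within the window,
    by a successful PutBlob of the same object. Returns the affected object keys."""
    last_tier_change, hits = {}, []
    for r in sorted(records, key=_ts):
        if r["StatusCode"] >= 300:
            continue
        key = r["ObjectKey"]
        if r["OperationName"] == "SetBlobTier":
            last_tier_change[key] = _ts(r)
        elif (r["OperationName"] == "PutBlob" and key in last_tier_change
              and _ts(r) - last_tier_change[key] <= window):
            hits.append(key)
    return hits


def _rec(t, op, status, ip, auth="OAuth", key="/stexample001/internal/x", oid=""):
    return {"TimeGenerated": t.isoformat(), "OperationName": op, "StatusCode": status,
            "CallerIpAddress": ip, "AuthenticationType": auth, "ObjectKey": key,
            "RequesterObjectId": oid}


def build_sample_logs():
    """Constructed log records (RFC 5737 test addresses, placeholder object IDs)."""
    base = datetime(2023, 3, 1, 12, 0, 0)
    # 25 anonymous misses from one address inside two minutes.
    logs = [_rec(base + timedelta(seconds=5 * i), "GetBlob", 404, "203.0.113.10",
                 auth="Anonymous", key=f"/stexample001/public-assets/guess{i}") for i in range(25)]
    # 60 successful deletes by one principal inside three minutes.
    logs += [_rec(base + timedelta(seconds=3 * i), "DeleteBlob", 202, "198.51.100.7",
                  key=f"/stexample001/datalake/part{i}",
                  oid="aaaaaaaa-0000-0000-0000-000000000001") for i in range(60)]
    # A tier change followed an hour later by an overwrite of the same object.
    ledger = "/stexample001/internal/ledger.csv"
    actor = "bbbbbbbb-0000-0000-0000-000000000002"
    logs.append(_rec(base, "SetBlobTier", 200, "198.51.100.8", key=ledger, oid=actor))
    logs.append(_rec(base + timedelta(hours=1), "PutBlob", 201, "198.51.100.8", key=ledger, oid=actor))
    # Ordinary authenticated read that none of the detections should flag.
    logs.append(_rec(base + timedelta(minutes=2), "GetBlob", 200, "192.0.2.5",
                     key="/stexample001/internal/report.pdf"))
    return logs


if __name__ == "__main__":
    sample = build_sample_logs()
    print("T37", detect_anonymous_enumeration(sample))
    print("T7", detect_mass_delete(sample))
    print("T54", detect_tier_change_then_overwrite(sample))
```

The T37 detection keys on failed anonymous reads rather than successful ones because a successful anonymous read of an authorized public blob is normal; the enumeration signal is the volume of misses. The T7 detection keys on `RequesterObjectId` first so that a principal rotating source addresses is still counted as one actor.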
DoS on wallet by executing Azure Data Lake Storage query acceleration

Threat Id Storage.T34

Name DoS on wallet by executing Azure Data Lake Storage query acceleration

Description Query acceleration is used for data processing applications and can be executed on a storage account. Due to the increased compute load within the Azure Data Lake Storage service, the pricing model for using query acceleration differs from the normal Azure Data Lake Storage transaction model. An attacker can execute the queries and generate costs.

Goal Direct Financial Gain

MITRE ATT&CK® TA0040

CVSS Low (3.5)

IAM Access {
  "UNIQUE": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]
}

Control Objectives | Priority | # of associated Controls (Directive | Preventative | Detective)

Limit the IAM entities allowed to execute the IAM actions required to perform attacks | Very High | 5 | - | -
- Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.
- Maintain a list of authorized Groups to use in permissions for Data Lake Storage Gen2.
- Ensure only authorized Groups are used in ACLs for Data Lake Storage Gen2.
- Use a naming convention for Groups, adding the suffix R/RW and the entity to be used.
- Maintain an architecture of Data Lake Storage Gen2 ACL vs. IAM based on requirements. Microsoft recommends using Azure Active Directory (Azure AD) to authorize requests against blob and queue data, if possible, instead of Shared Key. Azure AD provides superior security and ease of use over Shared Key.

Identify and ensure the protection of all Storage Accounts hosting your data | Medium | 1 | - | -
- Define an ACL or IAM authentication for every storage account. Ideally, use Azure AD only and multiple Storage Accounts if fine-grained access is required.

Object replication (subclass of Blob storage, containers, Data Lake Storage Gen2, FC9)

Object replication asynchronously copies block blobs between a source storage account and a destination account. When you configure object replication, you create a replication policy that specifies the source storage account and the destination account.

Actions and IAM Permissions to deny the feature:
- Action: Create or update object replication policy
  IAM Permission: Microsoft.Storage/storageAccounts/objectReplicationPolicies/write

Data Flow Diagram (DFD)

Threat List (Name: CVSS):
- Unauthorized access to data via storage account replication: Medium (4.9)
- Affect data by removing replication: Medium (4.5)
Unauthorized access to data via storage account replication

Threat Id: Storage.T13
Name: Unauthorized access to data via storage account replication
Description: Object replication copies objects and their metadata between storage accounts. It is currently not available for accounts with the hierarchical namespace (DFS) enabled, but that may become an additional attack vector in the future. An attacker can configure replication on a storage account to copy objects (or their metadata or tags) out of it, for example to a publicly accessible destination storage account. Additionally, replication to an unauthorized region may cause regulatory or compliance issues.
Goal: Data theft
MITRE ATT&CK®: TA0010 (Exfiltration)
CVSS: Medium (4.9)
IAM Access:
{
  "UNIQUE": "Microsoft.Storage/storageAccounts/write"
}

Control Objectives (priority; number of associated controls as Directive / Preventative / Detective):

- Enable monitoring & notifications for Storage Accounts (Very High; 2 / 1 / -)
  - Define a diagnostic settings design for Storage Accounts, including destination (tenant/subscription), categories (ideally all), and rotation. Resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace (for Azure Monitor Logs), to Azure Event Hubs (to forward outside of Azure), or to Azure Storage (for archiving).
  - Ensure diagnostic settings are configured properly according to the architecture design.
  - Ensure Storage Accounts have diagnostic settings configured according to the design.
- Apply cloud adoption, strategy, and governance (High; 2 / 1 / -)
  - Maintain a list of authorized Azure Storage regions.
  - Ensure the authorized Azure Storage region is set for authorized Storage Accounts.
  - Ensure only authorized Azure Storage regions are set for authorized Storage Accounts (e.g., using Azure Policy in deny mode).
- Protect primary data against loss (Medium; 2 / - / -)
  - Maintain a list of objects with cross-tenant replication enabled, or with replication to any Storage Account (no private endpoint restriction) enabled.
  - Ensure cross-tenant replication, or replication to any Storage Account, is allowed only for specific Storage Accounts.
Affect data by removing replication

Threat Id: Storage.T42
Name: Affect data by removing replication
Description: Replication is a level of integrity protection and backup. An attacker can remove replication to weaken data protection before manipulating or destroying the data.
Goal: Data manipulation
MITRE ATT&CK®: TA0040 (Impact)
CVSS: Medium (4.5)
IAM Access:
{
  "UNIQUE": "Microsoft.Storage/storageAccounts/write"
}

Control Objectives (priority; number of associated controls as Directive / Preventative / Detective):

- Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Very High; 1 / - / -)
  - Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.
- Enable monitoring & notifications for Storage Accounts (Very High; 2 / 1 / -)
  - Define a diagnostic settings design for Storage Accounts, including destination (tenant/subscription), categories (ideally all), and rotation. Resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace (for Azure Monitor Logs), to Azure Event Hubs (to forward outside of Azure), or to Azure Storage (for archiving).
  - Ensure diagnostic settings are configured properly according to the architecture design.
  - Ensure Storage Accounts have diagnostic settings configured according to the design.
- Protect primary data against loss (Medium; 2 / - / -)
  - Maintain a list of objects with cross-tenant replication enabled, or with replication to any Storage Account (no private endpoint restriction) enabled.
  - Ensure cross-tenant replication, or replication to any Storage Account, is allowed only for specific Storage Accounts.
Blob inventory (subclass of Blob storage, containers, Data Lake Storage Gen2, FC10)

The Azure Storage blob inventory feature provides an overview of your containers, blobs, snapshots, and blob versions within a storage account. Use the inventory report to understand various attributes of blobs and containers such as your total data size, age, encryption status, immutability policy, or legal hold.

Actions and IAM Permissions to deny the feature:
- Action: Inventory policies write
  IAM Permission: Microsoft.Storage/storageAccounts/inventoryPolicies/write

Data Flow Diagram (DFD)

Threat List (Name: CVSS):
- Exfiltrate data using blob inventory functionality: Medium (4.5)
Exfiltrate data using blob inventory functionality

Threat Id: Storage.T24
Name: Exfiltrate data using blob inventory functionality
Description: An attacker can create or modify a blob inventory policy and read its reports, gain knowledge about the containers, blobs and services in use, and exfiltrate that metadata.
Goal: Data theft
MITRE ATT&CK®: TA0010 (Exfiltration)
CVSS: Medium (4.5)
IAM Access:
{
  "OR": [
    "Microsoft.Storage/storageAccounts/inventoryPolicies/read",
    "Microsoft.Storage/storageAccounts/inventoryPolicies/write",
    "Microsoft.Storage/storageAccounts/inventoryPolicies/delete"
  ]
}

Control Objectives (priority; number of associated controls as Directive / Preventative / Detective):

- Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Very High; 1 / - / -)
  - Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.
Blob lifecycle (subclass of Blob storage, containers, Data Lake Storage Gen2, FC6)

Azure Blob Storage lifecycle management offers a rich, rule-based policy which you can use to transition your data to the best access tier and to expire data at the end of its lifecycle.

Actions and IAM Permissions to deny the feature:
- Action: Put storage account management policies
  IAM Permission: Microsoft.Storage/storageAccounts/managementPolicies/write

Data Flow Diagram (DFD)

Threat List (Name: CVSS):
- Delete data using Blob Storage lifecycle management: Medium (5.2)
Delete data using Blob Storage lifecycle management

Threat Id: Storage.T25
Name: Delete data using Blob Storage lifecycle management
Description: An attacker can create or modify a Blob Storage lifecycle management policy to delete data, or to move it to a cooler tier and so impact data access latency.
Goal: Data manipulation
MITRE ATT&CK®: TA0040 (Impact)
CVSS: Medium (5.2)
IAM Access:
{
  "UNIQUE": "Microsoft.Storage/storageAccounts/managementPolicies/write"
}

Control Objectives (priority; number of associated controls as Directive / Preventative / Detective):

- Limit the IAM entities allowed to execute the IAM actions required to perform attacks (Very High; 1 / - / -)
  - Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.
- Enable soft-delete on containers, blobs, and file shares (Medium; 2 / 2 / -)
  - Ensure Storage Accounts have soft-delete for the blob enabled.
  - Prevent the creation of Storage Accounts without the blob soft-delete option (e.g., by using an Azure Policy on "Microsoft.storage/storageaccounts/deleteRetentionPolicy" in deny mode).
  - Ensure Storage Accounts have soft-delete for the container enabled.
  - Prevent the creation of Storage Accounts without the container soft-delete option (e.g., by using an Azure Policy in deny mode).
Blob storage SSH File Transfer Protocol (SFTP) (subclass of Blob storage, containers, Data Lake Storage Gen2, FC11)

Blob storage supports the SSH File Transfer Protocol (SFTP). This support lets you securely connect to blob storage via an SFTP endpoint, allowing you to use SFTP for file access, file transfer, and file management.

Actions and IAM Permissions to deny the feature:
- Action: Create or update local user
  IAM Permission: Microsoft.Storage/storageAccounts/localusers/write

Data Flow Diagram (DFD)

Threat List (Name: CVSS):
- Access to data using stolen SFTP local user credentials: High (8.1)
Access to data using stolen SFTP local user credentials

Threat Id: Storage.T44
Name: Access to data using stolen SFTP local user credentials
Description: An attacker can exfiltrate or manipulate data using stolen SFTP local user credentials (a password or an SSH private key). Local users are a separate identity store from Azure AD, so Azure AD conditional access and RBAC do not apply to them.
Goal: Data theft
MITRE ATT&CK®: TA0010 (Exfiltration)
CVSS: High (8.1)
IAM Access:
{
  "UNIQUE": ["Microsoft.Storage/storageAccounts/localusers/write"]
}

Control Objectives (priority; number of associated controls as Directive / Preventative / Detective):

- Restrict the use of Azure Blob Storage SFTP (Low; 2 / 1 / -)
  - Maintain a list of authorized Azure Storage SFTP options, with their authentication methods and permission models.
  - Ensure the authorized Azure Storage SFTP options, authentication methods and permission models are set for authorized Storage Accounts.
  - Ensure only authorized Azure Storage SFTP options, authentication methods and permission models are set for authorized Storage Accounts (e.g., using Azure Policy in deny mode).
- Manage Azure Storage local users (Very Low; 2 / - / -)
  - Integrate SSH access into the IAM Operating Model, including monitoring of local SSH user creation.
  - Use SSH key pairs (private key credentials) as the preferred authentication method, rather than passwords.
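Each of the four feature sections above names the single control-plane write operation that enables the feature (object replication policies, inventory policies, management policies, SFTP local users), which makes those operations a natural detection point in the Azure Activity Log. The following Python is an added example, not part of the TrustOnCloud threat model: it runs the detection over constructed activity-log records shaped like exported Activity Log entries (operationName.value, status.value, caller, resourceId, eventTimestamp). The subscription id, callers and account name are placeholders, and the allow-list of callers is an assumption; the document only says the actions should be limited to authorized IAM entities.

```python
"""Flag Activity Log entries that enable object replication, blob inventory,
lifecycle management or SFTP local users on a storage account.

Added example, not part of the TrustOnCloud threat model. Sample events are
constructed; ALLOWED_CALLERS is an assumption standing in for the list of
authorized IAM principals the document asks you to maintain.
"""

# operationName.value (lower-cased) -> (feature class from this document, threats it enables)
FEATURE_WRITE_OPERATIONS = {
    "microsoft.storage/storageaccounts/objectreplicationpolicies/write":
        ("Object replication (Storage.FC9)", ["Storage.T13", "Storage.T42"]),
    "microsoft.storage/storageaccounts/inventorypolicies/write":
        ("Blob inventory (Storage.FC10)", ["Storage.T24"]),
    "microsoft.storage/storageaccounts/managementpolicies/write":
        ("Blob lifecycle (Storage.FC6)", ["Storage.T25"]),
    "microsoft.storage/storageaccounts/localusers/write":
        ("Blob storage SFTP (Storage.FC11)", ["Storage.T44"]),
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"
ACCOUNT = SUB + "/providers/Microsoft.Storage/storageAccounts/stprimary001"

# Constructed sample events. A real operation writes a "Started" record followed by
# "Succeeded" or "Failed"; only the "Succeeded" record is evidence of a change.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-03-01T09:00:00Z", "caller": "sp-deploy-pipeline",
     "operationName": {"value": "Microsoft.Storage/storageAccounts/objectReplicationPolicies/write"},
     "status": {"value": "Succeeded"}, "resourceId": ACCOUNT + "/objectReplicationPolicies/default"},
    {"eventTimestamp": "2024-03-01T09:05:00Z", "caller": "mallory@contoso.example",
     "operationName": {"value": "Microsoft.Storage/storageAccounts/objectReplicationPolicies/write"},
     "status": {"value": "Started"}, "resourceId": ACCOUNT + "/objectReplicationPolicies/default"},
    {"eventTimestamp": "2024-03-01T09:05:02Z", "caller": "mallory@contoso.example",
     "operationName": {"value": "Microsoft.Storage/storageAccounts/objectReplicationPolicies/write"},
     "status": {"value": "Succeeded"}, "resourceId": ACCOUNT + "/objectReplicationPolicies/default"},
    {"eventTimestamp": "2024-03-01T09:10:00Z", "caller": "mallory@contoso.example",
     "operationName": {"value": "Microsoft.Storage/storageAccounts/inventoryPolicies/write"},
     "status": {"value": "Succeeded"}, "resourceId": ACCOUNT + "/inventoryPolicies/default"},
    {"eventTimestamp": "2024-03-01T09:12:00Z", "caller": "mallory@contoso.example",
     "operationName": {"value": "Microsoft.Storage/storageAccounts/localusers/write"},
     "status": {"value": "Failed"}, "resourceId": ACCOUNT + "/localusers/backdoor"},
    {"eventTimestamp": "2024-03-01T09:15:00Z", "caller": "mallory@contoso.example",
     "operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"},
     "status": {"value": "Succeeded"}, "resourceId": ACCOUNT},
]

ALLOWED_CALLERS = {"sp-deploy-pipeline"}  # assumption: the only principal meant to change these


def storage_account_of(resource_id):
    """Return the storage account resource id (everything up to the account name segment)."""
    marker = "/providers/Microsoft.Storage/storageAccounts/"
    if marker not in resource_id:
        return resource_id
    head, _, tail = resource_id.partition(marker)
    return head + marker + tail.split("/", 1)[0]


def detect_feature_enablement(events, allowed_callers=ALLOWED_CALLERS):
    """Return one finding per successful feature-enabling write by a non-allowed caller."""
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTimestamp"]):
        op = ev["operationName"]["value"].lower()
        if op not in FEATURE_WRITE_OPERATIONS:
            continue
        if ev["status"]["value"] != "Succeeded":
            continue  # "Started" and "Failed" records are not evidence of a change
        if ev["caller"] in allowed_callers:
            continue
        feature, threats = FEATURE_WRITE_OPERATIONS[op]
        findings.append({
            "time": ev["eventTimestamp"],
            "caller": ev["caller"],
            "feature": feature,
            "threats": threats,
            "account": storage_account_of(ev["resourceId"]),
            "target": ev["resourceId"].rsplit("/", 1)[-1],
        })
    return findings


if __name__ == "__main__":
    for f in detect_feature_enablement(SAMPLE_EVENTS):
        print(f"{f['time']} {f['caller']} enabled {f['feature']} on {f['account']} "
              f"({f['target']}); threats {', '.join(f['threats'])}")
```

Run as-is it reports the two successful writes by the non-allowed caller (replication policy and inventory policy) and ignores the Started/Failed records and the listKeys call. The same lookup table can be fed from the AzureActivity table in Log Analytics, where the equivalent fields are OperationNameValue, ActivityStatusValue, Caller and ResourceId.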
Control Implementation

Each control below is listed with its Type (COSO / NIST CSF), the Control, the Testing procedure, the implementation Effort, the Feature Class(es) it covers, the Threat(s) it addresses with their CVSS-weighted Impact, and the resulting Priority.

Limit the IAM entities allowed to execute the IAM actions required to perform attacks [Storage.CO1]

[Storage.C1]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.
Testing: Request the list of authorized IAM principals with the permissions required to launch attacks, its review process, and its review records.
Effort: Medium
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC4, Storage.FC6, Storage.FC7, Storage.FC8, Storage.FC9, Storage.FC10
Threat(s) and CVSS-weighted Impact: Storage.T1 (Medium), Storage.T2 (Medium), Storage.T4 (Medium), Storage.T5 (Medium), Storage.T6 (Medium), Storage.T7 (Medium), Storage.T8 (Medium), Storage.T9 (Medium), Storage.T12 (Medium), Storage.T23 (High), Storage.T24 (Medium), Storage.T25 (Medium), Storage.T31 (Low), Storage.T32 (Low), Storage.T33 (Medium), Storage.T34 (Medium), Storage.T37 (Medium), Storage.T38 (Medium), Storage.T39 (Medium), Storage.T40 (Medium), Storage.T41 (Medium), Storage.T42 (Medium), Storage.T43 (Very Low), Storage.T47 (Medium), Storage.T51 (Very Low), Storage.T53 (Medium), Storage.T54 (Medium), Storage.T57 (Low)
Priority: Very High

[Storage.C25]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Limit access to delete Storage Accounts, via Azure Policy and IAM. Never delete a sensitive storage account (instead, delete all of its data), so that the storage account FQDN cannot be re-registered and used as the source of an attack.
Testing: Try to delete a storage account; it should be denied.
Effort: Medium
Feature Class(es): Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T5 (Very High)
Priority: Very High

[Storage.C29]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized Groups to use in permissions for Data Lake Storage Gen2.
Testing: Request the list of authorized Groups, its review process, and its review records.
Effort: Very Low
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T6 (Very Low), Storage.T7 (Very Low), Storage.T8 (Very Low), Storage.T9 (Very Low), Storage.T15 (Very Low), Storage.T34 (Very Low), Storage.T47 (Very Low)
Priority: Very High

[Storage.C30, depends on Storage.C29]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Ensure only authorized Groups are used in ACLs for Data Lake Storage Gen2.
Testing: Review ACLs for usage of individual users or service principals instead of Groups.
Effort: Low
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T7 (High), Storage.T9 (Very Low), Storage.T15 (Low), Storage.T34 (Very Low), Storage.T47 (Very Low)
Priority: High

[Storage.C31, depends on Storage.C29]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Use a naming convention for Groups, adding a suffix (R/RW) and the entity to be used.
Testing: Review the Group naming convention.
Effort: Medium
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T7 (High), Storage.T9 (Very Low), Storage.T15 (Low), Storage.T34 (Very Low), Storage.T47 (Very Low)
Priority: Medium

[Storage.C34]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain an architecture of Data Lake Storage Gen2 ACL vs. IAM based on requirements. Microsoft recommends using Azure Active Directory (Azure AD) to authorize requests against blob and queue data, if possible, instead of Shared Key. Azure AD provides superior security and ease of use over Shared Key.
Testing: Check documentation.
Effort: Medium
Feature Class(es): Storage.FC2, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T6 (Very Low), Storage.T7 (Very Low), Storage.T9 (Very Low), Storage.T15 (Very Low), Storage.T33 (Very Low), Storage.T34 (Very Low)
Priority: Very High

[Storage.C35, depends on Storage.C34]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Integrate the access to directories and objects via ACL in the IAM Operating Model, not mixing the IAM, ACL and tag-based access methods.
Testing: Request the IAM Operating Model for the directories and objects.
Effort: Low
Feature Class(es): Storage.FC2, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T6 (Very Low), Storage.T7 (High), Storage.T9 (High), Storage.T15 (Very Low), Storage.T33 (Low)
Priority: Very High

[Storage.C36, depends on Storage.C35]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Integrate the access to directories and objects using Azure attribute-based access control (Azure ABAC) in the IAM Operating Model.
Testing: Request the IAM Operating Model for the directories and objects.
Effort: Low
Feature Class(es): Storage.FC2, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T6 (Very Low), Storage.T7 (High), Storage.T9 (High), Storage.T15 (Very Low), Storage.T33 (Low)
Priority: High

[Storage.C47]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Use Managed Identity as the method for accessing Azure Storage services.
Testing: Check that the consuming services are not using SAS tokens or other secret-based methods to authenticate.
Effort: Medium
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T1 (Very Low), Storage.T2 (Very Low), Storage.T3 (Very Low), Storage.T12 (High), Storage.T47 (Medium), Storage.T55 (Medium)
Priority: Medium

[Storage.C87]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify only the authorized authorization method is set for authorized blobs, file shares, queues, tables, and DFS (e.g., using Azure Policy in audit mode).
Testing: Configure a blob, file share, queue, table, or DFS with an unauthorized authorization method; it should be detected.
Effort: High
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC5, Storage.FC7
Threat(s) and CVSS-weighted Impact: -
Priority: Very High
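Control Storage.C1 asks for the list of principals holding the IAM actions a threat needs, and the threat cards express those needs as "OR" (any listed action suffices) and "UNIQUE" (the listed action is required) blocks. The following Python is an added example, not part of the TrustOnCloud threat model, showing how to evaluate those expressions against Azure RBAC role definitions with Azure's '*' wildcard matching and NotActions/NotDataActions subtraction. The role definitions are constructed to resemble built-in roles (check the real ones with `az role definition list`), the split between Actions and DataActions is inferred from the operation path, and a "UNIQUE" list is read as "every listed action is required"; all three are assumptions of this example.

```python
"""Evaluate threat "IAM Access" expressions against Azure RBAC role definitions.

Added example, not part of the TrustOnCloud threat model. Role definitions are
constructed to resemble built-in roles. Assumptions: '*' is the only wildcard in
permission strings, NotActions/NotDataActions subtract from Actions/DataActions,
and a data-plane action is recognised by its '/containers/blobs/' path segment.
"""
import re

# Constructed role definitions (same field names as `az role definition list` output).
ROLES = {
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
        "dataActions": [], "notDataActions": [],
    },
    "Reader": {"actions": ["*/read"], "notActions": [], "dataActions": [], "notDataActions": []},
    "Storage Blob Data Reader": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read",
                    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"],
        "notActions": [],
        "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
        "notDataActions": [],
    },
    "Storage Blob Data Contributor": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/delete",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
                    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"],
        "notActions": [],
        "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
                        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"],
        "notDataActions": [],
    },
}

# IAM Access expressions copied from the threat cards in this document.
THREATS = {
    "Storage.T54": {"OR": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
                           "Microsoft.Storage/storageAccounts/blobServices/containers/write"]},
    "Storage.T34": {"UNIQUE": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]},
    "Storage.T13": {"UNIQUE": "Microsoft.Storage/storageAccounts/write"},
    "Storage.T24": {"OR": ["Microsoft.Storage/storageAccounts/inventoryPolicies/read",
                           "Microsoft.Storage/storageAccounts/inventoryPolicies/write",
                           "Microsoft.Storage/storageAccounts/inventoryPolicies/delete"]},
    "Storage.T25": {"UNIQUE": "Microsoft.Storage/storageAccounts/managementPolicies/write"},
    "Storage.T44": {"UNIQUE": ["Microsoft.Storage/storageAccounts/localusers/write"]},
}


def _pattern_matches(pattern, operation):
    """Azure RBAC permission strings use '*' as a wildcard; comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def _any_match(patterns, operation):
    return any(_pattern_matches(p, operation) for p in patterns)


def is_data_action(operation):
    # Assumption: blob-level operations are data-plane (DataActions); the rest are
    # control-plane (Actions). This holds for every string used in this document.
    return "/containers/blobs/" in operation


def role_permits(role, operation):
    """True if the role grants `operation`: allowed by Actions/DataActions and not
    subtracted by NotActions/NotDataActions."""
    if is_data_action(operation):
        allow, deny = role.get("dataActions", []), role.get("notDataActions", [])
    else:
        allow, deny = role.get("actions", []), role.get("notActions", [])
    return _any_match(allow, operation) and not _any_match(deny, operation)


def threat_enabled_by(role, expression):
    """"OR": any listed action suffices; "UNIQUE": every listed action is required."""
    if "OR" in expression:
        return any(role_permits(role, op) for op in expression["OR"])
    required = expression["UNIQUE"]
    required = [required] if isinstance(required, str) else required
    return all(role_permits(role, op) for op in required)


def roles_enabling(threat_id, roles=ROLES, threats=THREATS):
    """Sorted names of the roles whose holders could perform the threat."""
    expr = threats[threat_id]
    return sorted(name for name, role in roles.items() if threat_enabled_by(role, expr))


if __name__ == "__main__":
    for tid in THREATS:
        print(f"{tid}: {', '.join(roles_enabling(tid)) or 'none of the listed roles'}")
```

Two results are worth noticing when reviewing a real tenant with this logic: Reader satisfies Storage.T24 because its "*/read" wildcard covers inventoryPolicies/read, and Contributor does not satisfy Storage.T34 because it carries no DataActions, so reading blob content needs a data-plane role (or the account keys, which are outside this evaluation).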
Identify and ensure the protection of all Storage Accounts hosting your data [Storage.CO2]

[Storage.C2]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Define an ACL or IAM authentication for every storage account. Ideally, use Azure AD only, and multiple Storage Accounts if fine-grained access is required.
Testing: Request the list of all Storage Accounts you control, define their authorized data classification, and identify whether the data is primary, together with the mechanism and records that ensure the accuracy of that metadata.
Effort: High
Feature Class(es): Storage.FC2, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T5 (Very Low), Storage.T15 (Very Low), Storage.T33 (Very Low), Storage.T34 (Very Low), Storage.T37 (Very Low), Storage.T54 (Very Low)
Priority: Medium

[Storage.C3, depends on Storage.C2]
Type: Detective (COSO) / Detect (NIST CSF)
Control: Use a data discovery tool (e.g., Microsoft Purview) to verify that no sensitive data is stored in an unauthorized storage account.
Testing: Upload data of a higher classification into a storage account; it should be detected.
Effort: Medium
Feature Class(es): Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T5 (Medium)
Priority: Medium

[Storage.C4]
Type: Detective (COSO) / Detect (NIST CSF)
Control: Use a data discovery tool (e.g., Microsoft Purview) to ensure that storage account names, object names, and tags do not contain sensitive data.
Testing: Create 1) a storage account name, 2) object names, or 3) tags containing sensitive data; it should be detected.
Effort: Very High
Feature Class(es): Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T5 (Medium)
Priority: Low

[Storage.C33, depends on Storage.C32]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Use immutable blobs with a proper policy.
Testing: Ask for the immutability policies. Check the usage of immutable blobs.
Effort: Medium
Feature Class(es): Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T8 (Very High), Storage.T9 (Very High), Storage.T12 (Medium)
Priority: High

[Storage.C144, assured by Storage.C147]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Preview control. Ensure Storage Accounts have allowedCopyScope set to either AAD or PrivateLink.
Testing: Request 1) the mechanism ensuring only authorized Storage Accounts are configured, 2) its records of execution for all new Storage Accounts, and 3) the plan to update unauthorized Storage Accounts.
Effort: High
Feature Class(es): Storage.FC1
Threat(s) and CVSS-weighted Impact: Storage.T57 (Medium)
Priority: Low

[Storage.C145]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Preview control. Prevent the creation of Storage Accounts with allowedCopyScope not set to either AAD or PrivateLink (e.g., by using an Azure Policy in deny/append mode).
Testing: Create a storage account with allowedCopyScope not specified (defaults to null); it should be denied.
Effort: Low
Feature Class(es): Storage.FC1
Threat(s) and CVSS-weighted Impact: Storage.T57 (Very High)
Priority: High

[Storage.C146]
Type: Detective (COSO) / Detect (NIST CSF)
Control: Preview control. Monitor that Storage Accounts with allowedCopyScope set to null / not specified are not created (e.g., using activity logs on the "Create/Update Storage Account" operation, inspecting .properties.requestbody).
Testing: Create a storage account with allowedCopyScope set to null; it should be detected.
Effort: Low
Feature Class(es): Storage.FC1
Threat(s) and CVSS-weighted Impact: Storage.T57 (Medium)
Priority: Medium

[Storage.C147]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Preview control. Verify that no Storage Accounts with allowedCopyScope set to null are configured (e.g., by using an Azure Policy in audit mode).
Testing: Create a storage account with allowedCopyScope set to null; it should be detected.
Effort: Medium
Feature Class(es): Storage.FC1
Threat(s) and CVSS-weighted Impact: -
Priority: Low
Integrate ACLs in the IAM Operating Model to allow non-AD access to files and directories [Storage.CO3]

[Storage.C5, depends on Storage.C1]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Integrate the access to files and directories via ACL in the IAM Operating Model.
Testing: Request the IAM Operating Model for access to files and directories via ACL.
Effort: Low
Feature Class(es): Storage.FC2, Storage.FC4
Threat(s) and CVSS-weighted Impact: Storage.T7 (High), Storage.T9 (Very Low), Storage.T31 (Low), Storage.T32 (Low), Storage.T33 (Very Low)
Priority: High

Ensure no storage account allows public access to blobs [Storage.CO4]

[Storage.C6]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized Storage Accounts with allowBlobPublicAccess enabled; ideally, none.
Testing: Request the list of authorized Storage Accounts with allowBlobPublicAccess enabled, its review process, and its review records.
Effort: Low
Feature Class(es): Storage.FC1, Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T5 (Very Low), Storage.T37 (Very Low), Storage.T50 (Very Low)
Priority: Medium

[Storage.C7, depends on Storage.C6, assured by Storage.C9]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Ensure no Storage Accounts have allowBlobPublicAccess enabled, except if authorized.
Testing: Request 1) the mechanism ensuring only authorized Storage Accounts have allowBlobPublicAccess enabled, 2) its records of execution for all new Storage Accounts, and 3) the plan to migrate any older Storage Accounts.
Effort: High
Feature Class(es): Storage.FC1, Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T5 (Medium), Storage.T37 (Medium), Storage.T50 (Very Low)
Priority: Medium

[Storage.C8, depends on Storage.C6]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Prevent the creation/update of Storage Accounts with allowBlobPublicAccess enabled (e.g., using the Azure Policy "Storage account public access should be disallowed" in deny mode).
Testing: Create a storage account with allowBlobPublicAccess enabled; it should be denied.
Effort: High
Feature Class(es): Storage.FC1, Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T5 (Medium), Storage.T37 (Medium), Storage.T50 (Very Low)
Priority: Medium

[Storage.C9]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify no Storage Accounts have allowBlobPublicAccess enabled (e.g., using the Azure Policy "Storage account public access should be disallowed" in audit mode).
Testing: Create a storage account with allowBlobPublicAccess enabled; it should be detected.
Effort: High
Feature Class(es): Storage.FC1, Storage.FC2
Threat(s) and CVSS-weighted Impact: -
Priority: Medium

[Storage.C55]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify Storage Accounts with cross-tenant replication enabled, or with replication to any Storage Account enabled (e.g., using the Azure Policy "Storage Accounts should prevent cross tenant object replication", or the "allowedCopyScope" parameter, in audit mode).
Testing: Create a storage account with the cross-tenant / any-storage-account option enabled; it should be detected.
Effort: Low
Feature Class(es): Storage.FC2, Storage.FC9
Threat(s) and CVSS-weighted Impact: -
Priority: Medium

[Storage.C97, depends on Storage.C96, assured by Storage.C99]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Ensure only authorized Storage Accounts have the static website hosting option enabled.
Testing: Request 1) the mechanism ensuring only authorized Storage Accounts have the static website hosting option enabled, 2) its records of execution for all new Storage Accounts, and 3) the plan to migrate any older Storage Accounts.
Effort: High
Feature Class(es): Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T22 (Medium)
Priority: Medium

[Storage.C98, depends on Storage.C96]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Prevent unauthorized Storage Accounts from having the static website hosting option enabled (e.g., using Azure Policy in deny mode).
Testing: Create a storage account with the static website hosting option enabled; it should be denied.
Effort: Very Low
Feature Class(es): Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T22 (Medium)
Priority: High

[Storage.C99]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify only authorized Storage Accounts have the static website hosting option enabled (e.g., using Azure Policy in audit mode).
Testing: Create a storage account with the static website hosting option enabled; it should be detected.
Effort: High
Feature Class(es): Storage.FC2
Threat(s) and CVSS-weighted Impact: -
Priority: Medium
Protect primary data against loss [Storage.CO5]

[Storage.C10, assured by Storage.C11]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Enable versioning on blobs holding primary data.
Testing: Request the mechanism used to ensure versioning on blobs holding primary data, and its records.
Effort: Medium
Feature Class(es): Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T7 (Low), Storage.T40 (Low)
Priority: Low

[Storage.C11]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify blobs holding primary data are versioned.
Testing: Remove versioning from a blob holding primary data; it should be detected.
Effort: High
Feature Class(es): Storage.FC2
Threat(s) and CVSS-weighted Impact: -
Priority: Low

[Storage.C12, assured by Storage.C13]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Enable snapshots on Azure Files shares holding primary data.
Testing: Request the mechanism used to ensure snapshots on Azure Files shares holding primary data, and its records.
Effort: Medium
Feature Class(es): Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T7 (Low), Storage.T40 (Low)
Priority: Low

[Storage.C13]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify Azure Files shares have snapshots configured as the alternative to blob versioning.
Testing: Remove snapshots from an Azure Files share holding primary data; it should be detected.
Effort: High
Feature Class(es): Storage.FC2
Threat(s) and CVSS-weighted Impact: -
Priority: Low

[Storage.C14]
Type: Directive (COSO) / Recover (NIST CSF)
Control: Back up primary data to a location under a different security authority (ref 1, ref 2).
Testing: Request the mechanism used to back up primary data to a location under a different security authority, its records of execution, and the records of restoration testing.
Effort: High
Feature Class(es): Storage.FC2, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T7 (High), Storage.T17 (Low), Storage.T18 (Medium), Storage.T19 (Medium), Storage.T20 (Medium)
Priority: Medium

[Storage.C52]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Ensure corporate backup policies are implemented for blobs, file shares, queues, tables, and DFS, including regular restoration testing.
Testing: Request the backup policies for DFS, their review process, and their review records.
Effort: Low
Feature Class(es): Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T7 (Medium), Storage.T9 (Medium), Storage.T12 (Medium), Storage.T43 (Medium)
Priority: Medium

[Storage.C53]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of objects with cross-tenant replication enabled, or with replication to any Storage Account (no private endpoint restriction) enabled.
Testing: Request the list of authorized objects allowed to use cross-tenant replication or replication to any Storage Account, its review process, and its review records.
Effort: Low
Feature Class(es): Storage.FC2, Storage.FC9
Threat(s) and CVSS-weighted Impact: Storage.T5 (Very Low), Storage.T13 (Very Low), Storage.T42 (Very Low)
Priority: Medium

[Storage.C54, depends on Storage.C53, assured by Storage.C55]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Ensure cross-tenant replication, or replication to any Storage Account, is allowed only for specific Storage Accounts.
Testing: Request 1) the mechanism ensuring any replication allows only authorized Storage Accounts, and 2) its records of execution for all new blobs.
Effort: High
Feature Class(es): Storage.FC2, Storage.FC9
Threat(s) and CVSS-weighted Impact: Storage.T5 (High), Storage.T13 (High), Storage.T42 (High)
Priority: Medium

[Storage.C77]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized Azure Storage redundancy options.
Testing: Request the list of authorized Azure Storage redundancy options, its review process, and its review records.
Effort: Low
Feature Class(es): Storage.FC1
Threat(s) and CVSS-weighted Impact: Storage.T14 (Very Low)
Priority: Low

[Storage.C78, depends on Storage.C77, assured by Storage.C80]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Ensure an authorized Azure Storage redundancy option is set for authorized Storage Accounts.
Testing: Request 1) the mechanism ensuring only authorized Azure Storage redundancy options are in use for Storage Accounts, 2) its records of execution for all new Storage Accounts, and 3) the plan to migrate any older Storage Accounts.
Effort: High
Feature Class(es): Storage.FC1
Threat(s) and CVSS-weighted Impact: Storage.T14 (Very Low)
Priority: Very Low

[Storage.C79, depends on Storage.C77]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Ensure only authorized Azure Storage redundancy options are set for authorized Storage Accounts (e.g., using Azure Policy in deny mode).
Testing: Create a storage account with an unauthorized Azure Storage redundancy option; it should be denied.
Effort: Very Low
Feature Class(es): Storage.FC1
Threat(s) and CVSS-weighted Impact: Storage.T14 (Very Low)
Priority: Low

[Storage.C80]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify only authorized Azure Storage redundancy options are set for authorized Storage Accounts (e.g., using Azure Policy in audit mode).
Testing: Configure a storage account with an unauthorized redundancy setting; it should be detected.
Effort: High
Feature Class(es): Storage.FC1
Threat(s) and CVSS-weighted Impact: -
Priority: Very Low

[Storage.C116]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized Storage Accounts and their corresponding resource locks (e.g., to prevent deletions).
Testing: Request the list of authorized Storage Account lock settings, its review process, and its review records.
Effort: Very Low
Feature Class(es): Storage.FC1, Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T4 (Very Low), Storage.T5 (Very Low)
Priority: Very High

[Storage.C117, depends on Storage.C116, assured by Storage.C118]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Lock Storage Accounts to prevent accidental or malicious deletion or configuration changes, and ensure only authorized Storage Accounts have the lock disabled.
Testing: Request 1) the mechanism ensuring only authorized Storage Accounts have locks disabled, 2) its records of execution for all new Storage Account locks, and 3) the plan to migrate any older Storage Accounts.
Effort: Very Low
Feature Class(es): Storage.FC1, Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T4 (High), Storage.T5 (High)
Priority: Very High

[Storage.C118]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify the creation/update/removal of Storage Account locks and their settings (e.g., using activity logs, operation localizedValue "Delete management locks").
Testing: Delete a storage account lock; it should be detected.
Effort: Very Low
Feature Class(es): Storage.FC1, Storage.FC2
Threat(s) and CVSS-weighted Impact: -
Priority: Very High

[Storage.C138, depends on Storage.C139]
Type: Detective (COSO) / Detect (NIST CSF)
Control: Monitor for unauthorized storage account deletions (e.g., using the activity log, operationName.value equal to Microsoft.Storage/storageAccounts/delete).
Testing: Delete a storage account; it should be detected.
Effort: Medium
Feature Class(es): Storage.FC1
Threat(s) and CVSS-weighted Impact: Storage.T4 (Medium)
Priority: Medium

[Storage.C139]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized storage account deletions. The process for creating this list should ensure the storage account is no longer in use.
Testing: Request the list of authorized storage account deletions, its review process, and its review records.
Effort: Low
Feature Class(es): Storage.FC1
Threat(s) and CVSS-weighted Impact: Storage.T4 (Very Low)
Priority: Medium

Enable soft-delete on containers, blobs, and file shares [Storage.CO6]

| Type | Control | Testing | Effort | Feature Class(es) | Threat(s) and Impact | CVSS-weighted Priority |
|---|---|---|---|---|---|---|
| Directive (COSO) / Identify (NIST CSF) | [Storage.C15] For each storage account (or type of data), define the minimum retention of container and blob from the deletion (e.g., 7 days) | For each storage account, request the minimum retention of container and blob from the deletion, its review process, and its review records | Low | Storage.FC2 | Storage.T7 (Very Low), Storage.T9 (Very Low), Storage.T12 (Very Low), Storage.T39 (Very Low) | Medium |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C16, depends on Storage.C15, assured by Storage.C18] Ensure Storage Accounts have soft-delete for the blob enabled for at least the defined minimum retention | Request 1) the mechanism ensuring Storage Accounts have soft-delete for the blob enabled for at least the defined minimum retention, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts | Low | Storage.FC2 | Storage.T7 (Very Low), Storage.T9 (Very Low), Storage.T12 (Very Low) | Very Low |
| Preventative (COSO) / Protect (NIST CSF) | [Storage.C17, depends on Storage.C15] Prevent the creation of Storage Accounts without soft-delete for the blob option (e.g., by using an Azure Policy in deny mode). | Create a storage account without soft-delete for the blob, it should be denied | High | Storage.FC2 | Storage.T9 (High) | Medium |
| Assurance (COSO) / Detect (NIST CSF) | [Storage.C18] Verify all Storage Accounts have soft-delete for the blob enabled (e.g., by using an Azure Policy in audit mode). | Create a storage account without soft-delete for the blob option, it should be detected. | Low | Storage.FC2 | - | Very Low |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C19, depends on Storage.C15, assured by Storage.C21] Ensure Storage Accounts have soft-delete for the container enabled | Request 1) the mechanism ensuring Storage Accounts have soft-delete for the container enabled, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts. | Medium | Storage.FC2 | Storage.T7 (Very Low), Storage.T9 (Very Low), Storage.T12 (Very Low), Storage.T39 (Very Low) | Very Low |
| Preventative (COSO) / Protect (NIST CSF) | [Storage.C20, depends on Storage.C15] Prevent the creation of Storage Accounts without soft-delete for the container option (e.g., by using an Azure Policy in deny mode). | Create a storage account without soft-delete for the container, it should be denied. | High | Storage.FC2 | Storage.T9 (High), Storage.T39 (Very Low) | Medium |
| Assurance (COSO) / Detect (NIST CSF) | [Storage.C21] Verify Storage Accounts without soft-delete for the container are not configured. | Create a storage account without soft-delete for the container option, it should be detected. | Low | Storage.FC2 | - | Very Low |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C37, assured by Storage.C39] Ensure Storage Accounts have soft-delete for the blob enabled | Request 1) the mechanism ensuring Storage Accounts have soft-delete for the blob enabled, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts | High | Storage.FC2, Storage.FC6 | Storage.T7 (Very Low), Storage.T9 (Very Low), Storage.T12 (Very Low), Storage.T25 (Low), Storage.T39 (Very Low) | Medium |
| Preventative (COSO) / Protect (NIST CSF) | [Storage.C38] Prevent the creation of Storage Accounts without soft-delete for the blob option (e.g., by using an Azure Policy on "Microsoft.storage/storageaccounts/deleteRetentionPolicy" in deny mode). | Create a storage account without soft-delete for the blob, it should be denied | High | Storage.FC2, Storage.FC6 | Storage.T9 (High), Storage.T25 (Low), Storage.T39 (Very Low) | Medium |
| Assurance (COSO) / Detect (NIST CSF) | [Storage.C39] Verify all Storage Accounts have soft-delete for the blob enabled | Create a storage account without soft-delete for the blob option, it should be detected. | Low | Storage.FC2, Storage.FC6 | - | Medium |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C40, assured by Storage.C42] Ensure Storage Accounts have soft-delete for the container enabled | Request 1) the mechanism ensuring Storage Accounts have soft-delete for the container enabled, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts | Medium | Storage.FC2, Storage.FC6 | Storage.T7 (Very Low), Storage.T9 (Very Low), Storage.T12 (Very Low), Storage.T25 (Low), Storage.T39 (Very Low) | Low |
| Preventative (COSO) / Protect (NIST CSF) | [Storage.C41, depends on Storage.C37] Prevent the creation of Storage Accounts without soft-delete for the container option (e.g., by using an Azure Policy in deny mode). | Create a storage account without soft-delete for the container, it should be denied. | High | Storage.FC2, Storage.FC6 | Storage.T9 (High), Storage.T25 (Low), Storage.T39 (Low) | Medium |
| Assurance (COSO) / Detect (NIST CSF) | [Storage.C42] Verify Storage Accounts without soft-delete for the container are not configured. | Create a storage account without soft-delete for the container option, it should be detected. | Low | Storage.FC2, Storage.FC6 | - | Low |
| Directive (COSO) / Identify (NIST CSF) | [Storage.C61] Maintain a list of authorized blobs and containers with public access level set to anonymous; ideally, none | Request the list of authorized blobs and containers with public access level set to anonymous, its review process, and its review records. | Low | Storage.FC1, Storage.FC2 | Storage.T5 (Very Low), Storage.T37 (Very Low), Storage.T50 (Very Low) | High |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C62, depends on Storage.C61, assured by Storage.C65] Ensure the anonymous access level is set only for authorized blobs/containers. | Request 1) the mechanism ensuring only authorized blobs/containers are anonymously accessed, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts | High | Storage.FC1, Storage.FC2 | Storage.T5 (Medium), Storage.T37 (Medium), Storage.T50 (Very Low) | Medium |
| Preventative (COSO) / Protect (NIST CSF) | [Storage.C63, depends on Storage.C61] Ensure only authorized blobs and containers are anonymously accessed (e.g., using Azure Policy in deny mode). | Create a blob or a container anonymously accessible, it should be denied. | Very Low | Storage.FC1, Storage.FC2 | Storage.T5 (Medium), Storage.T37 (Medium), Storage.T50 (Very Low) | High |
| Detective (COSO) / Detect (NIST CSF) | [Storage.C64] Monitor the creation/update of blobs and containers that are anonymously accessed (e.g., using Azure Automations). | Create a blob or a container anonymously accessible, it should be detected. | Low | Storage.FC1, Storage.FC2 | Storage.T5 (Medium), Storage.T37 (Medium), Storage.T50 (Very Low) | Medium |
| Assurance (COSO) / Detect (NIST CSF) | [Storage.C65] Verify only authorized blobs or containers are anonymously accessible (e.g., using Azure Policy in audit mode). | Create 1) a blob or 2) a container anonymously accessible, it should be detected. | High | Storage.FC1, Storage.FC2 | - | Medium |
| Directive (COSO) / Identify (NIST CSF) | [Storage.C89] For each file share, define the minimum retention of container and blob from the deletion (e.g., 7 days) | For each file share, request the minimum retention from the deletion, its review process, and its review records | High | Storage.FC3 | Storage.T18 (Very Low), Storage.T19 (Very Low), Storage.T20 (Very Low) | Medium |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C90, depends on Storage.C89, assured by Storage.C92] Ensure file shares have soft-delete enabled for at least the defined minimum retention | Request 1) the mechanism ensuring file shares have soft-delete enabled for at least the defined minimum retention, 2) its records of execution for all new file shares, and 3) plan to move any older file shares | Low | Storage.FC3 | Storage.T18 (Medium), Storage.T19 (Very Low), Storage.T20 (Very Low) | Medium |
| Preventative (COSO) / Protect (NIST CSF) | [Storage.C91, depends on Storage.C89] Prevent the creation of file shares without soft-delete (e.g., by using an Azure Policy in deny mode). | Create a file share without soft-delete, it should be denied | High | Storage.FC3 | Storage.T18 (Medium), Storage.T19 (Very Low), Storage.T20 (Very Low) | Low |
| Assurance (COSO) / Detect (NIST CSF) | [Storage.C92] Verify all file shares have soft-delete (e.g., by using an Azure Policy in audit mode). | Create a file share without soft-delete, it should be detected. | Low | Storage.FC3 | - | Medium |

ThreatModel for Azure Storage, by TrustOnCloud, under a Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). Page 88 / 135

Enable hierarchical namespace in storage account, only when required [Storage.CO7]

| Type | Control | Testing | Effort | Feature Class(es) | Threat(s) and Impact | CVSS-weighted Priority |
|---|---|---|---|---|---|---|
| Directive (COSO) / Identify (NIST CSF) | [Storage.C22] Maintain a list of authorized Storage Accounts with the hierarchical namespace (DFS) option enabled. | Request the list of authorized {resources}, its review process, and its review records | Medium | Storage.FC2 | Storage.T6 (Very Low), Storage.T7 (Very Low), Storage.T40 (Very Low) | Low |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C23, depends on Storage.C22, assured by Storage.C24] Ensure only authorized Storage Accounts with the hierarchical namespace (DFS) option enabled are configured | Request 1) the mechanism ensuring only authorized Storage Accounts with the hierarchical namespace (DFS) option enabled are configured, 2) its records of execution for all new Storage Accounts with the hierarchical namespace (DFS) option enabled, and 3) plan to move any older Storage Accounts with the hierarchical namespace (DFS) option enabled. | Medium | Storage.FC2 | Storage.T6 (Low), Storage.T7 (Low), Storage.T40 (Low) | Low |
| Assurance (COSO) / Detect (NIST CSF) | [Storage.C24] Verify Storage Accounts with the hierarchical namespace (DFS) option enabled are not configured (e.g., by using an Azure Policy on {"isHnsEnabled": "true"} in audit mode) | Create a storage account with the hierarchical namespace (DFS) option enabled, it should be detected | Medium | Storage.FC2 | - | Low |

Enforce encryption-in-transit [Storage.CO8]

| Type | Control | Testing | Effort | Feature Class(es) | Threat(s) and Impact | CVSS-weighted Priority |
|---|---|---|---|---|---|---|
| Assurance (COSO) / Detect (NIST CSF) | [Storage.C71] Verify only authorized keys for Azure Storage encryption with the desired assignment and rotation policy are in use (e.g., using Azure Policy in audit mode). | Configure a storage account with an unauthorized encryption setting, it should be detected. | High | Storage.FC1 | - | Low |
| Directive (COSO) / Identify (NIST CSF) | [Storage.C72] Maintain a list of authorized encryption in transit methods with the desired assignment to Storage Accounts. Ideally, minimum TLS 1.2. | Request the list of authorized encryption in transit methods, its review process, and its review records. | Very Low | Storage.FC1, Storage.FC3 | Storage.T11 (Very Low), Storage.T21 (Very Low) | Very High |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C73, depends on Storage.C72, assured by Storage.C76] Ensure authorized encryption in transit methods with the desired assignment are set for authorized Storage Accounts, and that clients perform checks against the certificate exposed by Storage Accounts. | Request 1) the mechanism ensuring only encryption in transit methods with the desired assignment are in use, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts | Low | Storage.FC1, Storage.FC3 | Storage.T11 (High), Storage.T21 (Medium) | Very High |
| Preventative (COSO) / Protect (NIST CSF) | [Storage.C74, depends on Storage.C72] Ensure Storage Accounts have authorized encryption in transit methods configured (e.g., using Azure Policy in deny mode). | Create a blob with unauthorized encryption in transit methods for Azure Storage, it should be denied. | Medium | Storage.FC1, Storage.FC3 | Storage.T11 (Very High), Storage.T21 (Medium) | Very High |
| Detective (COSO) / Detect (NIST CSF) | [Storage.C75] Monitor the creation/update of the encryption in transit methods in use, with the desired assignment, for authorized Storage Accounts (e.g., using activity logs on the properties.supportsHttpsTrafficOnly scope "supportsHttpsTrafficOnly"). | Configure a storage account with unauthorized encryption in transit settings, it should be detected. | Low | Storage.FC1, Storage.FC3 | Storage.T11 (Medium), Storage.T21 (Medium) | Medium |
| Assurance (COSO) / Detect (NIST CSF) | [Storage.C76] Verify only authorized encryption in transit methods with the desired assignment are set for authorized Storage Accounts (e.g., using Azure Policy in audit mode). | Configure a storage account with unauthorized encryption in transit settings, it should be detected. | Low | Storage.FC1, Storage.FC3 | - | Very High |
| Directive (COSO) / Identify (NIST CSF) | [Storage.C104] Maintain a list of authorized NFS/SMB 2.1 Azure Files. | Request the list of authorized NFS/SMB 2.1 Azure Files with NFS/SMB 2.1 settings, its review process, and its review records. | Low | Storage.FC3 | Storage.T21 (Very Low) | Low |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C105, depends on Storage.C104, assured by Storage.C108] Ensure only authorized Azure Files NFS/SMB 2.1 have encryption disabled. | Request 1) the mechanism ensuring only authorized NFS/SMB 2.1 Azure Files have encryption disabled, 2) its records of execution for all new NFS/SMB 2.1 Azure Files, and 3) a plan to move any older Storage Accounts | High | Storage.FC3 | Storage.T21 (Low) | Low |
| Preventative (COSO) / Protect (NIST CSF) | [Storage.C106, depends on Storage.C104] Prevent unauthorized Azure Files NFS/SMB 2.1 from having encryption disabled (e.g., using Azure Policy in deny mode). | Create a storage account with encryption disabled, it should be denied. | High | Storage.FC3 | Storage.T21 (Low) | Low |
| Detective (COSO) / Detect (NIST CSF) | [Storage.C107] Monitor the creation/update of Azure Files NFS/SMB 2.1 and corresponding settings (e.g., using activity logs on the properties.supportsHttpsTrafficOnly scope "supportsHttpsTrafficOnly"). | Create a storage account with encryption disabled, it should be detected. | High | Storage.FC3 | Storage.T21 (Low) | Low |
| Assurance (COSO) / Detect (NIST CSF) | [Storage.C108] Verify only authorized Azure Files NFS/SMB 2.1 and corresponding settings are configured (e.g., using Azure Policy in audit mode). | Create a storage account with encryption disabled, it should be detected. | High | Storage.FC3 | - | Low |
| Directive (COSO) / Identify (NIST CSF) | [Storage.C129] Maintain a list of authorized Azure Files security protocol settings (ideally maximum security: SMB 3.1.1, Kerberos, AES-256 only). | Request the list of authorized Azure Files security protocol settings, its review process, and its review records. | Low | Storage.FC3 | Storage.T21 (Very Low) | Low |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C130, depends on Storage.C129, assured by Storage.C132] Ensure authorized Azure Files options with security protocol settings are set for authorized Storage Accounts. | Request 1) the mechanism ensuring only authorized Azure Files security protocol settings for Storage Accounts are in use, 2) its records of execution for all new Storage Accounts, and 3) the plan to move any older Storage Accounts. | High | Storage.FC3 | Storage.T21 (Very Low) | Low |
| Preventative (COSO) / Protect (NIST CSF) | [Storage.C131] Ensure only authorized Azure Files options with security protocol settings are set for authorized Storage Accounts (e.g., using Azure Policy in deny mode utilizing the "protocolSettings"/"smb" {"versions", "authenticationMethods", "kerberosTicketEncryption", "channelEncryption"} fields). | Create a file with unauthorized Azure Files security protocol settings for Azure Storage, it should be denied. | Very Low | Storage.FC3 | Storage.T21 (Very Low) | Medium |
| Assurance (COSO) / Detect (NIST CSF) | [Storage.C132] Verify only authorized Azure Files options with security protocol settings are set for authorized Storage Accounts (e.g., using Azure Policy in audit mode utilizing the "protocolSettings"/"smb" {"versions", "authenticationMethods", "kerberosTicketEncryption", "channelEncryption"} fields). | Configure a storage account with an unauthorized Azure Files security protocol settings model, it should be detected. | High | Storage.FC3 | - | Low |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C133] Refrain from mixing or downgrading security options for the Azure Files shares inside the same Azure Storage account. | Check the configuration of Storage Accounts (Azure Files). | Medium | Storage.FC3 | Storage.T21 (Very Low) | Low |
Connect via private endpoint [Storage.CO9]

| Type | Control | Testing | Effort | Feature Class(es) | Threat(s) and Impact | CVSS-weighted Priority |
|---|---|---|---|---|---|---|
| Directive (COSO) / Identify (NIST CSF) | [Storage.C43] Maintain a list of authorized VNETs for the blob, file shares, queues, tables, DFS, NFS, and SFTP access via a private endpoint. | Request the list of authorized IPs, its review process, and its review records. | Low | Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC7 | Storage.T1 (Very Low), Storage.T3 (Very Low), Storage.T5 (Very Low), Storage.T9 (Very Low), Storage.T11 (Very Low), Storage.T12 (Very Low), Storage.T15 (Very Low), Storage.T29 (Very Low), Storage.T31 (Very Low), Storage.T32 (Very Low), Storage.T37 (Very Low), Storage.T43 (Very Low), Storage.T47 (Very Low), Storage.T50 (Very Low), Storage.T55 (Very Low) | High |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C44, depends on Storage.C43, assured by Storage.C46] Ensure only authorized VNETs are configured for the blob, file shares, queues, tables, DFS, NFS, and SFTP. | Request 1) the mechanism ensuring PE is in place, 2) its records of execution for all new DFS. | High | Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC7 | Storage.T1 (Very High), Storage.T3 (Very High), Storage.T5 (Low), Storage.T9 (Very Low), Storage.T11 (Medium), Storage.T12 (Medium), Storage.T15 (Low), Storage.T29 (Low), Storage.T31 (Low), Storage.T32 (Low), Storage.T37 (Low), Storage.T43 (Very Low), Storage.T47 (Very High), Storage.T50 (Very Low), Storage.T55 (Very High) | High |
| Preventative (COSO) / Protect (NIST CSF) | [Storage.C45, depends on Storage.C43] Prevent the use of unauthorized VNETs by the storage account (e.g., by using Azure Policy). | Configure an unauthorized VNET on a storage account, it should be denied. | High | Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC7 | Storage.T1 (Very High), Storage.T3 (Very High), Storage.T5 (Low), Storage.T9 (Very Low), Storage.T11 (Medium), Storage.T12 (Medium), Storage.T15 (Medium), Storage.T29 (Medium), Storage.T31 (Low), Storage.T32 (Low), Storage.T37 (Low), Storage.T43 (Very Low), Storage.T47 (Very High), Storage.T50 (Low), Storage.T55 (Very High) | High |
| Assurance (COSO) / Detect (NIST CSF) | [Storage.C46] Verify the unauthorized VNETs cannot access the storage account. | Configure an unauthorized VNET on a storage account, it should be detected. | Low | Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC7 | - | High |

Restrict access to the endpoints (where possible disable public endpoint) [Storage.CO10]

| Type | Control | Testing | Effort | Feature Class(es) | Threat(s) and Impact | CVSS-weighted Priority |
|---|---|---|---|---|---|---|
| Directive (COSO) / Identify (NIST CSF) | [Storage.C48] Maintain a list of authorized IPs and/or resource instance rules authorized to access each storage account | Request the list of authorized IP or resource instance rules, its review process, and its review records. | Medium | Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC7 | Storage.T1 (Very Low), Storage.T3 (Very Low), Storage.T5 (Very Low), Storage.T9 (Very Low), Storage.T11 (Very Low), Storage.T12 (Very Low), Storage.T15 (Very Low), Storage.T29 (Very Low), Storage.T31 (Very Low), Storage.T32 (Very Low), Storage.T37 (Very Low), Storage.T43 (Very Low), Storage.T47 (Very Low), Storage.T50 (Very Low), Storage.T55 (Very Low) | High |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C49, depends on Storage.C48, assured by Storage.C51] Block requests from unauthorized IPs, including trusted services, logging, and metrics read access (ref). | Request 1) the mechanism ensuring firewall rules are in place, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts | Medium | Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC7 | Storage.T1 (High), Storage.T3 (High), Storage.T5 (High), Storage.T9 (Very Low), Storage.T11 (Medium), Storage.T12 (Medium), Storage.T15 (Medium), Storage.T29 (Medium), Storage.T31 (Low), Storage.T32 (Low), Storage.T37 (High), Storage.T43 (Very Low), Storage.T47 (High), Storage.T50 (Low), Storage.T55 (High) | High |
| Preventative (COSO) / Protect (NIST CSF) | [Storage.C50, depends on Storage.C48] Prevent access from unauthorized IPs by allowing only authorized IPs using the Azure Storage firewall. | Access from unauthorized IPs, it should be denied. | Low | Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC7 | Storage.T1 (Very Low), Storage.T15 (Medium), Storage.T29 (Medium), Storage.T31 (Low), Storage.T32 (Low), Storage.T47 (Very Low), Storage.T50 (Low), Storage.T55 (Very Low) | Medium |
| Assurance (COSO) / Detect (NIST CSF) | [Storage.C51] Verify access is possible only from the allowed list (e.g., by using Azure Policy) | Connect to storage from a not allowed IP, it should be detected. | Low | Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC7 | - | High |
| Directive (COSO) / Identify (NIST CSF) | [Storage.C96] Maintain a list of authorized Storage Accounts that have the static website hosting option enabled; ideally, none | Request the list of authorized Storage Accounts with the static website hosting option enabled, its review process, and its review records. | Low | Storage.FC2 | Storage.T22 (Very Low) | High |
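As an added example (not part of the TrustOnCloud ThreatModel), the following Python script automates the assurance checks of CO6 to CO10 (Storage.C18/C21/C92, C65, C24, C76, C132, C46, C51) against the Resource Manager JSON of one storage account, its blob service and its file service. The retention threshold, the allow-lists and the two sample accounts are assumptions standing in for the lists the Directive controls require.

```python
"""Offline audit of one storage account against the assurance controls in CO6 to CO10
(soft-delete, hierarchical namespace, encryption in transit, VNET and IP restriction).
Added example, not TrustOnCloud's code. Input is Resource Manager JSON with a
`properties` object (the REST / `az resource show` shape) for the account, its blob
service and its file service; the thresholds and allow-lists are assumptions standing
in for the lists the Directive controls (Storage.C15, C22, C43, C48, C61, C72, C129) require."""
from typing import Any

MIN_RETENTION_DAYS = 7                    # Storage.C15 / C89, assumed value
HNS_AUTHORIZED = {"lakeprod01"}            # Storage.C22 list (constructed)
ANON_AUTHORIZED: set[str] = set()          # Storage.C61 list: ideally none
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net"
             "/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/app")
AUTHORIZED_SUBNETS = {SUBNET_ID}           # Storage.C43 list (constructed)
AUTHORIZED_IPS = {"203.0.113.0/24"}        # Storage.C48 list (constructed, TEST-NET-3)
SMB_ALLOWED = {                            # Storage.C129: SMB 3.1.1, Kerberos, AES-256 only
    "versions": {"SMB3.1.1"}, "authenticationMethods": {"Kerberos"},
    "kerberosTicketEncryption": {"AES-256"}, "channelEncryption": {"AES-256-GCM"}}


def _get(d: Any, path: str, default: Any = None) -> Any:
    """Walk a dotted path such as 'properties.networkAcls.defaultAction'."""
    for key in path.split("."):
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def audit(acct: dict, blob_svc: dict, file_svc: dict) -> list[tuple[str, str]]:
    """Return (control id, message) pairs; an empty list means the account passes."""
    n, f = acct["name"], []
    # CO6: soft-delete on blobs, containers and file shares for at least MIN_RETENTION_DAYS
    for ctl, svc, pol, what in (("Storage.C18", blob_svc, "deleteRetentionPolicy", "blob"),
                                ("Storage.C21", blob_svc, "containerDeleteRetentionPolicy", "container"),
                                ("Storage.C92", file_svc, "shareDeleteRetentionPolicy", "file share")):
        if not _get(svc, f"properties.{pol}.enabled", False):
            f.append((ctl, f"{n}: soft-delete for {what} disabled"))
        elif _get(svc, f"properties.{pol}.days", 0) < MIN_RETENTION_DAYS:
            f.append((ctl, f"{n}: {what} retention below {MIN_RETENTION_DAYS} days"))
    # CO6 / Storage.C65: anonymous access only on listed accounts (the platform default allows it)
    if _get(acct, "properties.allowBlobPublicAccess", True) and n not in ANON_AUTHORIZED:
        f.append(("Storage.C65", f"{n}: anonymous blob access allowed"))
    # CO7 / Storage.C24: hierarchical namespace only on listed accounts
    if _get(acct, "properties.isHnsEnabled", False) and n not in HNS_AUTHORIZED:
        f.append(("Storage.C24", f"{n}: hierarchical namespace not authorized"))
    # CO8 / Storage.C76: HTTPS only and minimum TLS 1.2
    if not _get(acct, "properties.supportsHttpsTrafficOnly", False):
        f.append(("Storage.C76", f"{n}: supportsHttpsTrafficOnly is false"))
    if _get(acct, "properties.minimumTlsVersion") != "TLS1_2":
        f.append(("Storage.C76", f"{n}: minimumTlsVersion is not TLS1_2"))
    # CO8 / Storage.C132: every SMB option offered must be within the authorized set
    for field, allowed in SMB_ALLOWED.items():
        raw = _get(file_svc, f"properties.protocolSettings.smb.{field}", "") or ""
        if extra := set(filter(None, raw.split(";"))) - allowed:
            f.append(("Storage.C132", f"{n}: SMB {field} permits {sorted(extra)}"))
    # CO9 / Storage.C46 and CO10 / Storage.C51: default deny, only listed subnets and IPs
    if _get(acct, "properties.networkAcls.defaultAction") != "Deny":
        f.append(("Storage.C51", f"{n}: networkAcls.defaultAction is not Deny"))
    for rule in _get(acct, "properties.networkAcls.virtualNetworkRules", []):
        if rule.get("id") not in AUTHORIZED_SUBNETS:
            f.append(("Storage.C46", f"{n}: unauthorized subnet {rule.get('id')}"))
    for rule in _get(acct, "properties.networkAcls.ipRules", []):
        if rule.get("value") not in AUTHORIZED_IPS:
            f.append(("Storage.C51", f"{n}: unauthorized IP rule {rule.get('value')}"))
    return f


# Constructed sample: an account as found (WEAK) and its hardened twin (HARDENED),
# each as (account, blob service, file service).
WEAK = ({"name": "stweak01", "properties": {
            "allowBlobPublicAccess": True, "isHnsEnabled": True,
            "supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0",
            "networkAcls": {"defaultAction": "Allow", "virtualNetworkRules": [],
                            "ipRules": [{"value": "198.51.100.7"}]}}},
        {"properties": {"deleteRetentionPolicy": {"enabled": False},
                        "containerDeleteRetentionPolicy": {"enabled": True, "days": 3}}},
        {"properties": {"shareDeleteRetentionPolicy": {"enabled": False},
                        "protocolSettings": {"smb": {
                            "versions": "SMB2.1;SMB3.0;SMB3.1.1",
                            "authenticationMethods": "NTLMv2;Kerberos",
                            "kerberosTicketEncryption": "RC4-HMAC;AES-256",
                            "channelEncryption": "AES-128-CCM;AES-128-GCM;AES-256-GCM"}}}})
HARDENED = ({"name": "lakeprod01", "properties": {
            "allowBlobPublicAccess": False, "isHnsEnabled": True,
            "supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
            "networkAcls": {"defaultAction": "Deny", "ipRules": [{"value": "203.0.113.0/24"}],
                            "virtualNetworkRules": [{"id": SUBNET_ID}]}}},
        {"properties": {"deleteRetentionPolicy": {"enabled": True, "days": 14},
                        "containerDeleteRetentionPolicy": {"enabled": True, "days": 14}}},
        {"properties": {"shareDeleteRetentionPolicy": {"enabled": True, "days": 14},
                        "protocolSettings": {"smb": {
                            "versions": "SMB3.1.1", "authenticationMethods": "Kerberos",
                            "kerberosTicketEncryption": "AES-256",
                            "channelEncryption": "AES-256-GCM"}}}})

if __name__ == "__main__":
    for ctl, msg in audit(*WEAK):      # 13 findings; audit(*HARDENED) returns []
        print(ctl, msg)
```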

Enable monitoring & notifications for Storage Accounts [Storage.CO11]

| Type | Control | Testing | Effort | Feature Class(es) | Threat(s) and Impact | CVSS-weighted Priority |
|---|---|---|---|---|---|---|
| Directive (COSO) / Identify (NIST CSF) | [Storage.C32] Maintain a list of directories and blobs that do not need modification after uploading to DFS/blob. | Request the list of directories and blobs for immutable blobs functionality. | Medium | Storage.FC2 | Storage.T7 (Very Low), Storage.T8 (Very Low), Storage.T9 (Very Low), Storage.T12 (Very Low) | High |
| Directive (COSO) / Identify (NIST CSF) | [Storage.C56] Define a diagnostic settings design for Storage Accounts, including destination (tenant/subscription), categories (ideally all), and rotation. Resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace to use with Azure Monitor Logs, to Azure Event Hubs to forward outside of Azure, or to Azure Storage for archiving. | Request the design of diagnostic settings for Storage Accounts, its review process, and its review records. | Low | Storage.FC1, Storage.FC2, Storage.FC7, Storage.FC8, Storage.FC9 | Storage.T3 (Very Low), Storage.T5 (Very Low), Storage.T7 (Very Low), Storage.T8 (Very Low), Storage.T9 (Very Low), Storage.T10 (Very Low), Storage.T13 (Very Low), Storage.T37 (Very Low), Storage.T41 (Very Low), Storage.T42 (Very Low), Storage.T43 (Very Low), Storage.T51 (Very Low), Storage.T53 (Very Low), Storage.T55 (Very Low) | Very High |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C57, depends on Storage.C56, assured by Storage.C60] Ensure diagnostic settings are configured according to the architecture design. | Request 1) the mechanism ensuring only authorized diagnostic settings destinations are enabled, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts | Low | Storage.FC2, Storage.FC7, Storage.FC8, Storage.FC9 | Storage.T3 (Very Low), Storage.T5 (Very Low), Storage.T7 (Very Low), Storage.T8 (Very Low), Storage.T9 (Very Low), Storage.T10 (Medium), Storage.T13 (Very Low), Storage.T37 (Very Low), Storage.T41 (Very Low), Storage.T42 (Very Low), Storage.T43 (Very Low), Storage.T53 (Very Low), Storage.T55 (Very Low) | Medium |
| Preventative (COSO) / Protect (NIST CSF) | [Storage.C58, depends on Storage.C56] Ensure Storage Accounts have diagnostic settings configured according to the design. | Create a storage account with unauthorized diagnostic settings options, it should be denied. | Very Low | Storage.FC1, Storage.FC2, Storage.FC7, Storage.FC8, Storage.FC9 | Storage.T3 (Very Low), Storage.T5 (Very Low), Storage.T7 (Very Low), Storage.T8 (Very Low), Storage.T9 (Very Low), Storage.T10 (High), Storage.T13 (Very Low), Storage.T37 (Very Low), Storage.T41 (Very Low), Storage.T42 (Very Low), Storage.T43 (Very Low), Storage.T51 (Very Low), Storage.T53 (Very Low), Storage.T55 (Very Low) | High |
| Detective (COSO) / Detect (NIST CSF) | [Storage.C59] Monitor the creation/update of Storage Accounts with diagnostic settings enabled according to the design (e.g., using activity logs on the operation name "create or update resource diagnostic setting") | Configure a storage account with unauthorized diagnostic settings options, it should be detected. | Low | Storage.FC2, Storage.FC8 | Storage.T10 (Medium), Storage.T41 (Very Low), Storage.T53 (Very Low), Storage.T55 (Very Low) | Medium |
| Assurance (COSO) / Detect (NIST CSF) | [Storage.C60] Verify Storage Accounts have diagnostic settings configured according to the design (e.g., using the Azure Policy "Configure diagnostic settings for Storage Accounts to Log Analytics workspace" in audit mode). | Create a storage account with unauthorized diagnostic settings options, it should be detected. | High | Storage.FC2, Storage.FC7, Storage.FC8, Storage.FC9 | - | Medium |
| Detective (COSO) / Protect (NIST CSF) | [Storage.C88] Monitor file share quotas and trends using Azure Monitor with an alarm (e.g., Azure file share size is 80% of capacity) | Create a file with an unauthorized or default quota, it should be detected. | Very Low | Storage.FC3 | Storage.T16 (Medium) | Low |
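As an added example (not from the TrustOnCloud ThreatModel), this Python triage implements the detective controls Storage.C138/C139 (unauthorized storage account deletion), Storage.C118 (management lock deletion), Storage.C59 (diagnostic setting changes) and Storage.C75 (account writes, which is where supportsHttpsTrafficOnly changes) over Azure Activity Log records. The records, callers, resource ids and the authorized-deletion list are constructed.

```python
"""Triage of Azure Activity Log records for the detective controls above: Storage.C138/C139
(storage account deletions not on the authorized list), Storage.C118 (deletion of a management
lock on a storage account), Storage.C59 (diagnostic setting created, updated or deleted) and
Storage.C75 (account writes, which is where supportsHttpsTrafficOnly changes). Added example,
not TrustOnCloud's code. Records use the Activity Log fields operationName.value,
operationName.localizedValue, status.value, resourceId, caller and eventTimestamp; the sample
records, principals, resource ids and the authorized-deletion list are constructed."""
import re
from typing import Optional

# Activity Log operation names (matched case-insensitively) mapped to the control they serve.
WATCHED_OPERATIONS = {
    "microsoft.storage/storageaccounts/delete": "Storage.C138",
    "microsoft.authorization/locks/delete": "Storage.C118",
    "microsoft.insights/diagnosticsettings/write": "Storage.C59",
    "microsoft.insights/diagnosticsettings/delete": "Storage.C59",
    "microsoft.storage/storageaccounts/write": "Storage.C75",
}
# Locks and diagnostic settings are child resources of the account, so the account
# resource id is always a prefix of their resourceId.
ACCOUNT_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
                        r"Microsoft\.Storage/storageAccounts/([^/]+)", re.IGNORECASE)


def storage_account_of(resource_id: str) -> Optional[str]:
    """Name of the storage account a resourceId belongs to, or None for other scopes."""
    m = ACCOUNT_RE.match(resource_id)
    return m.group(1).lower() if m else None


def triage(records: list[dict], authorized_deletions: list[str]) -> list[dict]:
    """Return one alert per succeeded, watched operation on a storage account."""
    allowed = {a.lower() for a in authorized_deletions}   # the Storage.C139 list
    alerts = []
    for rec in records:
        op = rec.get("operationName", {}).get("value", "").lower()
        control = WATCHED_OPERATIONS.get(op)
        # Azure emits Started/Accepted/Failed records for the same operation; only a
        # Succeeded record proves the change actually happened.
        if control is None or rec.get("status", {}).get("value") != "Succeeded":
            continue
        account = storage_account_of(rec.get("resourceId", ""))
        if account is None:          # e.g. a lock on a resource group, not on an account
            continue
        if control == "Storage.C138" and account in allowed:
            continue                 # planned decommission, documented per Storage.C139
        alerts.append({"control": control, "account": account,
                       "operation": rec["operationName"].get("localizedValue", op),
                       "caller": rec.get("caller", "unknown"),
                       "time": rec.get("eventTimestamp")})
    return alerts


def _rec(op, localized, status, rid, caller, ts):
    """Build a minimal Activity Log record (constructed sample data)."""
    return {"operationName": {"value": op, "localizedValue": localized},
            "status": {"value": status}, "resourceId": rid, "caller": caller,
            "eventTimestamp": ts}


RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"
PROD = f"{RG}/providers/Microsoft.Storage/storageAccounts/stprod01"
LEGACY = f"{RG}/providers/Microsoft.Storage/storageAccounts/stlegacy01"
DELETE, LOCK = "Microsoft.Storage/storageAccounts/delete", "Microsoft.Authorization/locks/delete"
SAMPLE_RECORDS = [
    _rec(DELETE, "Delete Storage Account", "Succeeded", LEGACY, "ops@example.com", "2024-03-01T08:00:00Z"),
    _rec(LOCK, "Delete management locks", "Succeeded", f"{PROD}/providers/Microsoft.Authorization/locks/keep", "dev@example.com", "2024-03-01T08:58:00Z"),
    _rec(DELETE, "Delete Storage Account", "Started", PROD, "dev@example.com", "2024-03-01T09:00:00Z"),
    _rec(DELETE, "Delete Storage Account", "Succeeded", PROD, "dev@example.com", "2024-03-01T09:00:05Z"),
    _rec("Microsoft.Insights/diagnosticSettings/write", "Create or update resource diagnostic setting", "Succeeded", f"{PROD}/blobServices/default/providers/microsoft.insights/diagnosticSettings/to-law", "dev@example.com", "2024-03-01T09:10:00Z"),
    _rec("Microsoft.Storage/storageAccounts/write", "Create/Update Storage Account", "Succeeded", PROD, "dev@example.com", "2024-03-01T09:20:00Z"),
    _rec("Microsoft.Storage/storageAccounts/write", "Create/Update Storage Account", "Failed", PROD, "dev@example.com", "2024-03-01T09:21:00Z"),
    _rec(LOCK, "Delete management locks", "Succeeded", f"{RG}/providers/Microsoft.Authorization/locks/rg-lock", "ops@example.com", "2024-03-01T10:00:00Z"),
]
AUTHORIZED_DELETIONS = ["stlegacy01"]   # the Storage.C139 list (constructed)

if __name__ == "__main__":
    for a in triage(SAMPLE_RECORDS, AUTHORIZED_DELETIONS):
        print(a["time"], a["control"], a["account"], a["operation"], "by", a["caller"])
```

A Storage.C75 alert only says that the account was written; the new value of supportsHttpsTrafficOnly has to be read back from the account itself.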
Enforce encryption-at-rest [Storage.CO12]

| Type | Control | Testing | Effort | Feature Class(es) | Threat(s) and Impact | CVSS-weighted Priority |
|---|---|---|---|---|---|---|
| Directive (COSO) / Identify (NIST CSF) | [Storage.C66] Maintain a list of authorized keys for Azure Storage encryption with the desired assignment and rotation policy. | Request the list of authorized keys for Azure Storage encryption with the desired assignment and rotation policy, its review process, and its review records. | Low | Storage.FC1 | Storage.T14 (Very Low) | Medium |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C67, depends on Storage.C66, assured by Storage.C71] Ensure authorized keys for Azure Storage encryption with the desired assignment and rotation policy are set for authorized Storage Accounts. | Request 1) the mechanism ensuring only authorized keys for Azure Storage encryption with the desired assignment and rotation policy are in use, 2) its records of execution for all new Storage Accounts, and 3) the plan to move any older Storage Accounts | High | Storage.FC1 | Storage.T14 (Medium) | Low |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C68] Protect the Key Vault storing custom encryption keys using the Key Vault ThreatModel. | Check settings for Key Vault. | High | Storage.FC1 | Storage.T38 (Medium) | Low |
| Preventative (COSO) / Protect (NIST CSF) | [Storage.C69, depends on Storage.C66] Ensure only authorized keys for Azure Storage encryption with the desired assignment and rotation policy are assigned (e.g., using Azure Policy in deny mode). | Create a blob with unauthorized keys for Azure Storage encryption, it should be denied. | Very Low | Storage.FC1 | Storage.T14 (Medium) | Medium |
| Detective (COSO) / Detect (NIST CSF) | [Storage.C70] Monitor the creation/update and usage of keys for Azure Storage encryption with the desired assignment and rotation policy assignment (e.g., using monitoring logs on the authentication type in AccountKey). | Configure a storage account with an unauthorized encryption setting, it should be detected. | Low | Storage.FC1 | Storage.T14 (Medium) | Medium |
| Directive (COSO) / Identify (NIST CSF) | [Storage.C134] Maintain a list of blobs created before October 20, 2017 (ideally none). | Request 1) the list of blobs created before October 20, 2017, 2) its records of execution for rewriting, and 3) the plan for rewriting. | Low | Storage.FC1, Storage.FC2 | Storage.T46 (Very Low), Storage.T49 (Very Low) | Low |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C135] Rewrite every blob created before October 20, 2017. You can force encryption to occur immediately by downloading and re-uploading the blob. | Check the creation date. | High | Storage.FC1, Storage.FC2 | Storage.T46 (Medium), Storage.T49 (Very High) | High |

Apply cloud adoption, strategy, and governance [Storage.CO13]

| Type | Control | Testing | Effort | Feature Class(es) | Threat(s) and Impact | CVSS-weighted Priority |
|---|---|---|---|---|---|---|
| Directive (COSO) / Identify (NIST CSF) | [Storage.C81] Maintain a list of authorized Azure Storage regions. | Request the list of authorized Azure Storage regions, its review process, and its review records. | Low | Storage.FC1, Storage.FC2, Storage.FC9 | Storage.T13 (Very Low), Storage.T14 (Very Low), Storage.T49 (Very Low) | High |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C82, depends on Storage.C81, assured by Storage.C84] Ensure the authorized Azure Storage region is set for authorized Storage Accounts. | Request 1) the mechanism ensuring only authorized Azure Storage regions for Storage Accounts are in use, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts | High | Storage.FC1, Storage.FC2, Storage.FC9 | Storage.T13 (Very Low), Storage.T14 (Very Low), Storage.T49 (Very Low) | Low |
| Preventative (COSO) / Protect (NIST CSF) | [Storage.C83, depends on Storage.C81] Ensure only the authorized Azure Storage region is set for authorized Storage Accounts (e.g., using Azure Policy in deny mode). | Create a storage account with an unauthorized Azure Storage region, it should be denied. | Very Low | Storage.FC1, Storage.FC2, Storage.FC9 | Storage.T13 (Medium), Storage.T14 (Very Low), Storage.T49 (Very Low) | Medium |
| Assurance (COSO) / Detect (NIST CSF) | [Storage.C84] Verify only the authorized Azure Storage region is set for authorized Storage Accounts (e.g., using Azure Policy in audit mode). | Create a storage account with an unauthorized Azure Storage region, it should be detected. | High | Storage.FC1, Storage.FC2, Storage.FC9 | - | Low |

Govern Cross-Origin resource sharing [Storage.CO14]

| Type | Control | Testing | Effort | Feature Class(es) | Threat(s) and Impact | CVSS-weighted Priority |
|---|---|---|---|---|---|---|
| Directive (COSO) / Identify (NIST CSF) | [Storage.C100] Maintain a list of authorized CORS trusted origins per endpoint and corresponding settings. | Request the list of authorized Storage Accounts with CORS trusted origins and corresponding settings, its review process, and its review records. | Low | Storage.FC1 | Storage.T26 (Very Low) | Very Low |
| Directive (COSO) / Protect (NIST CSF) | [Storage.C101, depends on Storage.C100, assured by Storage.C103] Ensure only authorized Storage Accounts have CORS trusted origins and corresponding settings configured. | Request 1) the mechanism ensuring only authorized Storage Accounts have CORS trusted origins and corresponding settings configured, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts | High | Storage.FC1 | Storage.T26 (Low) | Very Low |
| Preventative (COSO) / Protect (NIST CSF) | [Storage.C102, depends on Storage.C100] Prevent unauthorized Storage Accounts from using CORS trusted origins and corresponding settings (e.g., using Azure Policy in deny mode). | Create a storage account with untrusted CORS settings, it should be denied. | High | Storage.FC1 | Storage.T26 (Very Low) | Very Low |
| Assurance (COSO) / Detect (NIST CSF) | [Storage.C103] Verify only authorized CORS trusted origins and corresponding settings are configured (e.g., using Azure Policy in audit mode). | Create a storage account with untrusted CORS settings, it should be detected. | High | Storage.FC1 | - | Very Low |

Scan input/output objects for malware [Storage.CO15]

| Type | Control | Testing | Effort | Feature Class(es) | Threat(s) and Impact | CVSS-weighted Priority |
|---|---|---|---|---|---|---|
| Preventative (COSO) / Detect (NIST CSF) | [Storage.C119] If the storage account is used as an input or the output of a process, scan the objects for malware (e.g., using VirusScan) | Inject a malware test file, it should be denied. | High | Storage.FC2 | Storage.T12 (Very High) | Medium |
Manage Azure Storage local users [Storage.CO16]
[Storage.C121]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Integrate the access to SSH in the IAM Operating Model, including monitoring of creating local SSH users.
Testing: Request the IAM Operating Model for SSH access.
Effort: Low
Feature Class(es): Storage.FC11
Threat(s) and CVSS-weighted Impact: Storage.T44 (Very Low)
Priority: Low

[Storage.C122]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Use SSH private key credentials for authentication as the preferred authentication method.
Testing: Check the usage of local passwords in SFTP-enabled accounts.
Effort: Medium
Feature Class(es): Storage.FC11
Threat(s) and CVSS-weighted Impact: Storage.T44 (Very Low)
Priority: Low

Monitor Storage Accounts with Azure Defender for Storage and Microsoft Purview [Storage.CO17]

[Storage.C109, assured by Storage.C111]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Ensure Storage Accounts have Azure Defender for storage account enabled.
Testing: Request 1) the mechanism ensuring Storage Accounts have Azure Defender for storage account enabled, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts.
Effort: High
Feature Class(es): Storage.FC2, Storage.FC3, Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T3 (Very Low), Storage.T5 (Very Low), Storage.T20 (Very Low), Storage.T37 (Very Low), Storage.T55 (Very Low)
Priority: Low
[Storage.C110]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Prevent the creation of Storage Accounts without Azure Defender for storage account option (e.g., by using an Azure Policy "Microsoft.storage/storageaccounts/deleteRetentionPolicy" in deny mode).
Testing: Create a storage account without Azure Defender for storage account, it should be denied.
Effort: High
Feature Class(es): Storage.FC2, Storage.FC3, Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T3 (Very Low), Storage.T5 (Low), Storage.T20 (Medium), Storage.T37 (Very Low), Storage.T55 (Very Low)
Priority: Low

[Storage.C111]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify all Storage Accounts have Azure Defender for storage account enabled.
Testing: Create a storage account without Azure Defender for storage, it should be detected.
Effort: Low
Feature Class(es): Storage.FC2, Storage.FC3, Storage.FC7
Threat(s) and CVSS-weighted Impact: -
Priority: Low

[Storage.C112]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Periodically scan files with third-party virus scanners that don't only rely on hashes.
Testing: Request 1) the mechanism ensuring Storage Accounts have been scanned by a third-party tool and 2) its records of execution for all Storage Accounts.
Effort: Medium
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T20 (Medium), Storage.T35 (Medium), Storage.T36 (Medium)
Priority: Medium

[Storage.C113, assured by Storage.C115]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Ensure Storage Accounts have Azure Defender enabled.
Testing: Request 1) the mechanism ensuring Storage Accounts have Azure Defender for storage account enabled, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts.
Effort: Medium
Feature Class(es): Storage.FC2, Storage.FC3, Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T3 (Very Low), Storage.T5 (Low), Storage.T20 (Medium), Storage.T37 (Low), Storage.T55 (Very Low)
Priority: Medium

[Storage.C114, depends on Storage.C109]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Prevent the creation of Storage Accounts without Azure Defender (e.g., by using an Azure Policy in deny mode).
Testing: Create a storage account without Azure Defender for storage account, it should be denied.
Effort: High
Feature Class(es): Storage.FC2, Storage.FC3, Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T3 (Very Low), Storage.T5 (Very Low), Storage.T20 (Very Low), Storage.T37 (Very Low), Storage.T55 (Very Low)
Priority: Low

[Storage.C115]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify Storage Accounts without Azure Defender for storage account enabled.
Testing: Create a storage account without Azure Defender for storage account, it should be detected.
Effort: Low
Feature Class(es): Storage.FC2, Storage.FC3, Storage.FC7
Threat(s) and CVSS-weighted Impact: -
Priority: Medium

Use StorageV2 accounts only [Storage.CO18]


[Storage.C128]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Azure classic Storage Accounts (Azure ASM resources) should not be in use. Azure Cloud Services (classic) will be retired on 31 August 2024. Classic Storage Accounts depend on Azure Cloud Services (classic). They will be retired on the same date. Before that date, you'll need to migrate them to Azure Resource Manager, which has new security features.
Testing: Request 1) the mechanism ensuring only authorized Storage Accounts have been deployed using ASM model, 2) its records of execution for all new Storage Accounts, and 3) the plan to move any older Storage Accounts.
Effort: Very Low
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T5 (Medium), Storage.T20 (Very Low), Storage.T21 (Very Low), Storage.T22 (Very Low), Storage.T35 (Very Low), Storage.T36 (Very Low), Storage.T40 (Very Low), Storage.T46 (Very High)
Priority: Very High

[Storage.C140]
Type: Detective (COSO) / Detect (NIST CSF)
Control: Monitor for creation of classic Azure Storage accounts (e.g., using activity log Microsoft.Storage/storageAccounts/write operation in operationName.value where properties.requestbody contains either "kind":"Storage" or "kind":"BlobStorage").
Testing: Create a BlobStorage and Storagev1 account type, it should be detected.
Effort: Medium
Feature Class(es): Storage.FC1
Threat(s) and CVSS-weighted Impact: Storage.T46 (Medium)
Priority: Medium

[Storage.C141, assured by Storage.C143]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Ensure Storage Accounts are created as StorageV2.
Testing: Request 1) the mechanism ensuring Storage Accounts have soft-delete for the blob enabled, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts.
Effort: High
Feature Class(es): Storage.FC1
Threat(s) and CVSS-weighted Impact: Storage.T46 (Very Low)
Priority: High

[Storage.C142, depends on Storage.C141]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Prevent the creation of Storage Accounts that are not StorageV2 (e.g., by using an Azure Policy in deny mode).
Testing: Create a storage account type of BlobStorage or Storagev1, it should be denied.
Effort: High
Feature Class(es): Storage.FC1
Threat(s) and CVSS-weighted Impact: Storage.T46 (Very High)
Priority: High

[Storage.C143]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify all Storage Accounts are of account kind StorageV2.
Testing: Create a storage account type of BlobStorage or Storagev1, it should be detected.
Effort: Low
Feature Class(es): Storage.FC1
Threat(s) and CVSS-weighted Impact: -
Priority: High

Restrict the use of Shared Key authorization [Storage.CO19]


[Storage.C86, assured by Storage.C87]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Block the usage of the storage account access key whenever possible.
Testing: Try to connect using storage account access keys. Expected error "key based authentication is not permitted on this storage account", it should be denied.
Effort: Medium
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC5, Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T1 (Very High), Storage.T2 (Very High), Storage.T3 (Very High), Storage.T9 (Very Low), Storage.T12 (Very High), Storage.T16 (Very Low), Storage.T17 (Low), Storage.T27 (Low), Storage.T28 (Low), Storage.T47 (Very High), Storage.T55 (Very High)
Priority: Very High

[Storage.C136, depends on Storage.C137]
Type: Detective (COSO) / Detect (NIST CSF)
Control: Monitor for unauthorized storage account access key rotations (e.g., using activity log Microsoft.Storage/storageAccounts/regenerateKey/action operation in operationName.value).
Testing: Rotate a storage account access key, it should be detected.
Effort: Medium
Feature Class(es): Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T2 (Medium)
Priority: Medium

[Storage.C137]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized storage account access key rotations.
Testing: Request the list of authorized storage account access key rotations, its review process, and its review records.
Effort: Low
Feature Class(es): Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T2 (Very Low)
Priority: Medium
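The two activity-log detections above, Storage.C140 (creation of non-StorageV2 accounts, from [Storage.CO18]) and Storage.C136 (key rotations not on the Storage.C137 list), as one added Python example that is not part of the TrustOnCloud threat model. The log records, account names and the authorized-rotation list are constructed samples shaped like Azure activity log entries.

```python
"""Detection logic for Storage.C140 and Storage.C136 over Azure activity log
records. Added example, not TrustOnCloud's own code; the records and the
authorized-rotation list below are constructed samples."""
import json

# Operation names the two controls name in operationName.value (compared lower-case)
WRITE_OP = "microsoft.storage/storageaccounts/write"
REGEN_KEY_OP = "microsoft.storage/storageaccounts/regeneratekey/action"
# Account kinds that Storage.C140 flags: anything that is not StorageV2
CLASSIC_KINDS = {"Storage", "BlobStorage"}

# Constructed subscription / resource group path (all-zero GUID is a placeholder)
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
ACCOUNT = SUB + "/providers/Microsoft.Storage/storageAccounts/"

# Constructed sample records. Azure delivers properties.requestbody as a JSON
# string, so most samples use that form; one uses an already-decoded dict.
SAMPLE_RECORDS = [
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/write"},
     "resourceId": ACCOUNT + "stclassic01", "caller": "alice@example.com",
     "properties": {"requestbody": json.dumps({"kind": "Storage", "location": "westeurope"})}},
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/write"},
     "resourceId": ACCOUNT + "stmodern01", "caller": "alice@example.com",
     "properties": {"requestbody": json.dumps({"kind": "StorageV2", "location": "westeurope"})}},
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/write"},
     "resourceId": ACCOUNT + "stblob01", "caller": "bob@example.com",
     "properties": {"requestbody": {"kind": "BlobStorage"}}},
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/regenerateKey/action"},
     "resourceId": ACCOUNT + "stmodern01", "caller": "alice@example.com",
     "properties": {"requestbody": json.dumps({"keyName": "key1"})}},
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/regenerateKey/action"},
     "resourceId": ACCOUNT + "stmodern01", "caller": "bob@example.com",
     "properties": {"requestbody": json.dumps({"keyName": "key2"})}},
]

# Constructed stand-in for the Storage.C137 list: (resourceId, caller) pairs
# that are authorized to rotate the account's access keys.
AUTHORIZED_ROTATIONS = {(ACCOUNT + "stmodern01", "alice@example.com")}


def request_kind(record):
    """Return the account 'kind' found in properties.requestbody, or None."""
    body = record.get("properties", {}).get("requestbody")
    if isinstance(body, str):
        try:
            body = json.loads(body)
        except ValueError:
            # Malformed body: fall back to the substring match C140 describes
            compact = body.replace(" ", "")
            return next((k for k in CLASSIC_KINDS if f'"kind":"{k}"' in compact), None)
    if isinstance(body, dict):
        return body.get("kind")
    return None


def detect(records, authorized_rotations):
    """Return (control, resourceId, detail) findings for C140 and C136."""
    findings = []
    for rec in records:
        op = rec.get("operationName", {}).get("value", "").lower()
        rid = rec.get("resourceId", "")
        if op == WRITE_OP:
            kind = request_kind(rec)
            if kind in CLASSIC_KINDS:
                findings.append(("Storage.C140", rid, f"account kind {kind} is not StorageV2"))
        elif op == REGEN_KEY_OP:
            caller = rec.get("caller")
            if (rid, caller) not in authorized_rotations:
                findings.append(("Storage.C136", rid,
                                 f"key rotation by {caller} is not on the authorized list"))
    return findings


if __name__ == "__main__":
    for control, rid, detail in detect(SAMPLE_RECORDS, AUTHORIZED_ROTATIONS):
        print(control, rid.rsplit("/", 1)[-1], detail)
```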

Enforce good coding practice [Storage.CO20]


[Storage.C127]
Type: Directive (COSO) / Protect (NIST CSF)
Control: The latest (or latest -1 with no security vulnerabilities) non-preview version of storage software libraries must be used for Storage Accounts. Running on older versions could mean you are not using the latest security classes. Usage of such old classes and types can make your application vulnerable.
Testing: Check the software libraries that are in use for Storage Accounts.
Effort: Very High
Feature Class(es): Storage.FC1, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T21 (Low), Storage.T45 (Medium)
Priority: Low

Restrict the use of Azure Blob Storage SFTP [Storage.CO21]


[Storage.C120]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized Azure Storage SFTP options with authentication methods and permission models.
Testing: Request the list of authorized Azure Storage SFTP options with encryption settings, authentication methods, and permission model, its review process, and its review records.
Effort: Low
Feature Class(es): Storage.FC11
Threat(s) and CVSS-weighted Impact: Storage.T44 (Very Low)
Priority: Medium

[Storage.C123, depends on Storage.C120, assured by Storage.C125]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Ensure authorized Azure Storage SFTP options with authentication methods and permission models are set for authorized Storage Accounts.
Testing: Request 1) the mechanism ensuring only Azure Storage SFTP options with encryption settings, authentication methods, and permission model for Storage Accounts are in use, 2) its records of execution for all new Storage Accounts, and 3) the plan to move any older Storage Accounts.
Effort: High
Feature Class(es): Storage.FC11
Threat(s) and CVSS-weighted Impact: Storage.T44 (Very Low)
Priority: Low

[Storage.C124, depends on Storage.C120]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Ensure only authorized Azure Storage SFTP options with authentication methods and permission models are set for authorized Storage Accounts (e.g., using Azure Policy in deny mode).
Testing: Create a blob with unauthorized Azure Storage SFTP options, encryption settings, authentication methods, and permission model for Azure Storage, it should be denied.
Effort: Very Low
Feature Class(es): Storage.FC11
Threat(s) and CVSS-weighted Impact: Storage.T44 (Very Low)
Priority: Medium

[Storage.C125]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify only authorized Azure Storage SFTP options with authentication methods and permission models are set for authorized Storage Accounts (e.g., using Azure Policy on audit mode).
Testing: Configure a storage account with unauthorized SFTP options, encryption settings, authentication methods, and permission models, it should be detected.
Effort: High
Feature Class(es): Storage.FC11
Threat(s) and CVSS-weighted Impact: -
Priority: Low

[Storage.C126]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Do not mix the different services like Azure Files, SFTP, and NFS inside the same Azure Storage account.
Testing: Check the configuration of Storage Accounts.
Effort: Medium
Feature Class(es): Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T15 (Medium)
Priority: Medium

Govern the use of Shared Keys and SAS tokens [Storage.CO22]


[Storage.C26]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized IPs to use SAS tokens and their authorized time window.
Testing: Request the list of authorized IPs to use SAS tokens, its review process, and its review records.
Effort: Very Low
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC4, Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T3 (Very Low), Storage.T9 (Very Low), Storage.T12 (Very Low), Storage.T31 (Very Low), Storage.T32 (Very Low), Storage.T47 (Very Low)
Priority: High

[Storage.C27, depends on Storage.C26, assured by Storage.C28]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Ensure SAS tokens allow only authorized IPs, using the sourceIP field and enforcing HTTPS.
Testing: Request 1) the mechanism ensuring SAS tokens allow only authorized IPs, 2) its records of execution for all new SAS tokens, and 3) plan to move any older SAS tokens.
Effort: Very Low
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC4, Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T3 (Low), Storage.T9 (Very Low), Storage.T12 (Medium), Storage.T31 (Low), Storage.T32 (Low), Storage.T47 (Low)
Priority: Medium

[Storage.C28]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify SAS tokens only allow authorized IPs.
Testing: Deploy a SAS token with an unauthorized IP, it should be detected.
Effort: Medium
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC4, Storage.FC7
Threat(s) and CVSS-weighted Impact: -
Priority: Medium

[Storage.C85]
Type: Corrective (COSO) / Protect (NIST CSF)
Control: Integrate the access to blob, file shares, queues, tables, and DFS via SAS token (generated from account key and/or user delegation key) in the IAM Operating Model, ideally prioritizing AD as the preferred method.
Testing: Check if (Azure) Active Directory is used for assigning permissions.
Effort: Medium
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC5, Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T1 (Low), Storage.T2 (Low), Storage.T3 (Low), Storage.T16 (Very Low), Storage.T17 (Low), Storage.T18 (Low), Storage.T19 (Low), Storage.T27 (Low), Storage.T28 (Low), Storage.T47 (Low), Storage.T55 (Low)
Priority: Medium

[Storage.C93]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a revocation plan for any SAS or storage account access keys issued to clients based on requirements. If a SAS is compromised, you must revoke that SAS as soon as possible. To revoke a user delegation SAS, revoke the user delegation key to invalidate all signatures associated with that key. To revoke a service SAS that is associated with a stored access policy, you can delete the stored access policy, rename the policy, or change its expiry time to a time that is in the past (ref). To revoke a storage account access key, regenerate the key.
Testing: Request the authorized revocation plan for any SAS or storage account access keys, its review process, and its review records.
Effort: Low
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T1 (Very Low), Storage.T2 (Very Low), Storage.T3 (Very Low), Storage.T16 (Very Low), Storage.T47 (Very Low), Storage.T55 (Very Low)
Priority: Low

[Storage.C94, depends on Storage.C93, assured by Storage.C95]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Ensure the revocation plan is in place for any SAS or storage account access key.
Testing: Request 1) the mechanism ensuring the revocation plan in place for any SAS or storage account access keys is in use, 2) its records of testing for all new Storage Accounts, and 3) plan to move any older Storage Accounts.
Effort: High
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T1 (Very Low), Storage.T2 (Very Low), Storage.T3 (Very Low), Storage.T16 (Very Low), Storage.T47 (Very Low), Storage.T55 (Very Low)
Priority: Low

[Storage.C95]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify the revocation plan is in place for any SAS or storage account access key.
Testing: Check test executions. For any unsuccessful attempts, it should be detected.
Effort: High
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC7
Threat(s) and CVSS-weighted Impact: -
Priority: Low
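The checks behind Storage.C27 and Storage.C28 above (authorized source IPs, HTTPS only, and the Storage.C26 time window), as an added Python example that is not part of the TrustOnCloud threat model. The authorized ranges, window and tokens are constructed; the fields inspected are the standard SAS query parameters sip, spr and se (the page's "sourceIP field" is sip), and the signatures in the sample tokens are placeholders.

```python
"""Verify a SAS token's query string against an authorized-IP list and time
window (Storage.C26/C27/C28). Added example, not TrustOnCloud's own code;
the policy values and sample tokens are constructed."""
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Constructed stand-in for the Storage.C26 list: ranges allowed in the sip field
# and the longest lifetime a token may be issued for.
AUTHORIZED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
MAX_LIFETIME = timedelta(hours=8)

# Constructed tokens; sig values are placeholders, not real HMACs.
GOOD_SAS = ("?sv=2022-11-02&ss=b&srt=o&sp=r&st=2024-06-01T02:00:00Z"
            "&se=2024-06-01T10:00:00Z&sip=203.0.113.10-203.0.113.20&spr=https&sig=CONSTRUCTED")
BAD_SAS = ("sv=2022-11-02&ss=b&srt=o&sp=rw&se=2025-06-01T10:00:00Z"
           "&spr=https,http&sig=CONSTRUCTED")
# Fixed "current time" so the examples are reproducible
SAMPLE_NOW = datetime(2024, 6, 1, 3, 0, tzinfo=timezone.utc)


def parse_sas(token):
    """Split a SAS query string (with or without a leading '?') into a dict."""
    fields = parse_qs(token.lstrip("?"), keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def sip_ranges(sip):
    """sip holds one IP or a 'start-end' range; return it as network objects."""
    if "-" in sip:
        start, end = (ipaddress.ip_address(p) for p in sip.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(sip)]


def check_sas(token, now, authorized=AUTHORIZED_RANGES, max_lifetime=MAX_LIFETIME):
    """Return a list of violations; an empty list means the token is compliant."""
    f = parse_sas(token)
    problems = []
    sip = f.get("sip")
    if not sip:
        problems.append("sip missing: token is usable from any IP")
    else:
        for net in sip_ranges(sip):
            if not any(net.subnet_of(a) for a in authorized if a.version == net.version):
                problems.append(f"sip {net} outside authorized ranges")
    if f.get("spr") != "https":
        problems.append(f"spr={f.get('spr')!r}: HTTPS not enforced")
    se = f.get("se")
    if not se:
        problems.append("se missing: no expiry")
    else:
        expiry = datetime.fromisoformat(se.replace("Z", "+00:00"))
        if expiry <= now:
            problems.append("token already expired")
        elif expiry - now > max_lifetime:
            problems.append(f"expiry {se} exceeds the authorized window")
    return problems


if __name__ == "__main__":
    for name, token in (("GOOD_SAS", GOOD_SAS), ("BAD_SAS", BAD_SAS)):
        print(name, check_sas(token, SAMPLE_NOW) or "compliant")
```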

Appendixes
Appendix 1 - Prioritized list for control implementation
[Storage.C1]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Limit the access to the IAM actions required to perform attacks using Azure IAM, following the IAM Operating Model and using the Azure IAM ThreatModel.
Testing: Request the list of authorized IAM principals with the permissions required to launch attacks, its review process, and its review records.
Effort: Medium
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC4, Storage.FC6, Storage.FC7, Storage.FC8, Storage.FC9, Storage.FC10
Threat(s) and CVSS-weighted Impact: Storage.T1 (Medium), Storage.T2 (Medium), Storage.T4 (Medium), Storage.T5 (Medium), Storage.T6 (Medium), Storage.T7 (Medium), Storage.T8 (Medium), Storage.T9 (Medium), Storage.T12 (Medium), Storage.T23 (High), Storage.T24 (Medium), Storage.T25 (Medium), Storage.T31 (Low), Storage.T32 (Low), Storage.T33 (Medium), Storage.T34 (Medium), Storage.T37 (Medium), Storage.T38 (Medium), Storage.T39 (Medium), Storage.T40 (Medium), Storage.T41 (Medium), Storage.T42 (Medium), Storage.T43 (Very Low), Storage.T47 (Medium), Storage.T51 (Very Low), Storage.T53 (Medium), Storage.T54 (Medium), Storage.T57 (Low)
Priority: Very High

[Storage.C25]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Limit access to delete Storage Accounts, via Azure Policy and IAM. Do not ever delete a sensitive storage account (e.g., just delete all data) to ensure storage account FQDN cannot be used as a source of an attack.
Testing: Try to delete a storage account, it should be denied.
Effort: Medium
Feature Class(es): Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T5 (Very High)
Priority: Very High

[Storage.C29]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized Groups to use in permissions for Data Lake Storage Gen2.
Testing: Request the list of authorized Groups, its review process, and its review records.
Effort: Very Low
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T6 (Very Low), Storage.T7 (Very Low), Storage.T8 (Very Low), Storage.T9 (Very Low), Storage.T15 (Very Low), Storage.T34 (Very Low), Storage.T47 (Very Low)
Priority: Very High

[Storage.C34]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain an architecture of Data Lake Storage Gen2 ACL vs. IAM based on requirements. Microsoft recommends using Azure Active Directory (Azure AD) to authorize requests against blob and queue data, if possible, instead of Shared Key. Azure AD provides superior security and ease of use over Shared Key.
Testing: Check documentation.
Effort: Medium
Feature Class(es): Storage.FC2, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T6 (Very Low), Storage.T7 (Very Low), Storage.T9 (Very Low), Storage.T15 (Very Low), Storage.T33 (Very Low), Storage.T34 (Very Low)
Priority: Very High

[Storage.C35, depends on Storage.C34]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Integrate the access to directories and objects via ACL in the IAM Operating Model, not mixing IAM and ACL access method and TAG based.
Testing: Request the IAM Operating Model for the directories and objects.
Effort: Low
Feature Class(es): Storage.FC2, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T6 (Very Low), Storage.T7 (High), Storage.T9 (High), Storage.T15 (Very Low), Storage.T33 (Low)
Priority: Very High

[Storage.C87]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify only the authorized authorization method is set for authorized blob, file shares, queues, tables, and DFS (e.g., using Azure Policy on audit mode).
Testing: Configure a blob, file share, queue, table, or DFS with an unauthorized authorization method, it should be detected.
Effort: High
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC5, Storage.FC7
Threat(s) and CVSS-weighted Impact: -
Priority: Very High

[Storage.C116]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized storage and corresponding account locks (e.g., to prevent deletions).
Testing: Request the list of authorized Storage Accounts locks settings, its review process, and its review records.
Effort: Very Low
Feature Class(es): Storage.FC1, Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T4 (Very Low), Storage.T5 (Very Low)
Priority: Very High

[Storage.C117, depends on Storage.C116, assured by Storage.C118]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Lock storage account to prevent accidental or malicious deletion or configuration changes and ensure only authorized Storage Accounts have the lock disabled.
Testing: Request 1) the mechanism ensuring only authorized Storage Accounts have locks disabled, 2) its records of execution for all new Storage Accounts locks, and 3) plan to move any older Storage Accounts.
Effort: Very Low
Feature Class(es): Storage.FC1, Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T4 (High), Storage.T5 (High)
Priority: Very High

[Storage.C118]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify the creation/update of Storage Accounts lock and corresponding settings (e.g., using activity logs "localized Value": "Delete management locks").
Testing: Delete a storage account lock, it should be detected.
Effort: Very Low
Feature Class(es): Storage.FC1, Storage.FC2
Threat(s) and CVSS-weighted Impact: -
Priority: Very High

[Storage.C72]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized encryption in transit methods with the desired assignment to Storage Accounts. Ideally, minimum TLS 1.2.
Testing: Request the list of authorized encryption in transit methods, its review process, and its review records.
Effort: Very Low
Feature Class(es): Storage.FC1, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T11 (Very Low), Storage.T21 (Very Low)
Priority: Very High

[Storage.C73, depends on Storage.C72, assured by Storage.C76]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Ensure authorized encryption in transit methods with desired assignment is set for authorized Storage Accounts and clients performing checks against the certificate exposed by Storage Accounts.
Testing: Request 1) the mechanism ensuring only encryption in transit methods with the desired assignment is in use, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts.
Effort: Low
Feature Class(es): Storage.FC1, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T11 (High), Storage.T21 (Medium)
Priority: Very High

[Storage.C74, depends on Storage.C72]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Ensure Storage Accounts have authorized encryption in transit methods configured (e.g., using Azure Policy in deny mode).
Testing: Create a blob with unauthorized encryption in transit methods for Azure Storage, it should be denied.
Effort: Medium
Feature Class(es): Storage.FC1, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T11 (Very High), Storage.T21 (Medium)
Priority: Very High

[Storage.C76]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify only authorized encryption in transit methods with desired assignment is set for authorized Storage Accounts (e.g., using Azure Policy on audit mode).
Testing: Configure a storage account with unauthorized encryption in transit settings, it should be detected.
Effort: Low
Feature Class(es): Storage.FC1, Storage.FC3
Threat(s) and CVSS-weighted Impact: -
Priority: Very High

[Storage.C56]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Define a diagnostic settings design for Storage Accounts, including destination (tenant/subscription), categories (ideally all), and rotation. Resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace to use with Azure Monitor Logs, Azure Event Hubs to forward outside of Azure, or to Azure Storage for archiving.
Testing: Request the design of diagnostic settings for Storage Accounts, its review process, and their review records.
Effort: Low
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC7, Storage.FC8, Storage.FC9
Threat(s) and CVSS-weighted Impact: Storage.T3 (Very Low), Storage.T5 (Very Low), Storage.T7 (Very Low), Storage.T8 (Very Low), Storage.T9 (Very Low), Storage.T10 (Very Low), Storage.T13 (Very Low), Storage.T37 (Very Low), Storage.T41 (Very Low), Storage.T42 (Very Low), Storage.T43 (Very Low), Storage.T51 (Very Low), Storage.T53 (Very Low), Storage.T55 (Very Low)
Priority: Very High

[Storage.C128]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Azure classic Storage Accounts (Azure ASM resources) should not be in use. Azure Cloud Services (classic) will be retired on 31 August 2024. Classic Storage Accounts depend on Azure Cloud Services (classic). They will be retired on the same date. Before that date, you'll need to migrate them to Azure Resource Manager, which has new security features.
Testing: Request 1) the mechanism ensuring only authorized Storage Accounts have been deployed using ASM model, 2) its records of execution for all new Storage Accounts, and 3) the plan to move any older Storage Accounts.
Effort: Very Low
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T5 (Medium), Storage.T20 (Very Low), Storage.T21 (Very Low), Storage.T22 (Very Low), Storage.T35 (Very Low), Storage.T36 (Very Low), Storage.T40 (Very Low), Storage.T46 (Very High)
Priority: Very High

[Storage.C86, assured by Storage.C87]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Block the usage of the storage account access key whenever possible.
Testing: Try to connect using storage account access keys. Expected error "key based authentication is not permitted on this storage account", it should be denied.
Effort: Medium
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC5, Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T1 (Very High), Storage.T2 (Very High), Storage.T3 (Very High), Storage.T9 (Very Low), Storage.T12 (Very High), Storage.T16 (Very Low), Storage.T17 (Low), Storage.T27 (Low), Storage.T28 (Low), Storage.T47 (Very High), Storage.T55 (Very High)
Priority: Very High

[Storage.C30, depends on Storage.C29]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Ensure only authorized Groups are used in ACLs for Data Lake Storage Gen2.
Testing: Review ACLs against usage of individual users' service principal.
Effort: Low
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T7 (High), Storage.T9 (Very Low), Storage.T15 (Low), Storage.T34 (Very Low), Storage.T47 (Very Low)
Priority: High
[Storage.C36, depends on Storage.C35]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Integrate the access to directories and objects using Azure attribute-based access control (Azure ABAC) in the IAM Operating Model.
Testing: Request the IAM Operating Model for the directories and objects.
Effort: Low
Feature Class(es): Storage.FC2, Storage.FC3
Threat(s) and CVSS-weighted Impact: Storage.T6 (Very Low), Storage.T7 (High), Storage.T9 (High), Storage.T15 (Very Low), Storage.T33 (Low)
Priority: High

[Storage.C33, depends on Storage.C32]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Use immutable blobs with proper policy.
Testing: Ask for immutable policies. Check the usage of immutable blobs.
Effort: Medium
Feature Class(es): Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T8 (Very High), Storage.T9 (Very High), Storage.T12 (Medium)
Priority: High

[Storage.C145]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Preview control. Prevent the creation of Storage Accounts with allowedCopyScope not set to either AAD or PrivateLink (e.g., by using an Azure Policy in deny/append mode).
Testing: Create a storage account with allowedCopyScope not specified (defaults to null), it should be denied.
Effort: Low
Feature Class(es): Storage.FC1
Threat(s) and CVSS-weighted Impact: Storage.T57 (Very High)
Priority: High

[Storage.C5, depends on Storage.C1]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Integrate the access to files and directories via ACL in the IAM Operating Model.
Testing: Request the IAM Operating Model for access to files and directories via ACL.
Effort: Low
Feature Class(es): Storage.FC2, Storage.FC4
Threat(s) and CVSS-weighted Impact: Storage.T7 (High), Storage.T9 (Very Low), Storage.T31 (Low), Storage.T32 (Low), Storage.T33 (Very Low)
Priority: High

[Storage.C98, depends on Storage.C96]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Prevent unauthorized Storage Accounts from having the static website hosting option enabled (e.g., using Azure Policy on deny mode).
Testing: Create a storage account with a static website hosting option enabled, it should be denied.
Effort: Very Low
Feature Class(es): Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T22 (Medium)
Priority: High

[Storage.C61]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized blobs and containers with public access level set to anonymous; ideally, none.
Testing: Request the list of authorized blobs and containers with public access level set to anonymous, its review process, and its review records.
Effort: Low
Feature Class(es): Storage.FC1, Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T5 (Very Low), Storage.T37 (Very Low), Storage.T50 (Very Low)
Priority: High

[Storage.C63, depends on Storage.C61]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Ensure only authorized blobs and containers are anonymously accessed (e.g., using Azure Policy in deny mode).
Testing: Create a blob or a container anonymously accessible, it should be denied.
Effort: Very Low
Feature Class(es): Storage.FC1, Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T5 (Medium), Storage.T37 (Medium), Storage.T50 (Very Low)
Priority: High

[Storage.C43]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized VNETs for the blob, file shares, queues, tables, DFS, NFS, and SFTP access via a private endpoint.
Testing: Request the list of authorized IPs, its review process, and its review records.
Effort: Low
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T1 (Very Low), Storage.T3 (Very Low), Storage.T5 (Very Low), Storage.T9 (Very Low), Storage.T11 (Very Low), Storage.T12 (Very Low), Storage.T15 (Very Low), Storage.T29 (Very Low), Storage.T31 (Very Low), Storage.T32 (Very Low), Storage.T37 (Very Low), Storage.T43 (Very Low), Storage.T47 (Very Low), Storage.T50 (Very Low), Storage.T55 (Very Low)
Priority: High
[Storage.C44, depends on Storage.C43, assured by Storage.C46]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Ensure only authorized VNETs are configured for the blob, file shares, queues, tables, DFS, NFS, and SFTP.
Testing: Request 1) the mechanism ensuring PE is in place 2) its records of execution for all new DFS.
Effort: High
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T1 (Very High), Storage.T3 (Very High), Storage.T5 (Low), Storage.T9 (Very Low), Storage.T11 (Medium), Storage.T12 (Medium), Storage.T15 (Low), Storage.T29 (Low), Storage.T31 (Low), Storage.T32 (Low), Storage.T37 (Low), Storage.T43 (Very Low), Storage.T47 (Very High), Storage.T50 (Very Low), Storage.T55 (Very High)
Priority: High

[Storage.C45, depends on Storage.C43]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Prevent the use of unauthorized VNETs by the storage account (e.g., by using Azure Policy).
Testing: Configure an unauthorized VNET on a storage account, it should be denied.
Effort: High
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T1 (Very High), Storage.T3 (Very High), Storage.T5 (Low), Storage.T9 (Very Low), Storage.T11 (Medium), Storage.T12 (Medium), Storage.T15 (Medium), Storage.T29 (Medium), Storage.T31 (Low), Storage.T32 (Low), Storage.T37 (Low), Storage.T43 (Very Low), Storage.T47 (Very High), Storage.T50 (Low), Storage.T55 (Very High)
Priority: High

[Storage.C46]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify the unauthorized VNETs cannot access the storage account.
Testing: Configure an unauthorized VNET on a storage account, it should be detected.
Effort: Low
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC7
Threat(s) and CVSS-weighted Impact: -
Priority: High

[Storage.C48]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized IPs and/or resource instance rules authorized to access each storage account.
Testing: Request the list of authorized IP or resource instance rules, its review process, and its review records.
Effort: Medium
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T1 (Very Low), Storage.T3 (Very Low), Storage.T5 (Very Low), Storage.T9 (Very Low), Storage.T11 (Very Low), Storage.T12 (Very Low), Storage.T15 (Very Low), Storage.T29 (Very Low), Storage.T31 (Very Low), Storage.T32 (Very Low), Storage.T37 (Very Low), Storage.T43 (Very Low), Storage.T47 (Very Low), Storage.T50 (Very Low), Storage.T55 (Very Low)
Priority: High
[Storage.C49, depends on Storage.C48, assured by Storage.C51]
Type: Directive (COSO) / Protect (NIST CSF)
Control: Block requests from unauthorized IPs, including trusted services, logging, and metrics read access (ref).
Testing: Request 1) the mechanism ensuring firewall rules are in place 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts.
Effort: Medium
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC7
Threat(s) and CVSS-weighted Impact: Storage.T1 (High), Storage.T3 (High), Storage.T5 (High), Storage.T9 (Very Low), Storage.T11 (Medium), Storage.T12 (Medium), Storage.T15 (Medium), Storage.T29 (Medium), Storage.T31 (Low), Storage.T32 (Low), Storage.T37 (High), Storage.T43 (Very Low), Storage.T47 (High), Storage.T50 (Low), Storage.T55 (High)
Priority: High

[Storage.C51]
Type: Assurance (COSO) / Detect (NIST CSF)
Control: Verify access is possible only from the allowed list (e.g., by using Azure Policy).
Testing: Connect to storage from a not allowed IP, it should be detected.
Effort: Low
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC7
Threat(s) and CVSS-weighted Impact: -
Priority: High

[Storage.C96]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized Storage Accounts that have the static website hosting option enabled; ideally, none.
Testing: Request the list of authorized Storage Accounts with the static website hosting option enabled, its review process, and its review records.
Effort: Low
Feature Class(es): Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T22 (Very Low)
Priority: High

[Storage.C32]
Type: Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of directories and blobs that do not need modification after uploading to DFS/blob.
Testing: Request the list of directories and blobs for immutable blobs functionality.
Effort: Medium
Feature Class(es): Storage.FC2
Threat(s) and CVSS-weighted Impact: Storage.T7 (Very Low), Storage.T8 (Very Low), Storage.T9 (Very Low), Storage.T12 (Very Low)
Priority: High

[Storage.C58, depends on Storage.C56]
Type: Preventative (COSO) / Protect (NIST CSF)
Control: Ensure Storage Accounts have diagnostic settings configured according to the design.
Testing: Create a storage account with unauthorized diagnostic settings options, it should be denied.
Effort: Very Low
Feature Class(es): Storage.FC1, Storage.FC2, Storage.FC7, Storage.FC8, Storage.FC9
Threat(s) and CVSS-weighted Impact: Storage.T3 (Very Low), Storage.T5 (Very Low), Storage.T7 (Very Low), Storage.T8 (Very Low), Storage.T9 (Very Low), Storage.T10 (High), Storage.T13 (Very Low), Storage.T37 (Very Low), Storage.T41 (Very Low), Storage.T42 (Very Low), Storage.T43 (Very Low), Storage.T51 (Very Low), Storage.T53 (Very Low), Storage.T55 (Very Low)
Priority: High
[Storage.C135]

Directive (COSO) Rewrite every blob created before October 20, 2017. Storage.FC1 Storage.T46 (Medium)
You can force encryption to occur immediately by Check the creation date. High High
Protect (NIST CSF) Storage.FC2 Storage.T49 (Very High)
downloading and re-uploading the blob
Storage.FC1 Storage.T13 (Very Low)
Directive (COSO) [Storage.C81] Request the list of authorized Azure Storage regions, its
Maintain a list of authorized Azure Storage regions. Low Storage.FC2 Storage.T14 (Very Low) High
Identify (NIST CSF) review process, and its review records.
Storage.FC9 Storage.T49 (Very Low)
Request 1) the mechanism ensuring Storage Accounts
Directive (COSO) [Storage.C141, assured by Storage.C143] have soft-delete for the blob enabled, 2) its records of
Ensure Storage Accounts are created as StorageV2 High Storage.FC1 Storage.T46 (Very Low) High
Protect (NIST CSF) execution for all new Storage Accounts, and 3) plan to
move any older Storage Accounts
[Storage.C142, depends on Storage.C141]
Preventative (COSO) Prevent the creation of Storage Accounts that are not Create a storage account type of BlobStorage or
High Storage.FC1 Storage.T46 (Very High) High
Protect (NIST CSF) StorageV2 (e.g.,by using an Azure Policy in deny mode). Storagev1, it should be denied.
[Storage.C143]
Assurance (COSO) Verify all Storage Accounts are of account kind Create a storage account type of BlobStorage or
Low Storage.FC1 - High
Detect (NIST CSF) StorageV2 Storagev1, it should be detected.

Storage.T3 (Very Low)


Storage.FC1 Storage.T9 (Very Low)
[Storage.C26]
Directive (COSO) Maintain a list of authorized IPs to use SAS tokens and Request the list of authorized IPs to use SAS tokens, its Very Storage.FC2 Storage.T12 (Very Low)
High
Identify (NIST CSF) their authorized time window. review process, and its review records. Low Storage.FC4 Storage.T31 (Very Low)
Storage.FC7 Storage.T32 (Very Low)
Storage.T47 (Very Low)
Storage.T7 (High)
[Storage.C31, depends on Storage.C29] Storage.FC1 Storage.T9 (Very Low)
Directive (COSO) Use name convention for Groups adding Suffix R/RW Review Group-Name convention. Medium Storage.FC2 Storage.T15 (Low) Medium
Protect (NIST CSF) and Entity to be used. Storage.FC3 Storage.T34 (Very Low)
Storage.T47 (Very Low)
Storage.T1 (Very Low)
Storage.T2 (Very Low)
[Storage.C47] Storage.FC1
Directive (COSO) Use Managed Identity as the method for accessing Check if underlying services are not using SAS or other Storage.T3 (Very Low)
Medium Storage.FC2 Medium
Protect (NIST CSF) Azure Storage services. password methods to authenticate. Storage.T12 (High)
Storage.FC7
Storage.T47 (Medium)
Storage.T55 (Medium)
[Storage.C2]
Directive (COSO) Request the list of all Storage Accounts you control, High Storage.FC2 Storage.T5 (Very Low) Medium
Identify (NIST CSF) Define an ACL or IAM authentication for every storage define their authorized data classification, and identify Storage.FC3 Storage.T15 (Very Low)
account. Ideally, use Azure AD only and multiple whether the data is primary and the mechanism and Storage.T33 (Very Low)
Storage Accounts if fine-grained access is required.

ThreatModel for Azure Storage, by TrustOnCloud, under a Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). Page 110 / 135
Storage.T34 (Very Low)
records to ensure the accuracy of those metadata Storage.T37 (Very Low)
Storage.T54 (Very Low)
[Storage.C3, depends on Storage.C2]

Detective (COSO) Use a data discovery tool (e.g., Microsoft Purview) to Upload a higher classification data in a storage
control that no sensitive data is stored in an Medium Storage.FC2 Storage.T5 (Medium) Medium
Detect (NIST CSF) account, it should be detected.
unauthorized storage account
[Storage.C146]
Preview control . Monitor that Storage Accounts with
Detective (COSO) allowedCopyScope set to null / not specified are not Create a storage account with allowedCopyScope set to
created (e.g. using activity logs on "Create/Update Low Storage.FC1 Storage.T57 (Medium) Medium
Detect (NIST CSF) null, it should be detected
Storage Account" operation
in ."properties"."requestbody")
[Storage.C6] Request the list of authorized Storage Accounts with Storage.T5 (Very Low)
Directive (COSO) Maintain a list of authorized Storage Accounts with Storage.FC1
allowblobPublicAccess enabled, its review process, and Low Storage.T37 (Very Low) Medium
Identify (NIST CSF) allowblobPublicAccess enabled; ideally, none Storage.FC2
its review records. Storage.T50 (Very Low)
Request 1) the mechanism ensuring only authorized
[Storage.C7, depends on Storage.C6, assured by Storage.C9] Storage.T5 (Medium)
Directive (COSO) Ensure no Storage Accounts have Storage Accounts have allowblobPublicAccess enabled, Storage.FC1
High Storage.T37 (Medium) Medium
Protect (NIST CSF) allowblobPublicAccess enabled, except if authorized. 2) its records of execution for all new Storage Accounts, Storage.FC2
Storage.T50 (Very Low)
and 3) plan to move any older Storage Accounts
[Storage.C8, depends on Storage.C6]
Prevent the creation/update of Storage Accounts with Storage.T5 (Medium)
Preventative (COSO) allowblobPublicAccess enabled (e.g., using Azure Policy Create a storage account with allowblobPublicAccess, it Storage.FC1
High Storage.T37 (Medium) Medium
Protect (NIST CSF) on deny mode - "Storage account public access should should be denied. Storage.FC2
Storage.T50 (Very Low)
be disallowed").
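Many preventative and assurance pairs in this list are the same Azure Policy rule switched between the deny and audit effects: Storage.C8 and Storage.C9 for allowBlobPublicAccess, Storage.C142 and Storage.C143 for the account kind, Storage.C146 and Storage.C147 for allowedCopyScope. The Python below is an illustration of that pattern added for this page; it is not the Azure Policy engine (Resource Manager evaluates assigned policies against every request) and the policy rules, alias names and sample request bodies are assumptions. It evaluates three field conditions against a storage account PUT body and separates what would have been denied from what would only have been reported.

```python
# Illustrative evaluator mirroring the shape of Azure Policy "field" conditions.
# Written for this page; it is not the Azure Policy engine, and the alias names
# used in the rules are assumptions.
POLICIES = [
    {   # mirrors the built-in "Storage account public access should be disallowed" (Storage.C8/C9)
        "name": "deny-blob-public-access",
        "if": {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "notEquals": False},
        "effect": "deny",
    },
    {   # Storage.C142: only StorageV2 accounts may be created
        "name": "deny-legacy-kind",
        "if": {"field": "kind", "notEquals": "StorageV2"},
        "effect": "deny",
    },
    {   # Storage.C147: report, but do not block, accounts created without allowedCopyScope
        "name": "audit-copy-scope",
        "if": {"field": "Microsoft.Storage/storageAccounts/allowedCopyScope", "exists": False},
        "effect": "audit",
    },
]

# Constructed request bodies for PUT Microsoft.Storage/storageAccounts.
OK_REQUEST = {"kind": "StorageV2", "location": "westeurope",
              "properties": {"allowBlobPublicAccess": False, "allowedCopyScope": "AAD"}}
BAD_REQUEST = {"kind": "BlobStorage", "location": "westeurope",
               "properties": {"allowBlobPublicAccess": True}}


def _lookup(resource, field):
    """Top-level fields (kind, location) are read directly; an alias maps to properties.<name>."""
    if "/" not in field:
        return resource.get(field)
    return resource.get("properties", {}).get(field.rsplit("/", 1)[1])


def _matches(condition, resource):
    """Evaluate one equals / notEquals / exists condition against the request body."""
    value = _lookup(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    if "exists" in condition:
        return (value is not None) == condition["exists"]
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(resource, policies=POLICIES):
    """Return which policies would deny the request and which would only audit it."""
    outcome = {"denied": [], "audited": []}
    for policy in policies:
        if _matches(policy["if"], resource):
            outcome["denied" if policy["effect"] == "deny" else "audited"].append(policy["name"])
    return outcome


if __name__ == "__main__":
    print(evaluate(OK_REQUEST))
    print(evaluate(BAD_REQUEST))
```

Two things the toy makes visible: a request body that omits allowBlobPublicAccess fails the notEquals test here, which is the conservative reading to want from a deny rule, and an audit-only rule such as the allowedCopyScope one lets the resource through and leaves it to the assurance control (Storage.C147) to surface the gap later.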
[Storage.C9] Assurance (COSO) / Detect (NIST CSF)
Control: Verify no Storage Accounts have allowBlobPublicAccess enabled (e.g., using the Azure Policy "Storage account public access should be disallowed" in audit mode).
Testing procedure: Create a storage account with allowBlobPublicAccess enabled; it should be detected.
Cost: High. Feature classes: Storage.FC1, Storage.FC2. Priority: Medium.
Threats (risk level): -

[Storage.C55] Assurance (COSO) / Detect (NIST CSF)
Control: Verify Storage Accounts with cross-tenant replication, or replication to any Storage Account, enabled (e.g., using the Azure Policy "Storage Accounts should prevent cross tenant object replication", or the allowedCopyScope parameter, in audit mode).
Testing procedure: Create a storage account with the cross-tenant / any-storage-account replication option enabled; it should be detected.
Cost: Low. Feature classes: Storage.FC2, Storage.FC9. Priority: Medium.
Threats (risk level): -

[Storage.C97, depends on Storage.C96, assured by Storage.C99] Directive (COSO) / Protect (NIST CSF)
Control: Ensure only authorized Storage Accounts have the static website hosting option enabled.
Testing procedure: Request 1) the mechanism ensuring only authorized Storage Accounts have the static website hosting option enabled, 2) its records of execution for all new Storage Accounts, and 3) the plan to migrate any older Storage Accounts.
Cost: High. Feature classes: Storage.FC2. Priority: Medium.
Threats (risk level): Storage.T22 (Medium).

[Storage.C99] Assurance (COSO) / Detect (NIST CSF)
Control: Verify only authorized Storage Accounts have the static website hosting option enabled (e.g., using Azure Policy in audit mode).
Testing procedure: Create a storage account with the static website hosting option enabled; it should be detected.
Cost: High. Feature classes: Storage.FC2. Priority: Medium.
Threats (risk level): -

[Storage.C14] Directive (COSO) / Recover (NIST CSF)
Control: Back up primary data in a location that has a different security authority (ref 1, ref 2).
Testing procedure: Request the mechanism used to back up primary data in a location with a different security authority, its records of execution, and the records of restoration testing.
Cost: High. Feature classes: Storage.FC2, Storage.FC3. Priority: Medium.
Threats (risk level): Storage.T7 (High), Storage.T17 (Low), Storage.T18 (Medium), Storage.T19 (Medium), Storage.T20 (Medium).

[Storage.C52] Directive (COSO) / Protect (NIST CSF)
Control: Ensure corporate backup policies are implemented for blobs, file shares, queues, tables, and DFS, including regular testing.
Testing procedure: Request the backup policies for DFS, their review process, and their review records.
Cost: Low. Feature classes: Storage.FC2. Priority: Medium.
Threats (risk level): Storage.T7 (Medium), Storage.T9 (Medium), Storage.T12 (Medium), Storage.T43 (Medium).

[Storage.C53] Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of objects with cross-tenant replication, or replication to Storage Accounts without a private endpoint (any storage account), enabled.
Testing procedure: Request the list of authorized objects used to allow cross-tenant replication / replication to any Storage Account, its review process, and its review records.
Cost: Low. Feature classes: Storage.FC2, Storage.FC9. Priority: Medium.
Threats (risk level): Storage.T5 (Very Low), Storage.T13 (Very Low), Storage.T42 (Very Low).

[Storage.C54, depends on Storage.C53, assured by Storage.C55] Directive (COSO) / Protect (NIST CSF)
Control: Ensure cross-tenant replication, or replication to any Storage Account, is allowed only for specific Storage Accounts.
Testing procedure: Request 1) the mechanism ensuring any replication allows only authorized Storage Accounts, and 2) its records of execution for all new blobs.
Cost: High. Feature classes: Storage.FC2, Storage.FC9. Priority: Medium.
Threats (risk level): Storage.T5 (High), Storage.T13 (High), Storage.T42 (High).

[Storage.C138, depends on Storage.C139] Detective (COSO) / Detect (NIST CSF)
Control: Monitor for unauthorized storage account deletions (e.g., using the activity log operation Microsoft.Storage/storageAccounts/delete in operationName.value).
Testing procedure: Delete a storage account; it should be detected.
Cost: Medium. Feature classes: Storage.FC1. Priority: Medium.
Threats (risk level): Storage.T4 (Medium).

[Storage.C139] Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized storage account deletions. The process for creating this list should ensure the storage account is not in use.
Testing procedure: Request the list of authorized storage account deletions, its review process, and its review records.
Cost: Low. Feature classes: Storage.FC1. Priority: Medium.
Threats (risk level): Storage.T4 (Very Low).

[Storage.C15] Directive (COSO) / Identify (NIST CSF)
Control: For each storage account (or type of data), define the minimum retention of containers and blobs after deletion (e.g., 7 days).
Testing procedure: For each storage account, request the minimum retention of containers and blobs after deletion, its review process, and its review records.
Cost: Low. Feature classes: Storage.FC2. Priority: Medium.
Threats (risk level): Storage.T7 (Very Low), Storage.T9 (Very Low), Storage.T12 (Very Low), Storage.T39 (Very Low).

[Storage.C17, depends on Storage.C15] Preventative (COSO) / Protect (NIST CSF)
Control: Prevent the creation of Storage Accounts without the blob soft-delete option (e.g., by using an Azure Policy in deny mode).
Testing procedure: Create a storage account without blob soft-delete; it should be denied.
Cost: High. Feature classes: Storage.FC2. Priority: Medium.
Threats (risk level): Storage.T9 (High).

[Storage.C20, depends on Storage.C15] Preventative (COSO) / Protect (NIST CSF)
Control: Prevent the creation of Storage Accounts without the container soft-delete option (e.g., by using an Azure Policy in deny mode).
Testing procedure: Create a storage account without container soft-delete; it should be denied.
Cost: High. Feature classes: Storage.FC2. Priority: Medium.
Threats (risk level): Storage.T9 (High), Storage.T39 (Very Low).

[Storage.C37, assured by Storage.C39] Directive (COSO) / Protect (NIST CSF)
Control: Ensure Storage Accounts have blob soft-delete enabled.
Testing procedure: Request 1) the mechanism ensuring Storage Accounts have blob soft-delete enabled, 2) its records of execution for all new Storage Accounts, and 3) the plan to migrate any older Storage Accounts.
Cost: High. Feature classes: Storage.FC2, Storage.FC6. Priority: Medium.
Threats (risk level): Storage.T7 (Very Low), Storage.T9 (Very Low), Storage.T12 (Very Low), Storage.T25 (Low), Storage.T39 (Very Low).

[Storage.C38] Preventative (COSO) / Protect (NIST CSF)
Control: Prevent the creation of Storage Accounts without the blob soft-delete option (e.g., by using an Azure Policy on "Microsoft.storage/storageaccounts/deleteRetentionPolicy" in deny mode).
Testing procedure: Create a storage account without blob soft-delete; it should be denied.
Cost: High. Feature classes: Storage.FC2, Storage.FC6. Priority: Medium.
Threats (risk level): Storage.T9 (High), Storage.T25 (Low), Storage.T39 (Very Low).

[Storage.C39] Assurance (COSO) / Detect (NIST CSF)
Control: Verify all Storage Accounts have blob soft-delete enabled.
Testing procedure: Create a storage account without the blob soft-delete option; it should be detected.
Cost: Low. Feature classes: Storage.FC2, Storage.FC6. Priority: Medium.
Threats (risk level): -

[Storage.C41, depends on Storage.C37] Preventative (COSO) / Protect (NIST CSF)
Control: Prevent the creation of Storage Accounts without the container soft-delete option (e.g., by using an Azure Policy in deny mode).
Testing procedure: Create a storage account without container soft-delete; it should be denied.
Cost: High. Feature classes: Storage.FC2, Storage.FC6. Priority: Medium.
Threats (risk level): Storage.T9 (High), Storage.T25 (Low), Storage.T39 (Low).

[Storage.C62, depends on Storage.C61, assured by Storage.C65] Directive (COSO) / Protect (NIST CSF)
Control: Ensure the anonymous access level is set only for authorized blobs/containers.
Testing procedure: Request 1) the mechanism ensuring only authorized blobs/containers are anonymously accessible, 2) its records of execution for all new Storage Accounts, and 3) the plan to migrate any older Storage Accounts.
Cost: High. Feature classes: Storage.FC1, Storage.FC2. Priority: Medium.
Threats (risk level): Storage.T5 (Medium), Storage.T37 (Medium), Storage.T50 (Very Low).

[Storage.C64] Detective (COSO) / Detect (NIST CSF)
Control: Monitor the creation/update of blobs and containers that are anonymously accessible (e.g., using Azure Automation).
Testing procedure: Create a blob or a container that is anonymously accessible; it should be detected.
Cost: Low. Feature classes: Storage.FC1, Storage.FC2. Priority: Medium.
Threats (risk level): Storage.T5 (Medium), Storage.T37 (Medium), Storage.T50 (Very Low).

[Storage.C65] Assurance (COSO) / Detect (NIST CSF)
Control: Verify only authorized blobs or containers are anonymously accessible (e.g., using Azure Policy in audit mode).
Testing procedure: Create 1) a blob or 2) a container that is anonymously accessible; it should be detected.
Cost: High. Feature classes: Storage.FC1, Storage.FC2. Priority: Medium.
Threats (risk level): -

[Storage.C89] Directive (COSO) / Identify (NIST CSF)
Control: For each file share, define the minimum retention after deletion (e.g., 7 days).
Testing procedure: For each file share, request the minimum retention after deletion, its review process, and its review records.
Cost: High. Feature classes: Storage.FC3. Priority: Medium.
Threats (risk level): Storage.T18 (Very Low), Storage.T19 (Very Low), Storage.T20 (Very Low).

[Storage.C90, depends on Storage.C89, assured by Storage.C92] Directive (COSO) / Protect (NIST CSF)
Control: Ensure file shares have soft-delete enabled for at least the defined minimum retention.
Testing procedure: Request 1) the mechanism ensuring file shares have soft-delete enabled for at least the defined minimum retention, 2) its records of execution for all new file shares, and 3) the plan to migrate any older file shares.
Cost: Low. Feature classes: Storage.FC3. Priority: Medium.
Threats (risk level): Storage.T18 (Medium), Storage.T19 (Very Low), Storage.T20 (Very Low).

[Storage.C92] Assurance (COSO) / Detect (NIST CSF)
Control: Verify all file shares have soft-delete enabled (e.g., by using an Azure Policy in audit mode).
Testing procedure: Create a file share without soft-delete; it should be detected.
Cost: Low. Feature classes: Storage.FC3. Priority: Medium.
Threats (risk level): -

[Storage.C75] Detective (COSO) / Detect (NIST CSF)
Control: Monitor the creation/update of Storage Accounts to confirm that the encryption-in-transit setting matches the authorized configuration (e.g., using activity logs on the properties.supportsHttpsTrafficOnly field).
Testing procedure: Configure a storage account with unauthorized encryption-in-transit settings; it should be detected.
Cost: Low. Feature classes: Storage.FC1, Storage.FC3. Priority: Medium.
Threats (risk level): Storage.T11 (Medium), Storage.T21 (Medium).

[Storage.C131] Preventative (COSO) / Protect (NIST CSF)
Control: Ensure only authorized Azure Files security protocol settings are set for authorized Storage Accounts (e.g., using Azure Policy in deny mode on the protocolSettings.smb fields versions, authenticationMethods, kerberosTicketEncryption, and channelEncryption).
Testing procedure: Configure a storage account with unauthorized Azure Files security protocol settings; it should be denied.
Cost: Very Low. Feature classes: Storage.FC3. Priority: Medium.
Threats (risk level): Storage.T21 (Very Low).

[Storage.C50, depends on Storage.C48] Preventative (COSO) / Protect (NIST CSF)
Control: Prevent access from unauthorized IPs by allowing only authorized IPs in the Azure Storage firewall.
Testing procedure: Access from an unauthorized IP; it should be denied.
Cost: Low. Feature classes: Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC7. Priority: Medium.
Threats (risk level): Storage.T1 (Very Low), Storage.T15 (Medium), Storage.T29 (Medium), Storage.T31 (Low), Storage.T32 (Low), Storage.T47 (Very Low), Storage.T50 (Low), Storage.T55 (Very Low).

[Storage.C57, depends on Storage.C56, assured by Storage.C60] Directive (COSO) / Protect (NIST CSF)
Control: Ensure diagnostic settings are configured according to the architecture design.
Testing procedure: Request 1) the mechanism ensuring only authorized diagnostic settings destinations are enabled, 2) its records of execution for all new Storage Accounts, and 3) the plan to migrate any older Storage Accounts.
Cost: Low. Feature classes: Storage.FC2, Storage.FC7, Storage.FC8, Storage.FC9. Priority: Medium.
Threats (risk level): Storage.T3 (Very Low), Storage.T5 (Very Low), Storage.T7 (Very Low), Storage.T8 (Very Low), Storage.T9 (Very Low), Storage.T10 (Medium), Storage.T13 (Very Low), Storage.T37 (Very Low), Storage.T41 (Very Low), Storage.T42 (Very Low), Storage.T43 (Very Low), Storage.T53 (Very Low), Storage.T55 (Very Low).

[Storage.C59] Detective (COSO) / Detect (NIST CSF)
Control: Monitor the creation/update of Storage Accounts' diagnostic settings against the design (e.g., using activity logs on the operation name "Create or update resource diagnostic setting").
Testing procedure: Configure a storage account with unauthorized diagnostic settings options; it should be detected.
Cost: Low. Feature classes: Storage.FC2, Storage.FC8. Priority: Medium.
Threats (risk level): Storage.T10 (Medium), Storage.T41 (Very Low), Storage.T53 (Very Low), Storage.T55 (Very Low).

[Storage.C60] Assurance (COSO) / Detect (NIST CSF)
Control: Verify Storage Accounts have diagnostic settings configured according to the design (e.g., using the Azure Policy "Configure diagnostic settings for Storage Accounts to Log Analytics workspace" in audit mode).
Testing procedure: Create a storage account with unauthorized diagnostic settings options; it should be detected.
Cost: High. Feature classes: Storage.FC2, Storage.FC7, Storage.FC8, Storage.FC9. Priority: Medium.
Threats (risk level): -

[Storage.C66] Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized keys for Azure Storage encryption, with their desired assignment and rotation policy.
Testing procedure: Request the list of authorized keys for Azure Storage encryption with their desired assignment and rotation policy, its review process, and its review records.
Cost: Low. Feature classes: Storage.FC1. Priority: Medium.
Threats (risk level): Storage.T14 (Very Low).

[Storage.C69, depends on Storage.C66] Preventative (COSO) / Protect (NIST CSF)
Control: Ensure only authorized keys for Azure Storage encryption, with the desired assignment and rotation policy, are assigned (e.g., using Azure Policy in deny mode).
Testing procedure: Create a blob with an unauthorized key for Azure Storage encryption; it should be denied.
Cost: Very Low. Feature classes: Storage.FC1. Priority: Medium.
Threats (risk level): Storage.T14 (Medium).

[Storage.C70] Detective (COSO) / Detect (NIST CSF)
Control: Monitor the creation/update and usage of keys for Azure Storage encryption against the desired assignment and rotation policy (e.g., using monitoring logs, including requests whose authentication type is AccountKey).
Testing procedure: Configure a storage account with an unauthorized encryption setting; it should be detected.
Cost: Low. Feature classes: Storage.FC1. Priority: Medium.
Threats (risk level): Storage.T14 (Medium).
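Storage.C47 (earlier in this list), Storage.C64 and Storage.C70 can all be observed from the AuthenticationType column of the StorageBlobLogs resource log that the diagnostic settings of Storage.C57 deliver to a Log Analytics workspace. The Python below is an example added for this page, not part of the TrustOnCloud model; the log rows and the two registers are constructed, the account names are hypothetical, and the set of AuthenticationType values used (OAuth, AccountKey, SAS, Anonymous) is an assumption drawn from the log schema. It counts requests per account and authentication path and reports account-key, SAS or anonymous access that the registers do not authorize.

```python
from collections import Counter, defaultdict

# Constructed StorageBlobLogs rows (as delivered by a diagnostic setting to
# Log Analytics); only the columns used below are included.
SAMPLE_ROWS = [
    {"AccountName": "stapp001", "OperationName": "GetBlob", "AuthenticationType": "OAuth",
     "CallerIpAddress": "10.1.2.3:51000", "StatusCode": 200, "UserAgentHeader": "azsdk-python-storage-blob"},
    {"AccountName": "stapp001", "OperationName": "PutBlob", "AuthenticationType": "AccountKey",
     "CallerIpAddress": "10.1.2.9:51001", "StatusCode": 201, "UserAgentHeader": "AzCopy/10.21"},
    {"AccountName": "stapp001", "OperationName": "GetBlob", "AuthenticationType": "SAS",
     "CallerIpAddress": "203.0.113.77:40000", "StatusCode": 200, "UserAgentHeader": "curl/8.4"},
    {"AccountName": "stpub002", "OperationName": "GetBlob", "AuthenticationType": "Anonymous",
     "CallerIpAddress": "198.51.100.8:40001", "StatusCode": 200, "UserAgentHeader": "Mozilla/5.0"},
]

# Constructed registers: accounts that must be reached only through Azure AD
# (Storage.C47) and accounts authorized for anonymous reads (Storage.C62).
AAD_ONLY_ACCOUNTS = {"stapp001"}
ANONYMOUS_ALLOWED = set()


def summarize(rows=SAMPLE_ROWS):
    """Count requests per account and per authentication type."""
    per_account = defaultdict(Counter)
    for row in rows:
        per_account[row["AccountName"]][row["AuthenticationType"]] += 1
    return {account: dict(counts) for account, counts in per_account.items()}


def access_findings(rows=SAMPLE_ROWS, aad_only=AAD_ONLY_ACCOUNTS, anon_ok=ANONYMOUS_ALLOWED):
    """Return (control, account, authentication type, request count) for unauthorized access paths."""
    out = []
    for account, counts in summarize(rows).items():
        for auth_type, n in sorted(counts.items()):
            # Shared-secret paths on an account that should be Azure AD only.
            if account in aad_only and auth_type in ("AccountKey", "SAS"):
                out.append(("Storage.C47", account, auth_type, n))
            # Successful anonymous reads outside the authorized set.
            if auth_type == "Anonymous" and account not in anon_ok:
                out.append(("Storage.C62", account, auth_type, n))
    return out


if __name__ == "__main__":
    for finding in access_findings():
        print(*finding)
```

The same grouping, run as a KQL summarize over AuthenticationType in the workspace, is the cheapest way to see whether the migration to managed identities that Storage.C47 asks for has actually removed key and SAS usage, and the CallerIpAddress and UserAgentHeader columns carried along here are what an investigator needs next when a finding fires.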
[Storage.C83, depends on Storage.C81] Preventative (COSO) / Protect (NIST CSF)
Control: Ensure only an authorized Azure Storage region is set for authorized Storage Accounts (e.g., using Azure Policy in deny mode).
Testing procedure: Create a storage account in an unauthorized Azure Storage region; it should be denied.
Cost: Very Low. Feature classes: Storage.FC1, Storage.FC2, Storage.FC9. Priority: Medium.
Threats (risk level): Storage.T13 (Medium), Storage.T14 (Very Low), Storage.T49 (Very Low).

[Storage.C119] Preventative (COSO) / Detect (NIST CSF)
Control: If the storage account is used as the input or the output of a process, scan the objects for malware (e.g., using VirusScan).
Testing procedure: Inject a malware test file; it should be denied.
Cost: High. Feature classes: Storage.FC2. Priority: Medium.
Threats (risk level): Storage.T12 (Very High).

[Storage.C112] Directive (COSO) / Protect (NIST CSF)
Control: Periodically scan files with third-party virus scanners that do not rely only on hashes.
Testing procedure: Request 1) the mechanism ensuring Storage Accounts have been scanned by a third-party tool and 2) its records of execution for all Storage Accounts.
Cost: Medium. Feature classes: Storage.FC1, Storage.FC2, Storage.FC3. Priority: Medium.
Threats (risk level): Storage.T20 (Medium), Storage.T35 (Medium), Storage.T36 (Medium).

[Storage.C113, assured by Storage.C115] Directive (COSO) / Protect (NIST CSF)
Control: Ensure Storage Accounts have Azure Defender enabled.
Testing procedure: Request 1) the mechanism ensuring Storage Accounts have Azure Defender for storage accounts enabled, 2) its records of execution for all new Storage Accounts, and 3) the plan to migrate any older Storage Accounts.
Cost: Medium. Feature classes: Storage.FC2, Storage.FC3, Storage.FC7. Priority: Medium.
Threats (risk level): Storage.T3 (Very Low), Storage.T5 (Low), Storage.T20 (Medium), Storage.T37 (Low), Storage.T55 (Very Low).

[Storage.C115] Assurance (COSO) / Detect (NIST CSF)
Control: Verify no Storage Accounts are without Azure Defender for storage accounts enabled.
Testing procedure: Create a storage account without Azure Defender for storage accounts; it should be detected.
Cost: Low. Feature classes: Storage.FC2, Storage.FC3, Storage.FC7. Priority: Medium.
Threats (risk level): -

[Storage.C140] Detective (COSO) / Detect (NIST CSF)
Control: Monitor for the creation of legacy Azure Storage account kinds (e.g., using the activity log operation Microsoft.Storage/storageAccounts/write in operationName.value where properties.requestbody contains either "kind":"Storage" or "kind":"BlobStorage").
Testing procedure: Create an account of kind BlobStorage and one of kind Storage (general-purpose v1); both should be detected.
Cost: Medium. Feature classes: Storage.FC1. Priority: Medium.
Threats (risk level): Storage.T46 (Medium).

[Storage.C136, depends on Storage.C137] Detective (COSO) / Detect (NIST CSF)
Control: Monitor for unauthorized storage account access key rotations (e.g., using the activity log operation Microsoft.Storage/storageAccounts/regenerateKey/action in operationName.value).
Testing procedure: Rotate a storage account access key; it should be detected.
Cost: Medium. Feature classes: Storage.FC7. Priority: Medium.
Threats (risk level): Storage.T2 (Medium).

[Storage.C137] Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized storage account access key rotations.
Testing procedure: Request the list of authorized storage account access key rotations, its review process, and its review records.
Cost: Low. Feature classes: Storage.FC7. Priority: Medium.
Threats (risk level): Storage.T2 (Very Low).
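Storage.C138, Storage.C140, Storage.C136 and Storage.C146 (earlier in this list) all key on operationName.value in Activity Log records, with Storage.C139 and Storage.C137 supplying the registers of authorized actions. The Python below is an example added for this page, not part of the TrustOnCloud model; the records, the registers and the account names are constructed. It acts only on Succeeded records (each operation also emits Started and possibly Failed records), treats a write body as a create payload only when it carries a kind (a PATCH update carries a partial body), and returns one alert per control violated.

```python
import json

# Constructed Activity Log records, shaped like `az monitor activity-log list`
# output and reduced to the fields the rules below read.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/"
SAMPLE_EVENTS = [
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/delete"},
     "status": {"value": "Succeeded"}, "caller": "alice@example.com",
     "resourceId": RG + "stprod001", "properties": {}},
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/regenerateKey/action"},
     "status": {"value": "Succeeded"}, "caller": "bob@example.com",
     "resourceId": RG + "stprod002", "properties": {}},
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/write"},
     "status": {"value": "Started"}, "caller": "carol@example.com",  # ignored: not the final record
     "resourceId": RG + "stlegacy003", "properties": {}},
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/write"},
     "status": {"value": "Succeeded"}, "caller": "carol@example.com",
     "resourceId": RG + "stlegacy003",
     "properties": {"requestbody": '{"kind":"BlobStorage","location":"westeurope","properties":{}}'}},
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/write"},
     "status": {"value": "Succeeded"}, "caller": "carol@example.com",
     "resourceId": RG + "stnew004",
     "properties": {"requestbody": '{"kind":"StorageV2","location":"westeurope","properties":{"allowedCopyScope":"AAD"}}'}},
]

# Constructed registers of approved actions (Storage.C139 and Storage.C137).
AUTHORIZED_DELETIONS = {"stold000"}
AUTHORIZED_KEY_ROTATIONS = {"stprod002"}

LEGACY_KINDS = {"Storage", "BlobStorage"}  # general-purpose v1 and blob-only accounts


def _account(resource_id):
    """Last segment of the resource ID is the storage account name."""
    return resource_id.rsplit("/", 1)[1]


def detect(events=SAMPLE_EVENTS, deletions=AUTHORIZED_DELETIONS, rotations=AUTHORIZED_KEY_ROTATIONS):
    """Return (control, account, caller) tuples for events that violate the registers."""
    alerts = []
    for event in events:
        # An operation emits several records (Started, Succeeded, Failed); alert once, on success.
        if event["status"]["value"] != "Succeeded":
            continue
        op = event["operationName"]["value"]
        account = _account(event["resourceId"])
        caller = event.get("caller", "")
        if op == "Microsoft.Storage/storageAccounts/delete" and account not in deletions:
            alerts.append(("Storage.C138", account, caller))
        elif op == "Microsoft.Storage/storageAccounts/regenerateKey/action" and account not in rotations:
            alerts.append(("Storage.C136", account, caller))
        elif op == "Microsoft.Storage/storageAccounts/write":
            body = json.loads(event["properties"].get("requestbody") or "{}")
            # "kind" is only present in a full create/replace payload; a PATCH
            # update carries a partial body and must not trigger create-time rules.
            if "kind" not in body:
                continue
            if body["kind"] in LEGACY_KINDS:
                alerts.append(("Storage.C140", account, caller))
            if body.get("properties", {}).get("allowedCopyScope") is None:
                alerts.append(("Storage.C146", account, caller))
    return alerts


if __name__ == "__main__":
    for alert in detect():
        print(*alert)
```

Matching on the exact operation string rather than a substring matters: listKeys/action, which reads the keys, and regenerateKey/action, which invalidates every SAS signed with the old key, are different events and warrant different responses.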
[Storage.C120] Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized Azure Storage SFTP options, with authentication methods and permission models.
Testing procedure: Request the list of authorized Azure Storage SFTP options with encryption settings, authentication methods, and permission model, its review process, and its review records.
Cost: Low. Feature classes: Storage.FC11. Priority: Medium.
Threats (risk level): Storage.T44 (Very Low).

[Storage.C124, depends on Storage.C120] Preventative (COSO) / Protect (NIST CSF)
Control: Ensure only authorized Azure Storage SFTP options, with authentication methods and permission models, are set for authorized Storage Accounts (e.g., using Azure Policy in deny mode).
Testing procedure: Configure a storage account with unauthorized Azure Storage SFTP options, encryption settings, authentication methods, or permission model; it should be denied.
Cost: Very Low. Feature classes: Storage.FC11. Priority: Medium.
Threats (risk level): Storage.T44 (Very Low).

[Storage.C126] Directive (COSO) / Protect (NIST CSF)
Control: Do not mix different services such as Azure Files, SFTP, and NFS inside the same Azure Storage account.
Testing procedure: Check the configuration of Storage Accounts.
Cost: Medium. Feature classes: Storage.FC3. Priority: Medium.
Threats (risk level): Storage.T15 (Medium).

[Storage.C27, depends on Storage.C26, assured by Storage.C28] Directive (COSO) / Protect (NIST CSF)
Control: Ensure SAS tokens allow only authorized IPs, using the signed IP (sip) field, and enforce HTTPS (signed protocol spr=https).
Testing procedure: Request 1) the mechanism ensuring SAS tokens allow only authorized IPs, 2) its records of execution for all new SAS tokens, and 3) the plan to replace any older SAS tokens.
Cost: Very Low. Feature classes: Storage.FC1, Storage.FC2, Storage.FC4, Storage.FC7. Priority: Medium.
Threats (risk level): Storage.T3 (Low), Storage.T9 (Very Low), Storage.T12 (Medium), Storage.T31 (Low), Storage.T32 (Low), Storage.T47 (Low).

[Storage.C28] Assurance (COSO) / Detect (NIST CSF)
Control: Verify SAS tokens only allow authorized IPs.
Testing procedure: Deploy a SAS token with an unauthorized IP; it should be detected.
Cost: Medium. Feature classes: Storage.FC1, Storage.FC2, Storage.FC4, Storage.FC7. Priority: Medium.
Threats (risk level): -
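A SAS token carries its own restrictions in its query string: sip (signed IP, a single address or an inclusive start-end range), spr (signed protocol) and st/se (the validity window). The Python below is an example added for this page, not part of the TrustOnCloud model, that checks an issued token against the register kept under Storage.C26, as Storage.C27 and Storage.C28 require; the authorized range, the maximum lifetime and both sample tokens are constructed, and their sig values are placeholders, not valid signatures.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Constructed register standing in for Storage.C26: authorized client ranges
# and the longest validity window a token may carry.
AUTHORIZED_SIP = ["203.0.113.0/24"]
MAX_LIFETIME = timedelta(hours=24)

# Constructed sample tokens; the sig values are placeholders, not real HMACs.
GOOD_SAS = ("sv=2022-11-02&ss=b&srt=sco&sp=rl&st=2024-01-01T00:00:00Z"
            "&se=2024-01-01T08:00:00Z&sip=203.0.113.10-203.0.113.20&spr=https&sig=AAAA")
BAD_SAS = ("sv=2022-11-02&ss=b&srt=sco&sp=rwdl&st=2024-01-01T00:00:00Z"
           "&se=2024-03-01T00:00:00Z&spr=https,http&sig=BBBB")


def _parse_time(value):
    """SAS times are ISO 8601 in UTC, e.g. 2024-01-01T08:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _sip_authorized(sip, allowed):
    """sip is one address or an inclusive 'start-end' range; both ends must sit in one authorized CIDR."""
    start, _, end = sip.partition("-")
    low = ipaddress.ip_address(start)
    high = ipaddress.ip_address(end) if end else low
    return any(low in net and high in net for net in map(ipaddress.ip_network, allowed))


def check_sas(token, allowed=AUTHORIZED_SIP, max_lifetime=MAX_LIFETIME):
    """Return the findings for one token; an empty list means it satisfies Storage.C27."""
    params = {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}
    findings = []
    if "sip" not in params:
        findings.append("no sip: the token is usable from any source address")
    elif not _sip_authorized(params["sip"], allowed):
        findings.append(f"sip {params['sip']} is outside the authorized ranges")
    if params.get("spr") != "https":
        findings.append(f"spr={params.get('spr')!r}: HTTPS is not enforced")
    if "se" not in params:
        findings.append("no se: the token has no expiry")
    elif "st" in params:
        lifetime = _parse_time(params["se"]) - _parse_time(params["st"])
        if lifetime > max_lifetime:
            findings.append(f"lifetime {lifetime} exceeds the authorized {max_lifetime}")
    return findings


if __name__ == "__main__":
    print("good:", check_sas(GOOD_SAS))
    print("bad: ", check_sas(BAD_SAS))
```

Two caveats a reviewer should keep in mind: the sip restriction is enforced by the service against the client address it sees, so it complements rather than replaces the account firewall of Storage.C49, and a token signed with an account key stays valid until it expires or that key is regenerated (the event Storage.C136 watches), which is why the time window in the Storage.C26 register should be short.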
[Storage.C85] Corrective (COSO) / Protect (NIST CSF)
Control: Integrate access to blobs, file shares, queues, tables, and DFS via SAS tokens (generated from an account key and/or a user delegation key) into the IAM operating model, ideally prioritizing Azure AD as the preferred method.
Testing procedure: Check whether (Azure) Active Directory is used for assigning permissions.
Cost: Medium. Feature classes: Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC4, Storage.FC5, Storage.FC7. Priority: Medium.
Threats (risk level): Storage.T1 (Low), Storage.T2 (Low), Storage.T3 (Low), Storage.T16 (Very Low), Storage.T17 (Low), Storage.T18 (Low), Storage.T19 (Low), Storage.T27 (Low), Storage.T28 (Low), Storage.T47 (Low), Storage.T55 (Low).

[Storage.C4] Detective (COSO) / Detect (NIST CSF)
Control: Use a data discovery tool (e.g., Microsoft Purview) to ensure that storage account names, object names, and tags do not contain sensitive data.
Testing procedure: Create 1) a storage account name, 2) object names, or 3) tags containing sensitive data; it should be detected.
Cost: Very High. Feature classes: Storage.FC2. Priority: Low.
Threats (risk level): Storage.T5 (Medium).

[Storage.C144, assured by Storage.C147] Directive (COSO) / Protect (NIST CSF)
Control: Preview control. Ensure Storage Accounts have allowedCopyScope set to either AAD or PrivateLink.
Testing procedure: Request 1) the mechanism ensuring only authorized Storage Accounts are configured, 2) its records of execution for all new Storage Accounts, and 3) the plan to update unauthorized Storage Accounts.
Cost: High. Feature classes: Storage.FC1. Priority: Low.
Threats (risk level): Storage.T57 (Medium).

[Storage.C147] Assurance (COSO) / Detect (NIST CSF)
Control: Preview control. Verify that no Storage Accounts with allowedCopyScope set to null are configured (e.g., by using an Azure Policy in audit mode).
Testing procedure: Create a storage account with allowedCopyScope set to null; it should be detected.
Cost: Medium. Feature classes: Storage.FC1. Priority: Low.
Threats (risk level): -

[Storage.C10, assured by Storage.C11] Directive (COSO) / Protect (NIST CSF)
Control: Enable versioning on blobs holding primary data.
Testing procedure: Request the mechanism used to ensure versioning on blobs holding primary data, and its records.
Cost: Medium. Feature classes: Storage.FC2. Priority: Low.
Threats (risk level): Storage.T7 (Low), Storage.T40 (Low).

[Storage.C11] Assurance (COSO) / Detect (NIST CSF)
Control: Verify blobs holding primary data are versioned.
Testing procedure: Remove versioning from a blob holding primary data; it should be detected.
Cost: High. Feature classes: Storage.FC2. Priority: Low.
Threats (risk level): -

[Storage.C12, assured by Storage.C13] Directive (COSO) / Protect (NIST CSF)
Control: Enable snapshots for Azure Files holding primary data.
Testing procedure: Request the mechanism used to ensure snapshots for Azure Files holding primary data, and its records.
Cost: Medium. Feature classes: Storage.FC2. Priority: Low.
Threats (risk level): Storage.T7 (Low), Storage.T40 (Low).

[Storage.C13] Assurance (COSO) / Detect (NIST CSF)
Control: Verify Azure Files have snapshots configured as an alternative to versioning.
Testing procedure: Remove snapshots from an Azure Files share holding primary data; it should be detected.
Cost: High. Feature classes: Storage.FC2. Priority: Low.
Threats (risk level): -

[Storage.C77] Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized Azure Storage redundancy options.
Testing procedure: Request the list of authorized Azure Storage redundancy options, its review process, and its review records.
Cost: Low. Feature classes: Storage.FC1. Priority: Low.
Threats (risk level): Storage.T14 (Very Low).

[Storage.C79, depends on Storage.C77] Preventative (COSO) / Protect (NIST CSF)
Control: Ensure only authorized Azure Storage redundancy options are set for authorized Storage Accounts (e.g., using Azure Policy in deny mode).
Testing procedure: Create a storage account with an unauthorized Azure Storage redundancy option; it should be denied.
Cost: Very Low. Feature classes: Storage.FC1. Priority: Low.
Threats (risk level): Storage.T14 (Very Low).

[Storage.C40, assured by Storage.C42] Directive (COSO) / Protect (NIST CSF)
Control: Ensure Storage Accounts have container soft-delete enabled.
Testing procedure: Request 1) the mechanism ensuring Storage Accounts have container soft-delete enabled, 2) its records of execution for all new Storage Accounts, and 3) the plan to migrate any older Storage Accounts.
Cost: Medium. Feature classes: Storage.FC2, Storage.FC6. Priority: Low.
Threats (risk level): Storage.T7 (Very Low), Storage.T9 (Very Low), Storage.T12 (Very Low), Storage.T25 (Low), Storage.T39 (Very Low).

[Storage.C42] Assurance (COSO) / Detect (NIST CSF)
Control: Verify no Storage Accounts are configured without container soft-delete.
Testing procedure: Create a storage account without the container soft-delete option; it should be detected.
Cost: Low. Feature classes: Storage.FC2, Storage.FC6. Priority: Low.
Threats (risk level): -

[Storage.C91, depends on Storage.C89] Preventative (COSO) / Protect (NIST CSF)
Control: Prevent the creation of file shares without soft-delete (e.g., by using an Azure Policy in deny mode).
Testing procedure: Create a file share without soft-delete; it should be denied.
Cost: High. Feature classes: Storage.FC3. Priority: Low.
Threats (risk level): Storage.T18 (Medium), Storage.T19 (Very Low), Storage.T20 (Very Low).

[Storage.C22] Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized Storage Accounts with the hierarchical namespace (DFS) option enabled.
Testing procedure: Request the list of authorized Storage Accounts with the hierarchical namespace (DFS) option enabled, its review process, and its review records.
Cost: Medium. Feature classes: Storage.FC2. Priority: Low.
Threats (risk level): Storage.T6 (Very Low), Storage.T7 (Very Low), Storage.T40 (Very Low).

[Storage.C23, depends on Storage.C22, assured by Storage.C24] Directive (COSO) / Protect (NIST CSF)
Control: Ensure only authorized Storage Accounts have the hierarchical namespace (DFS) option enabled.
Testing procedure: Request 1) the mechanism ensuring only authorized Storage Accounts have the hierarchical namespace (DFS) option enabled, 2) its records of execution for all new Storage Accounts with the hierarchical namespace (DFS) option enabled, and 3) the plan to migrate any older Storage Accounts with the hierarchical namespace (DFS) option enabled.
Cost: Medium. Feature classes: Storage.FC2. Priority: Low.
Threats (risk level): Storage.T6 (Low), Storage.T7 (Low), Storage.T40 (Low).

[Storage.C24] Assurance (COSO) / Detect (NIST CSF)
Control: Verify that no unauthorized Storage Accounts have the hierarchical namespace (DFS) option enabled (e.g., by using an Azure Policy on {"isHnsEnabled": "true"} in audit mode).
Testing procedure: Create a storage account with the hierarchical namespace (DFS) option enabled; it should be detected.
Cost: Medium. Feature classes: Storage.FC2. Priority: Low.
Threats (risk level): -

[Storage.C71] Assurance (COSO) / Detect (NIST CSF)
Control: Verify only authorized keys for Azure Storage encryption, with the desired assignment and rotation policy, are in use (e.g., using Azure Policy in audit mode).
Testing procedure: Configure a storage account with an unauthorized encryption setting; it should be detected.
Cost: High. Feature classes: Storage.FC1. Priority: Low.
Threats (risk level): -

[Storage.C104] Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized NFS/SMB 2.1 Azure Files shares.
Testing procedure: Request the list of authorized NFS/SMB 2.1 Azure Files shares with their NFS/SMB 2.1 settings, its review process, and its review records.
Cost: Low. Feature classes: Storage.FC3. Priority: Low.
Threats (risk level): Storage.T21 (Very Low).

[Storage.C105, depends on Storage.C104, assured by Storage.C108] Directive (COSO) / Protect (NIST CSF)
Control: Ensure only authorized Azure Files NFS/SMB 2.1 shares have encryption disabled.
Testing procedure: Request 1) the mechanism ensuring only authorized NFS/SMB 2.1 Azure Files shares have encryption disabled, 2) its records of execution for all new NFS/SMB 2.1 Azure Files shares, and 3) the plan to migrate any older Storage Accounts.
Cost: High. Feature classes: Storage.FC3. Priority: Low.
Threats (risk level): Storage.T21 (Low).

[Storage.C106, depends on Storage.C104] Preventative (COSO) / Protect (NIST CSF)
Control: Prevent unauthorized Azure Files NFS/SMB 2.1 shares from having encryption disabled (e.g., using Azure Policy in deny mode).
Testing procedure: Create a storage account with encryption disabled; it should be denied.
Cost: High. Feature classes: Storage.FC3. Priority: Low.
Threats (risk level): Storage.T21 (Low).

[Storage.C107] Detective (COSO) / Detect (NIST CSF)
Control: Monitor the creation/update of Azure Files NFS/SMB 2.1 shares and their corresponding settings (e.g., using activity logs on the properties.supportsHttpsTrafficOnly field).
Testing procedure: Create a storage account with encryption disabled; it should be detected.
Cost: High. Feature classes: Storage.FC3. Priority: Low.
Threats (risk level): Storage.T21 (Low).

[Storage.C108] Assurance (COSO) / Detect (NIST CSF)
Control: Verify only authorized Azure Files NFS/SMB 2.1 shares and corresponding settings are configured (e.g., using Azure Policy in audit mode).
Testing procedure: Create a storage account with encryption disabled; it should be detected.
Cost: High. Feature classes: Storage.FC3. Priority: Low.
Threats (risk level): -

[Storage.C129] Directive (COSO) / Identify (NIST CSF)
Control: Maintain a list of authorized Azure Files security protocol settings (ideally maximum security: SMB 3.1.1, Kerberos, and AES-256 only).
Testing procedure: Request the list of authorized Azure Files security protocol settings, its review process, and its review records.
Cost: Low. Feature classes: Storage.FC3. Priority: Low.
Threats (risk level): Storage.T21 (Very Low).

[Storage.C130, depends on Storage.C129, assured by Storage.C132] Directive (COSO) / Protect (NIST CSF)
Control: Ensure only authorized Azure Files security protocol settings are set for authorized Storage Accounts.
Testing procedure: Request 1) the mechanism ensuring only authorized Azure Files security protocol settings are in use for Storage Accounts, 2) its records of execution for all new Storage Accounts, and 3) the plan to migrate any older Storage Accounts.
Cost: High. Feature classes: Storage.FC3. Priority: Low.
Threats (risk level): Storage.T21 (Very Low).

[Storage.C132] Assurance (COSO) / Detect (NIST CSF)
Control: Verify only authorized Azure Files security protocol settings are set for authorized Storage Accounts (e.g., using Azure Policy in audit mode on the protocolSettings.smb fields versions, authenticationMethods, kerberosTicketEncryption, and channelEncryption).
Testing procedure: Configure a storage account with unauthorized Azure Files security protocol settings; it should be detected.
Cost: High. Feature classes: Storage.FC3. Priority: Low.
Threats (risk level): -
[Storage.C133]

Directive (COSO) Refrain from mixing or downgrading security options Check the configuration of Storage Accounts (Azure
for the Azure Files shared inside the same Azure Medium Storage.FC3 Storage.T21 (Very Low) Low
Protect (NIST CSF) Files).
Storage account.
[Storage.C88]

Detective (COSO) Monitor file shares quotas and trends using Azure Create a file with an unauthorized or default quota, it Very
Monitor with alarm (, e.g., Azure file share size is 80% of should be detected. Storage.FC3 Storage.T16 (Medium) Low
Protect (NIST CSF) Low
capacity)
[Storage.C67, depends on Storage.C66, assured by Storage.C71] | Directive (COSO) / Protect (NIST CSF) | Ensure authorized keys for Azure Storage encryption with desired assignment and rotation policy are set for authorized Storage Accounts. | Request 1) the mechanism ensuring only authorized keys for Azure Storage encryption with desired assignment and rotation policy are in use, 2) its records of execution for all new Storage Accounts, and 3) the plan to move any older Storage Accounts | High | Storage.FC1 | Storage.T14 (Medium) | Low
[Storage.C68] | Directive (COSO) / Protect (NIST CSF) | Protect Key Vault store custom encryption keys using Key Vault ThreatModel. | Check settings for Key Vault. | High | Storage.FC1 | Storage.T38 (Medium) | Low
[Storage.C134] | Directive (COSO) / Identify (NIST CSF) | Maintain a list of blobs created before October 20, 2017 (ideally none). | Request 1) the list of blobs created before October 20, 2017, 2) its records of execution for rewriting, and 3) the plan for rewriting. | Low | Storage.FC1, Storage.FC2 | Storage.T46 (Very Low), Storage.T49 (Very Low) | Low
[Storage.C82, depends on Storage.C81, assured by Storage.C84] | Directive (COSO) / Protect (NIST CSF) | Ensure the authorized Azure Storage region is set for authorized Storage Accounts. | Request 1) the mechanism ensuring only Azure Storage authorized regions for Storage Accounts are in use, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts | High | Storage.FC1, Storage.FC2, Storage.FC9 | Storage.T13 (Very Low), Storage.T14 (Very Low), Storage.T49 (Very Low) | Low
[Storage.C84] | Assurance (COSO) / Detect (NIST CSF) | Verify only the authorized Azure Storage region is set for authorized Storage Accounts (e.g., using Azure Policy on audit mode). | Create a storage account with an unauthorized Azure Storage region, it should be detected. | High | Storage.FC1, Storage.FC2, Storage.FC9 | - | Low
[Storage.C121] | Directive (COSO) / Protect (NIST CSF) | Integrate the access to SSH in the IAM Operating Model, including monitoring of creating local SSH users. | Request the IAM Operating Model for SSH access. | Low | Storage.FC11 | Storage.T44 (Very Low) | Low
[Storage.C122] | Directive (COSO) / Protect (NIST CSF) | Use SSH private key credentials for authentication as the preferred authentication method. | Check the usage of local passwords in SFTP-enabled accounts. | Medium | Storage.FC11 | Storage.T44 (Very Low) | Low

[Storage.C109, assured by Storage.C111] | Directive (COSO) / Protect (NIST CSF) | Ensure Storage Accounts have Azure Defender for storage account enabled. | Request 1) the mechanism ensuring Storage Accounts have Azure Defender for storage account enabled, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts | High | Storage.FC2, Storage.FC3, Storage.FC7 | Storage.T3 (Very Low), Storage.T5 (Very Low), Storage.T20 (Very Low), Storage.T37 (Very Low), Storage.T55 (Very Low) | Low
[Storage.C110] | Preventative (COSO) / Protect (NIST CSF) | Prevent the creation of Storage Accounts without the Azure Defender for storage account option (e.g., by using an Azure Policy "Microsoft.storage/storageaccounts/deleteRetentionPolicy" in deny mode). | Create a storage account without Azure Defender for storage account, it should be denied | High | Storage.FC2, Storage.FC3, Storage.FC7 | Storage.T3 (Very Low), Storage.T5 (Low), Storage.T20 (Medium), Storage.T37 (Very Low), Storage.T55 (Very Low) | Low
[Storage.C111] | Assurance (COSO) / Detect (NIST CSF) | Verify all Storage Accounts have Azure Defender for storage account enabled | Create a storage account without Azure Defender for storage, it should be detected. | Low | Storage.FC2, Storage.FC3, Storage.FC7 | - | Low
[Storage.C114, depends on Storage.C109] | Preventative (COSO) / Protect (NIST CSF) | Prevent the creation of Storage Accounts without Azure Defender (e.g., by using an Azure Policy in deny mode). | Create a storage account without Azure Defender for storage account, it should be denied. | High | Storage.FC2, Storage.FC3, Storage.FC7 | Storage.T3 (Very Low), Storage.T5 (Very Low), Storage.T20 (Very Low), Storage.T37 (Very Low), Storage.T55 (Very Low) | Low
[Storage.C127] | Directive (COSO) / Protect (NIST CSF) | The latest (or latest -1 with no security vulnerabilities) non-preview version of storage software libraries must be used for Storage Accounts. Running on older versions could mean you are not using the latest security classes. Usage of such old classes and types can make your application vulnerable. | Check the software libraries that are in use for Storage Accounts. | Very High | Storage.FC1, Storage.FC3 | Storage.T21 (Low), Storage.T45 (Medium) | Low
[Storage.C123, depends on Storage.C120, assured by Storage.C125] | Directive (COSO) / Protect (NIST CSF) | Ensure authorized Azure Storage SFTP options with authentication methods and permission models are set for authorized Storage Accounts. | Request 1) the mechanism ensuring only Azure Storage SFTP options with encryption settings, authentication methods, and permission model for Storage Accounts are in use, 2) its records of execution for all new Storage Accounts, and 3) the plan to move any older Storage Accounts. | High | Storage.FC11 | Storage.T44 (Very Low) | Low
[Storage.C125] | Assurance (COSO) / Detect (NIST CSF) | Verify only authorized Azure Storage SFTP options with authentication methods and permission models are set for authorized Storage Accounts (e.g., using Azure Policy on audit mode). | Configure a storage account with unauthorized SFTP options, encryption settings, authentication methods, and permission models, it should be detected. | High | Storage.FC11 | - | Low
[Storage.C93] | Directive (COSO) / Identify (NIST CSF) | Maintain a revocation plan for any SAS or storage account access keys issued to clients based on requirements. If a SAS is compromised, you must revoke that SAS as soon as possible. To revoke a user delegation SAS, revoke the user delegation key to invalidate all signatures associated with that key. To revoke a service SAS that is associated with a stored access policy, you can delete the stored access policy, rename the policy, or change its expiry time to a time that is in the past (ref). To revoke a storage account access key, regenerate the key. | Request the authorized revocation plan for any SAS or storage account access keys, its review process, and its review records. | Low | Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC7 | Storage.T1 (Very Low), Storage.T2 (Very Low), Storage.T3 (Very Low), Storage.T16 (Very Low), Storage.T47 (Very Low), Storage.T55 (Very Low) | Low
[Storage.C94, depends on Storage.C93, assured by Storage.C95] | Directive (COSO) / Protect (NIST CSF) | Ensure the revocation plan is in place for any SAS or storage account access key. | Request 1) the mechanism ensuring the revocation plan in place for any SAS or storage account access keys is in use, 2) its records of testing for all new Storage Accounts, and 3) plan to move any older Storage Accounts | High | Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC7 | Storage.T1 (Very Low), Storage.T2 (Very Low), Storage.T3 (Very Low), Storage.T16 (Very Low), Storage.T47 (Very Low), Storage.T55 (Very Low) | Low
[Storage.C95] | Assurance (COSO) / Detect (NIST CSF) | Verify the revocation plan is in place for any SAS or storage account access key. | Check test executions. For any unsuccessful attempts, it should be detected | High | Storage.FC1, Storage.FC2, Storage.FC3, Storage.FC7 | - | Low
[Storage.C78, depends on Storage.C77, assured by Storage.C80] | Directive (COSO) / Protect (NIST CSF) | Ensure authorized Azure Storage redundancy is set for authorized Storage Accounts. | Request 1) the mechanism ensuring only Azure Storage redundancy for Storage Accounts are in use, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts | High | Storage.FC1 | Storage.T14 (Very Low) | Very Low
[Storage.C80] | Assurance (COSO) / Detect (NIST CSF) | Verify only authorized Azure Storage redundancy is set for authorized Storage Accounts (e.g., using Azure Policy on audit mode). | Configure a storage account with an unauthorized redundancy setting, it should be detected. | High | Storage.FC1 | - | Very Low
[Storage.C16, depends on Storage.C15, assured by Storage.C18] | Directive (COSO) / Protect (NIST CSF) | Ensure Storage Accounts have soft-delete for the blob enabled for at least the defined minimum retention | Request 1) the mechanism ensuring Storage Accounts have soft-delete for the blob enabled for at least the defined minimum retention, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts | Low | Storage.FC2 | Storage.T7 (Very Low), Storage.T9 (Very Low), Storage.T12 (Very Low) | Very Low
[Storage.C18] | Assurance (COSO) / Detect (NIST CSF) | Verify all Storage Accounts have soft-delete for the blob enabled (e.g., by using an Azure Policy in audit mode). | Create a storage account without the soft-delete for the blob option, it should be detected. | Low | Storage.FC2 | - | Very Low
[Storage.C19, depends on Storage.C15, assured by Storage.C21] | Directive (COSO) / Protect (NIST CSF) | Ensure Storage Accounts have soft-delete for the container enabled | Request 1) the mechanism ensuring Storage Accounts have soft-delete for the container enabled, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts. | Medium | Storage.FC2 | Storage.T7 (Very Low), Storage.T9 (Very Low), Storage.T12 (Very Low), Storage.T39 (Very Low) | Very Low
[Storage.C21] | Assurance (COSO) / Detect (NIST CSF) | Verify Storage Accounts without soft-delete for the container are not configured. | Create a storage account without the soft-delete for the container option, it should be detected. | Low | Storage.FC2 | - | Very Low
[Storage.C100] | Directive (COSO) / Identify (NIST CSF) | Maintain a list of authorized CORS per endpoint trusted origins and corresponding settings. | Request the list of authorized Storage Accounts with CORS trusted origins and corresponding settings, its review process, and its review records. | Low | Storage.FC1 | Storage.T26 (Very Low) | Very Low
[Storage.C101, depends on Storage.C100, assured by Storage.C103] | Directive (COSO) / Protect (NIST CSF) | Ensure only authorized Storage Accounts have CORS trusted origins and corresponding settings configured. | Request 1) the mechanism ensuring only authorized Storage Accounts have CORS trusted origins and corresponding settings configured, 2) its records of execution for all new Storage Accounts, and 3) plan to move any older Storage Accounts | High | Storage.FC1 | Storage.T26 (Low) | Very Low
[Storage.C102, depends on Storage.C100] | Preventative (COSO) / Protect (NIST CSF) | Prevent unauthorized Storage Accounts from using CORS trusted origins and corresponding settings (e.g., using Azure Policy in deny mode). | Create a storage account with untrusted CORS settings, it should be denied. | High | Storage.FC1 | Storage.T26 (Very Low) | Very Low
[Storage.C103] | Assurance (COSO) / Detect (NIST CSF) | Verify only authorized CORS trusted origins and corresponding settings are configured (e.g., using Azure Policy on audit mode). | Create a storage account with untrusted CORS settings, it should be detected. | High | Storage.FC1 | - | Very Low

Appendix 2 - List of all Actions and their details
Id | Description | Feature Class ID | IAM Permission | Event | API
Storage.A1 | Registers the subscription for the storage resource provider and enables the creation of Storage Accounts. | Storage.FC1 | Microsoft.Storage/register/action | TODO | OperationsList
Storage.A2 | Notifies Azure Storage that virtual network or subnet is being deleted | Storage.FC1 | Microsoft.Storage/locations/deleteVirtualNetworkOrSubnets/action | TODO | NotifiesAzureStorageThatVirtualNetworkOrSubnetIsBeingDeleted
Storage.A3 | List blob services | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/read | TODO | Listblobs
Storage.A4 | Returns a user delegation key for the blob service | Storage.FC7 | Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | TODO | ReturnsAUserDelegationKeyForTheblobService
Storage.A5 | Returns the result of put blob service properties | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/write | TODO | GetblobProperties
Storage.A6 | Returns blob service properties or statistics | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/read | TODO | SetblobServiceProperties
Storage.A7 | Returns a blob or a list of blobs | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | TODO | Listblobs
Storage.A8 | Returns the result of writing a blob | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | TODO | ReturnsTheResultOfWritingAblob
Storage.A9 | Returns the result of deleting a blob | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | TODO | ReturnsTheResultOfDeletingAblob
Storage.A10 | Returns the result of deleting a blob version | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteblobVersion/action | TODO | DeleteblobVersions
Storage.A11 | Delete a version of a blob. | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action | TODO | DataactionForDeletingAVersionOfAblob
Storage.A12 | Returns the result of adding blob content | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | TODO | AddblobContent
Storage.A13 | Returns the list of blobs under an account with matching tags filter | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action | TODO | ReturnsTheListOfblobsUnderAnAccountWithMatchingTagsFilter
Storage.A14 | Moves the blob from one path to another | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action | TODO | Moveblobs
Storage.A15 | Changes ownership of the blob | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action | TODO | ManageblobOwnership
Storage.A16 | Modifies permissions of the blob | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action | TODO | ModifyblobPermissions
Storage.A17 | Returns the result of the blob command | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action | TODO | ReturnsTheResultOfTheblobCommand
Storage.A18 | Migrate | Storage.FC1 | Microsoft.Storage/storageAccounts/blobServices/containers/migrate/action | TODO | Migrate
Storage.A19 | Returns the result of patch blob container | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/write | TODO | PathblobContainer
Storage.A20 | Returns the result of deleting a container | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/delete | TODO | DeleteblobContainer
Storage.A21 | Returns a container | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/read | TODO | GetblobContainer
Storage.A22 | Returns list of containers | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/read | TODO | ReturnsListOfContainers
Storage.A23 | Returns the result of leasing blob container | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/lease/action | TODO | ReturnsTheResultOfLeasingblobContainer
Storage.A24 | Returns the result of put blob container | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/write | TODO | ReturnsTheResultOfPutblobContainer
Storage.A25 | Clear blob container legal hold | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/clearLegalHold/action | TODO | ClearblobContainerLegalHold
Storage.A26 | Set blob container legal hold | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/setLegalHold/action | TODO | SetblobContainerLegalHold
Storage.A27 | Extend blob container immutability policy | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/extend/action | TODO | ExtendblobContainerImmutabilityPolicy
Storage.A28 | Delete blob container immutability policy | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete | TODO | DeleteblobContainerImmutabilityPolicy
Storage.A29 | Put blob container immutability policy | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/write | TODO | PutblobContainerImmutabilityPolicy
Storage.A30 | Lock blob container immutability policy | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/lock/action | TODO | LockblobContainerImmutabilityPolicy
Storage.A31 | Get blob container immutability policy | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/read | TODO | GetblobContainerImmutabilityPolicy
Storage.A32 | Get queue service properties | Storage.FC4 | Microsoft.Storage/storageAccounts/queueServices/read | TODO | GetqueueServiceProperties
Storage.A33 | Returns queue service properties or statistics. | Storage.FC4 | Microsoft.Storage/storageAccounts/queueServices/read | TODO | ReturnsqueueServicePropertiesOrStatistics.
Storage.A34 | Returns the result of setting queue service properties | Storage.FC4 | Microsoft.Storage/storageAccounts/queueServices/write | TODO | ReturnsTheResultOfSettingqueueServiceProperties
Storage.A35 | Create a queue | Storage.FC4 | Microsoft.Storage/storageAccounts/queueServices/queues/write | TODO | CreateAqueue
Storage.A36 | Returns a queue or a list of queues. | Storage.FC4 | Microsoft.Storage/storageAccounts/queueServices/queues/read | TODO | ReturnsAqueueOrAListOfqueues.
Storage.A37 | Returns the result of writing a queue | Storage.FC4 | Microsoft.Storage/storageAccounts/queueServices/queues/write | TODO | ReturnsTheResultOfWritingAqueue
Storage.A38 | Returns the result of deleting a queue | Storage.FC4 | Microsoft.Storage/storageAccounts/queueServices/queues/delete | TODO | ReturnsTheResultOfDeletingAqueue
Storage.A39 | Returns a message | Storage.FC4 | Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | TODO | ReturnsAMessage
Storage.A40 | Returns the result of writing a message | Storage.FC4 | Microsoft.Storage/storageAccounts/queueServices/queues/messages/write | TODO | ReturnsTheResultOfWritingAMessage
Storage.A41 | Returns the result of deleting a message | Storage.FC4 | Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete | TODO | ReturnsTheResultOfDeletingAMessage
Storage.A42 | Returns the result of adding a message | Storage.FC4 | Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action | TODO | ReturnsTheResultOfAddingAMessage
Storage.A43 | Returns the result of processing a message | Storage.FC4 | Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | TODO | ReturnsTheResultOfProcessingAMessage
Storage.A44 | Update internal properties | Storage.FC1 | Microsoft.Storage/storageAccounts/updateInternalProperties/action | TODO | UpdateInternalProperties
Storage.A45 | Customer is able to abort an ongoing hierarchical namespace migration on the storage account | Storage.FC1 | Microsoft.Storage/storageAccounts/hnsonmigration/action | TODO | CustomerIsAbleToAbortAnOngoingHierarchicalNamespaceMigrationOnTheStorageAccount
Storage.A46 | Customer is able to migrate to hierarchical namespace account type | Storage.FC1 | Microsoft.Storage/storageAccounts/hnsonmigration/action | TODO | CustomerIsAbleToMigrateToHierarchicalNamespaceAccountType
Storage.A47 | Restore blob ranges to the state of the specified time | Storage.FC2 | Microsoft.Storage/storageAccounts/restoreblobRanges/action | TODO | RestoreblobRangesToTheStateOfTheSpecifiedTime
Storage.A48 | Approve private endpoint Connections | Storage.FC1 | Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action | TODO | ApprovePrivateEndpointConnections
Storage.A49 | Customer is able to control the failover in case of availability issues | Storage.FC1 | Microsoft.Storage/storageAccounts/failover/action | TODO | CustomerIsAbleToControlTheFailoverInCaseOfAvailabilityIssues
Storage.A50 | Returns the access keys for the specified storage account. | Storage.FC7 | Microsoft.Storage/storageAccounts/listkeys/action | TODO | ReturnsTheAccessKeysForTheSpecifiedStorageAccount.
Storage.A51 | Regenerates the access keys for the specified storage account. | Storage.FC7 | Microsoft.Storage/storageAccounts/regeneratekey/action | TODO | RegeneratesTheAccessKeysForTheSpecifiedStorageAccount.
Storage.A52 | Rotate key | Storage.FC7 | Microsoft.Storage/storageAccounts/rotateKey/action | TODO | RotateKey
Storage.A53 | Revokes all the user delegation keys for the specified storage account. | Storage.FC7 | Microsoft.Storage/storageAccounts/revokeUserDelegationKeys/action | TODO | RevokesAllTheUserDelegationKeysForTheSpecifiedStorageAccount.
Storage.A54 | Deletes an existing storage account. | Storage.FC1 | Microsoft.Storage/storageAccounts/delete | TODO | DeletesAnExistingStorageAccount.
Storage.A55 | Returns the list of Storage Accounts or gets the properties for the specified storage account. | Storage.FC1 | Microsoft.Storage/storageAccounts/read | TODO | ReturnsTheListOfStorageAccountsOrGetsThePropertiesForTheSpecifiedStorageAccount.
Storage.A56 | Returns the account SAS token for the specified storage account. | Storage.FC1 | Microsoft.Storage/storageAccounts/listAccountSas/action | TODO | ReturnsTheAccountSASTokenForTheSpecifiedStorageAccount.
Storage.A57 | Returns the service SAS token for the specified storage account. | Storage.FC1 | Microsoft.Storage/storageAccounts/listServiceSas/action | TODO | ReturnsTheServiceSASTokenForTheSpecifiedStorageAccount.
Storage.A58 | Creates a storage account with the specified parameters, updates the properties or tags, or adds a custom domain for the specified storage account. | Storage.FC1 | Microsoft.Storage/storageAccounts/write | TODO | CreatesAStorageAccountWithTheSpecifiedParametersOrUpdateThePropertiesOrTagsOrAddsCustomDomainForTheSpecifiedStorageAccount.
Storage.A59 | Create/update storage account diagnostic settings. | Storage.FC1 | Microsoft.Storage/storageAccounts/services/diagnosticsettings/write | TODO | Create/UpdateStorageAccountDiagnosticSettings.
Storage.A60 | Get list of Azure Storage metrics definitions. | Storage.FC8 | Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/metricDefinitions/read | TODO | GetListOfAzureStorageMetricsDefinitions.
Storage.A61 | Gets the diagnostic setting for the resource. | Storage.FC8 | Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticsettings/read | TODO | GetsTheDiagnosticSettingForTheResource.
Storage.A62 | Creates or updates the diagnostic setting for the resource. | Storage.FC8 | Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticsettings/write | TODO | CreatesOrUpdatesTheDiagnosticSettingForTheResource.
Storage.A63 | Get list of Azure Storage metrics definitions. | Storage.FC8 | Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/metricDefinitions/read | TODO | GetListOfAzureStorageMetricsDefinitions.
Storage.A64 | Gets the diagnostic setting for the resource. | Storage.FC8 | Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/diagnosticsettings/read | TODO | GetsTheDiagnosticSettingForTheResource.
Storage.A65 | Creates or updates the diagnostic setting for the resource. | Storage.FC8 | Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/diagnosticsettings/write | TODO | CreatesOrUpdatesTheDiagnosticSettingForTheResource.
Storage.A66 | Get list of Azure Storage metrics definitions. | Storage.FC8 | Microsoft.Storage/storageAccounts/tableServices/providers/Microsoft.Insights/metricDefinitions/read | TODO | GetListOfAzureStorageMetricsDefinitions.
Storage.A67 | Gets the diagnostic setting for the resource. | Storage.FC8 | Microsoft.Storage/storageAccounts/tableServices/providers/Microsoft.Insights/diagnosticsettings/read | TODO | GetsTheDiagnosticSettingForTheResource.
Storage.A68 | Creates or updates the diagnostic setting for the resource. | Storage.FC8 | Microsoft.Storage/storageAccounts/tableServices/providers/Microsoft.Insights/diagnosticsettings/write | TODO | CreatesOrUpdatesTheDiagnosticSettingForTheResource.
Storage.A69 | Get list of Azure Storage metrics definitions. | Storage.FC8 | Microsoft.Storage/storageAccounts/fileServices/providers/Microsoft.Insights/metricDefinitions/read | TODO | GetListOfAzureStorageMetricsDefinitions.
Storage.A70 | Gets the diagnostic setting for the resource. | Storage.FC8 | Microsoft.Storage/storageAccounts/fileServices/providers/Microsoft.Insights/diagnosticsettings/read | TODO | GetsTheDiagnosticSettingForTheResource.
Storage.A71 | Creates or updates the diagnostic setting for the resource. | Storage.FC8 | Microsoft.Storage/storageAccounts/fileServices/providers/Microsoft.Insights/diagnosticsettings/write | TODO | CreatesOrUpdatesTheDiagnosticSettingForTheResource.
Storage.A72 | Get list of Azure Storage metrics definitions. | Storage.FC8 | Microsoft.Storage/storageAccounts/queueServices/providers/Microsoft.Insights/metricDefinitions/read | TODO | GetListOfAzureStorageMetricsDefinitions.
Storage.A73 | Gets the diagnostic setting for the resource. | Storage.FC8 | Microsoft.Storage/storageAccounts/queueServices/providers/Microsoft.Insights/diagnosticsettings/read | TODO | GetsTheDiagnosticSettingForTheResource.
Storage.A74 | Creates or updates the diagnostic setting for the resource. | Storage.FC8 | Microsoft.Storage/storageAccounts/queueServices/providers/Microsoft.Insights/diagnosticsettings/write | TODO | CreatesOrUpdatesTheDiagnosticSettingForTheResource.
Storage.A75 | Gets the log definition for table | Storage.FC8 | Microsoft.Storage/storageAccounts/tableServices/providers/Microsoft.Insights/logDefinitions/read | TODO | GetsTheLogDefinitionForTable
Storage.A76 | Gets the log definition for blob | Storage.FC8 | Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/logDefinitions/read | TODO | GetsTheLogDefinitionForblob
Storage.A77 | Gets the log definition for file | Storage.FC8 | Microsoft.Storage/storageAccounts/fileServices/providers/Microsoft.Insights/logDefinitions/read | TODO | GetsTheLogDefinitionForFile
Storage.A78 | Gets the log definition for queue | Storage.FC8 | Microsoft.Storage/storageAccounts/queueServices/providers/Microsoft.Insights/logDefinitions/read | TODO | GetsTheLogDefinitionForqueue
Storage.A79 | Lists the SKUs supported by Azure Storage | Storage.FC1 | Microsoft.Storage/skus/read | TODO | ListsTheSkusSupportedByAzureStorage
Storage.A80 | Polls the status of an asynchronous operation | Storage.FC1 | Microsoft.Storage/operations/read | TODO | PollsTheStatusOfAnAsynchronousOperation
Storage.A81 | Checks that account name is valid and is not in use. | Storage.FC1 | Microsoft.Storage/checknameavailability/read | TODO | ChecksThatAccountNameIsValidAndIsNotInUse.
Storage.A82 | Returns the limit and the current usage count for resources in the specified subscription | Storage.FC1 | Microsoft.Storage/locations/usages/read | TODO | ReturnsTheLimitAndTheCurrentUsageCountForResourcesInTheSpecifiedSubscription
Storage.A83 | Returns the limit and the current usage count for resources in the specified subscription | Storage.FC1 | Microsoft.Storage/usages/read | TODO | ReturnsTheLimitAndTheCurrentUsageCountForResourcesInTheSpecifiedSubscription
Storage.A84 | Returns the result of reading blob tags | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read | TODO | ReturnsTheResultOfReadingblobTags
Storage.A85 | Returns the result of writing blob tags | Storage.FC2 | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write | TODO | ReturnsTheResultOfWritingblobTags
Storage.A86 | Delete storage account management policies | Storage.FC1 | Microsoft.Storage/storageAccounts/managementPolicies/delete | TODO | DeleteStorageAccountManagementPolicies
Storage.A87 | Get storage management account policies | Storage.FC1 | Microsoft.Storage/storageAccounts/managementPolicies/read | TODO | GetStorageManagementAccountPolicies
Storage.A88 | Put storage account management policies | Storage.FC6 | Microsoft.Storage/storageAccounts/managementPolicies/write | TODO | PutStorageAccountManagementPolicies
Storage.A89 | Restore file share | Storage.FC3 | Microsoft.Storage/storageAccounts/fileServices/shares/action | TODO | RestoreFileShare
Storage.A90 | List file services | Storage.FC3 | Microsoft.Storage/storageAccounts/fileServices/read | TODO | ListFileServices
Storage.A91 | Put file service properties | Storage.FC3 | Microsoft.Storage/storageAccounts/fileServices/write | TODO | PutFileServiceProperties
Storage.A92 | Get file service properties | Storage.FC3 | Microsoft.Storage/storageAccounts/fileServices/read | TODO | GetFileServiceProperties
Storage.A93 | Get table service properties | Storage.FC5 | Microsoft.Storage/storageAccounts/tableServices/read | TODO | GetTableServiceProperties
Storage.A94 | Get table service properties or statistics | Storage.FC5 | Microsoft.Storage/storageAccounts/tableServices/read | TODO | GetTableServicePropertiesOrStatistics
Storage.A95 | Set table service properties | Storage.FC5 | Microsoft.Storage/storageAccounts/tableServices/write | TODO | SetTableServiceProperties
Storage.A96 | Returns a file/folder or a list of files/folders | Storage.FC3 | Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | TODO | ReturnsAFile/FolderOrAListOfFiles/Folders
Storage.A97 | Returns the result of writing a file or creating a folder | Storage.FC3 | Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | TODO | ReturnsTheResultOfWritingAFileOrCreatingAFolder
Storage.A98 | Returns the result of deleting a file/folder | Storage.FC3 | Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | TODO | ReturnsTheResultOfDeletingAFile/Folder
Storage.A99 | Returns the result of modifying permission on a file/folder | Storage.FC3 | Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action | TODO | ReturnsTheResultOfModifyingPermissionOnAFile/Folder
Storage.A100 | Get file admin privileges | Storage.FC3 | Microsoft.Storage/storageAccounts/fileServices/fileshares/files/actassuperuser/action | TODO | GetFileAdminPrivileges
Microsoft.Storage/
storageAccounts/ GetPrivateEndpointConnectionPr
Storage.A101 Get private endpoint Connection Proxy Storage.FC1 TODO
privateEndpointConnectionProxi oxy
es/read
Microsoft.Storage/
storageAccounts/ DeletePrivateEndpointConnectio
Storage.A102 Delete private endpoint Connection Proxies Storage.FC1 TODO
privateEndpointConnectionProxi nProxies
es/delete
Microsoft.Storage/
storageAccounts/ PutPrivateEndpointConnectionPr
Storage.A103 Put private endpoint Connection Proxies Storage.FC1 TODO
privateEndpointConnectionProxi oxies
es/write
Microsoft.Storage/
storageAccounts/
Storage.A104 List private endpoint Connections Storage.FC1 TODO ListPrivateEndpointConnections
privateEndpointConnections/
read
Microsoft.Storage/
storageAccounts/ DeletePrivateEndpointConnectio
Storage.A105 Delete private endpoint Connection Storage.FC1 TODO
privateEndpointConnections/ n
delete
Microsoft.Storage/
storageAccounts/
Storage.A106 Get private endpoint Connection Storage.FC1 TODO GetPrivateEndpointConnection
privateEndpointConnections/
read
Microsoft.Storage/
storageAccounts/
Storage.A107 Put private endpoint Connection Storage.FC1 TODO PutPrivateEndpointConnection
privateEndpointConnections/
write
Storage.A108 Get StorageAccount groupids Storage.FC1 Microsoft.Storage/ TODO GetStorageaccountGroupids
storageAccounts/

ThreatModel for Azure Storage, by TrustOnCloud, under a Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). Page 130 / 135
privateLinkResources/read
Microsoft.Storage/locations/ ChecksThatAccountNameIsValid
Storage.A109 Checks that account name is valid and is not in use. Storage.FC1 TODO
checknameavailability/read AndIsNotInUse.
Microsoft.Storage/
Storage.A110 Delete file share Storage.FC3 storageAccounts/fileServices/ TODO DeleteFileShare
shares/delete
Microsoft.Storage/
Storage.A111 Get file share Storage.FC3 storageAccounts/fileServices/ TODO GetFileShare
shares/read
Microsoft.Storage/
Storage.A112 List file shares Storage.FC3 storageAccounts/fileServices/ TODO ListFileShares
shares/read
Microsoft.Storage/
Storage.A113 Create or update file share Storage.FC3 storageAccounts/fileServices/ TODO CreateOrUpdateFileShare
shares/write
Microsoft.Storage/
Storage.A114 Encryption Storage.FC9 storageAccounts/ TODO Encryption
encryptionScopes/read
Microsoft.Storage/
Storage.A115 Encryption Storage.FC9 storageAccounts/ TODO Encryption
encryptionScopes/write
Microsoft.Storage/
Storage.A116 Delete object replication policy Storage.FC9 storageAccounts/ TODO DeleteObjectReplicationPolicy
objectReplicationPolicies/delete
Microsoft.Storage/
Storage.A117 Get object replication policy Storage.FC9 storageAccounts/ TODO GetObjectReplicationPolicy
objectReplicationPolicies/read
Microsoft.Storage/
Storage.A118 List object replication policies Storage.FC9 storageAccounts/ TODO ListObjectReplicationPolicies
objectReplicationPolicies/read
Microsoft.Storage/
CreateOrUpdateObjectReplicatio
Storage.A119 Create or update object replication policy Storage.FC9 storageAccounts/ TODO
nPolicy
objectReplicationPolicies/write
Microsoft.Storage/
Storage.A120 Share policy Storage.FC1 storageAccounts/ TODO SharePolicy
dataSharePolicies/delete
Microsoft.Storage/
Storage.A121 Share policy Storage.FC1 storageAccounts/ TODO SharePolicy
dataSharePolicies/read
Storage.A122 Share policy Storage.FC1 Microsoft.Storage/ TODO SharePolicy
storageAccounts/

ThreatModel for Azure Storage, by TrustOnCloud, under a Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). Page 131 / 135
dataSharePolicies/write
Microsoft.Storage/
Storage.A123 Delete local user Storage.FC11 storageAccounts/localUsers/ TODO DeleteLocalUser
delete
Microsoft.Storage/
Storage.A125 List local user keys Storage.FC11 storageAccounts/localusers/ TODO ListLocalUserKeys
listKeys/action
Microsoft.Storage/
Storage.A126 List local users Storage.FC11 TODO ListLocalUsers
storageAccounts/localusers/read
Microsoft.Storage/
Storage.A127 Get local user Storage.FC11 TODO GetLocalUser
storageAccounts/localusers/read
Microsoft.Storage/
Storage.A128 Create or update local user Storage.FC11 storageAccounts/localusers/ TODO CreateOrUpdateLocalUser
write
Microsoft.Storage/
Storage.A129 Query tables Storage.FC5 storageAccounts/tableServices/ TODO QueryTables
tables/read
Microsoft.Storage/
Storage.A130 Create tables Storage.FC5 storageAccounts/tableServices/ TODO CreateTables
tables/write
Microsoft.Storage/
Storage.A131 Delete tables Storage.FC5 storageAccounts/tableServices/ TODO DeleteTables
tables/delete
Microsoft.Storage/
Storage.A132 Policies read Storage.FC10 storageAccounts/ TODO PoliciesRead
inventoryPolicies/delete
Microsoft.Storage/
Storage.A134 Policies write Storage.FC10 storageAccounts/ TODO PoliciesWrite
inventoryPolicies/write
Microsoft.Storage/
Storage.A135 Delete lock Storage.FC1 storageAccounts/accountLocks/ TODO DeleteLock
deleteLock/action
Microsoft.Storage/
Storage.A136 Lock read Storage.FC1 storageAccounts/accountLocks/ TODO LockRead
read
Microsoft.Storage/
Storage.A137 Lock write Storage.FC1 storageAccounts/ TODO LockWrite
accountLocks/write
Microsoft.Storage/
Storage.A138 Lock delete Storage.FC1 storageAccounts/accountLocks/ TODO LockDelete
delete

ThreatModel for Azure Storage, by TrustOnCloud, under a Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). Page 132 / 135
Microsoft.Storage/
Storage.A139 Data share policy read Storage.FC1 storageAccounts/ TODO DataSharePolicyRead
consumerdataSharePolicies/read
Microsoft.Storage/
storageAccounts/
Storage.A140 Data share policy write Storage.FC1 TODO DataSharePolicyWrite
consumerdataSharePolicies/
write
Microsoft.Storage/
Storage.A141 Query table entities Storage.FC5 storageAccounts/tableServices/ TODO QueryTableEntities
tables/entities/read
Microsoft.Storage/ Insert
Storage.A142 Insert, merge, or replace table entities Storage.FC5 storageAccounts/tableServices/ TODO Merge
tables/entities/write OrReplaceTableEntities
Microsoft.Storage/
Storage.A143 Delete table entities Storage.FC5 storageAccounts/tableServices/ TODO DeleteTableEntities
tables/entities/delete
Microsoft.Storage/
Storage.A144 Insert table entities Storage.FC5 storageAccounts/tableServices/ TODO InsertTableEntities
tables/entities/add/action
Microsoft.Storage/
Storage.A145 Merge or update table entities Storage.FC5 storageAccounts/tableServices/ TODO MergeOrUpdateTableEntities
tables/entities/update/action
Microsoft.Storage/
storageAccounts/blobServices/
Storage.A146 Run as Super user Storage.FC2 containers/blobs/ TODO RunAsSuperUser
immutableStorage/
runAsSuperUser/action
Microsoft.Storage/
storageAccounts/
Storage.A147 Point markers Storage.FC1 TODO PointMarkers
objectReplicationPolicies/
restorePointMarkers/write
Microsoft.Storage/
Storage.A148 Restore point delete Storage.FC1 storageAccounts/restorePoints/ TODO RestorePointDelete
delete
Microsoft.Storage/
Storage.A149 Restore point read Storage.FC1 storageAccounts/restorePoints/ TODO RestorePointRead
read
Microsoft.Storage/
Storage.A150 Blob service read Storage.FC1 storageAccounts/restorePoints/ TODO blobServiceRead
read
Storage.A151 Blob service write Storage.FC1 Microsoft.Storage/ TODO blobServiceWrite

ThreatModel for Azure Storage, by TrustOnCloud, under a Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). Page 133 / 135
storageAccounts/
accountMigrations/read
Microsoft.Storage/
Storage.A152 Manage storage account migration to enable hierarchical namespace. Storage.FC1 storageAccounts/ TODO ContainerRead
accountMigrations/write
Microsoft.Storage/
Storage.A153 List filesystems and their properties in given account. Storage.FC2 storageAccounts/blobServices/ TODO Filesystem_List
containers/read
Microsoft.Storage/
Create a filesystem rooted at the specified location. If the filesystem already exists, the
Storage.A154 Storage.FC2 storageAccounts/blobServices/ TODO Filesystem_Create
operation fails. This operation does not support conditional HTTP requests.
containers/write
Microsoft.Storage/
Storage.A155 Set properties for the filesystem. This operation supports conditional HTTP requests. Storage.FC2 storageAccounts/blobServices/ TODO Filesystem_Setproperties
containers/blobs/write
Microsoft.Storage/
Storage.A156 List filesystem paths and their properties. Storage.FC2 storageAccounts/blobServices/ TODO Path_List
containers/blobs/read
Microsoft.Storage/
Get all system and user-defined filesystem properties are specified in the response
Storage.A157 Storage.FC2 storageAccounts/blobServices/ TODO Filesystem_Getproperties
headers.
read
Marks the filesystem for deletion. When a filesystem is deleted, a filesystem with the same
identifier cannot be created for at least 30 seconds. While the filesystem is being deleted,
attempts to create a filesystem with the same identifier will fail with status code 409 Microsoft.Storage/
Storage.A158 (Conflict), with the service returning additional error information indicating that the Storage.FC2 storageAccounts/blobServices/ TODO Filesystem_Delete
filesystem is being deleted. Get all other operations, including operations on any files or containers/delete
directories within the filesystem, will fail with status code 404 while the filesystem is being
deleted. This operation supports conditional HTTP requests.
Create or rename a file or directory. By default, the destination is overwritten and if the Microsoft.Storage/
Storage.A159 destination already exists and has a lease the lease is broken. This operation supports Storage.FC2 storageAccounts/blobServices/ TODO Path_Create
conditional HTTP requests. containers/blobs/write
Uploads data to be appended to a file, flushes (writes) previously uploaded data to a file, Microsoft.Storage/
Storage.A160 sets properties for a file or directory, or sets access control for a file or directory. Data can Storage.FC2 storageAccounts/blobServices/ TODO Path_Update
only be appended to a file. This operation supports conditional HTTP requests. containers/blobs/write
Microsoft.Storage/
Create and manage a lease to restrict write and delete access to the path. This operation
Storage.A161 Storage.FC2 storageAccounts/blobServices/ TODO Path_Lease
supports conditional HTTP requests.
containers/blobs/write
Microsoft.Storage/
Read the contents of a file. For read operations, range requests are supported. This
Storage.A162 Storage.FC2 storageAccounts/blobServices/ TODO Path_Read
operation supports conditional HTTP requests.
containers/blobs/read
Storage.A163 Get properties returns all system and user defined properties for a path. Get status returns Storage.FC2 Microsoft.Storage/ TODO Path_Getproperties
all system defined properties for a path. Get Access Control List returns the Access Control storageAccounts/blobServices/

ThreatModel for Azure Storage, by TrustOnCloud, under a Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). Page 134 / 135
List for a path. This operation supports conditional HTTP requests. containers/blobs/read
Microsoft.Storage/
Storage.A164 Delete the file or directory. This operation supports conditional HTTP requests. Storage.FC2 storageAccounts/blobServices/ TODO Path_Delete
containers/blobs/delete

ThreatModel for Azure Storage, by TrustOnCloud, under a Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). Page 135 / 135