Ensure that storage accounts are zone or region redundant
Impact: High | Category: High Availability
APRL GUID: e6c7e1cc-2f47-264d-aa50-1da421314472
Description:
Redundancy options trade cost against availability and durability. Locally redundant storage (LRS) is the cheapest and least durable option, since all copies of the data sit in a single datacenter; zone-redundant (ZRS) and geo-redundant (GRS, GZRS and their read-access variants) options keep the account available and its data intact through a zone or region failure.
Use premium performance block blob storage for high performance workloads
Impact: Medium | Category: Scalability
APRL GUID: 5587ef77-7a05-a74d-9c6e-449547a12f27
Description:
Use premium-performance block blob storage rather than standard-performance storage for workloads that need low storage latency or high transaction rates.
Azure Resource Graph query: //cannot-be-validated-with-arg
Enable Soft Delete to protect your data
Impact: Medium | Category: Disaster Recovery
APRL GUID: 03263c57-c869-3841-9e0a-3dbb9ef3e28d
Description:
Blob soft delete keeps deleted blobs (and, with container soft delete, deleted containers) recoverable for a configurable retention period, so an accidental or malicious delete can be reversed. Pair it with a CanNotDelete resource lock on the storage account, which soft delete does not cover, so the account itself cannot be deleted by mistake.
Azure Resource Graph query: //under-development
Enable versioning for accidental modification and keep the number of versions below 1000
Impact: Low | Category: Disaster Recovery
APRL GUID: 8ebda7c0-e0e1-ed45-af59-2d7ea9a1c05d
Description:
Consider enabling blob versioning on Azure Storage accounts so that an accidentally modified or deleted blob can be restored from an earlier version. Microsoft advises keeping fewer than 1000 versions per blob, because a large number of versions increases the latency of blob operations; use lifecycle management rules to delete old versions automatically.
Azure Resource Graph query: //under-development
Enable point-in-time restore for GPv2 accounts to safeguard against data loss
Impact: Low | Category: Disaster Recovery
APRL GUID: 1b965cb9-7629-214e-b682-6bf6e450a100
Description:
Consider enabling point-in-time restore on standard general-purpose v2 accounts with a flat namespace (hierarchical namespace disabled), the only account type that supports it. It rolls block blob data in one or more containers back to an earlier state after accidental deletion or corruption. It requires blob versioning, change feed and soft delete to be enabled, and the restore window must be shorter than the soft-delete retention period.
Azure Resource Graph query: //under-development
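A local check for the three data-protection recommendations above (soft delete enabled, versioning enabled with fewer than 1000 versions per blob, point-in-time restore on eligible accounts), as an added example that is not part of APRL. It evaluates JSON in the shapes returned by `az storage account show`, `az storage account blob-service-properties show` and `az storage blob list --include v`; the account, blob-service settings and blob listing below are constructed sample data, and the function and constant names are the example's own.

```python
from collections import Counter

MAX_VERSIONS_PER_BLOB = 1000  # Microsoft advises fewer than 1000 versions per blob


def pitr_eligible(account: dict) -> bool:
    """Point-in-time restore is offered only for standard general-purpose v2
    accounts with a flat namespace (hierarchical namespace disabled)."""
    return (
        account.get("kind") == "StorageV2"
        and (account.get("sku") or {}).get("tier") == "Standard"
        and not account.get("isHnsEnabled", False)
    )


def check_data_protection(account: dict, blob_props: dict, blobs: list) -> list:
    """Return findings as strings; an empty list means every check passed.

    account    -- `az storage account show` JSON (kind, sku, isHnsEnabled)
    blob_props -- `az storage account blob-service-properties show` JSON
    blobs      -- `az storage blob list --include v` JSON (one row per version)
    """
    findings = []
    soft_delete = blob_props.get("deleteRetentionPolicy") or {}
    soft_delete_on = bool(soft_delete.get("enabled"))
    versioning_on = bool(blob_props.get("isVersioningEnabled"))
    change_feed_on = bool((blob_props.get("changeFeed") or {}).get("enabled"))
    restore = blob_props.get("restorePolicy") or {}

    if not soft_delete_on:
        findings.append("blob soft delete is disabled")
    if not versioning_on:
        findings.append("blob versioning is disabled")

    # `--include v` returns one row per version, so counting rows per blob
    # name gives the number of versions each blob carries.
    versions_per_blob = Counter(b["name"] for b in blobs if b.get("versionId"))
    for name, count in sorted(versions_per_blob.items()):
        if count >= MAX_VERSIONS_PER_BLOB:
            findings.append(
                f"{name} has {count} versions; keep below {MAX_VERSIONS_PER_BLOB} "
                "with a lifecycle rule that deletes old versions"
            )

    if pitr_eligible(account):
        if not restore.get("enabled"):
            findings.append("point-in-time restore is disabled on an eligible account")
        elif not (versioning_on and change_feed_on and soft_delete_on):
            # PITR depends on all three features being enabled.
            findings.append("point-in-time restore requires versioning, change feed and soft delete")
        elif restore.get("days", 0) >= soft_delete.get("days", 0):
            # The restore window must be at least one day shorter than soft-delete retention.
            findings.append("restore window must be shorter than the soft-delete retention period")
    return findings


# Constructed sample records in the shapes the Azure CLI commands above return.
SAMPLE_ACCOUNT = {"name": "stexample", "kind": "StorageV2",
                  "sku": {"name": "Standard_ZRS", "tier": "Standard"}, "isHnsEnabled": False}
HARDENED_PROPS = {"deleteRetentionPolicy": {"enabled": True, "days": 14},
                  "isVersioningEnabled": True, "changeFeed": {"enabled": True},
                  "restorePolicy": {"enabled": True, "days": 7}}
WEAK_PROPS = {"deleteRetentionPolicy": {"enabled": False},
              "isVersioningEnabled": True, "changeFeed": {"enabled": False},
              "restorePolicy": {"enabled": True, "days": 7}}
# logs/app.log has been overwritten 1200 times with versioning on; config.json once.
SAMPLE_BLOBS = [{"name": "logs/app.log", "versionId": f"2024-01-01T00:00:00.{i:07d}Z"}
                for i in range(1200)]
SAMPLE_BLOBS.append({"name": "config.json", "versionId": "2024-01-01T00:00:00.0000000Z"})

if __name__ == "__main__":
    for label, props in (("hardened", HARDENED_PROPS), ("weak", WEAK_PROPS)):
        print(label, check_data_protection(SAMPLE_ACCOUNT, props, SAMPLE_BLOBS) or ["ok"])
```

The PITR branch deliberately reports only one problem at a time: an account where restore is enabled but a prerequisite is off is misconfigured regardless of its retention arithmetic, so the retention comparison is only meaningful once all three prerequisites hold.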
Monitor all blob storage accounts
Impact: Low | Category: Monitoring and Alerting
APRL GUID: 96cb8331-6b06-8242-8ce8-4e2f665dc679
Description:
For critical applications and business processes that depend on Azure Storage, monitoring and alerting are essential. Resource logs are not retained until a diagnostic setting routes them to a destination (a Log Analytics workspace, a storage account or an event hub), and the setting must also select which log categories to collect (for the blob service: StorageRead, StorageWrite and StorageDelete).
Azure Resource Graph query: //under-development
Consider upgrading legacy storage accounts to v2 storage accounts
Impact: Low | Category: Scalability
APRL GUID: 2ad78dec-5a4d-4a30-8fd1-8584335ad781
Description:
General-purpose v2 (StorageV2) accounts are recommended for most storage scenarios: they carry the latest features and the lowest per-gigabyte pricing. The legacy account kinds, standard general-purpose v1 (Storage) and Blob Storage (BlobStorage), are not recommended by Microsoft, although they may still fit specific scenarios.
Enable Azure Private Link service for storage accounts
Impact: Medium | Category: Security
APRL GUID: dc55be60-6f8c-461e-a9d5-a3c7686ed94e
Description:
Use Azure Private Link to reach the storage account through a private endpoint in your VNet: clients connect to a private IP, traffic stays off the public internet, and the account's public endpoint can then be disabled instead of being guarded by IP allow-lists. Access is controlled per private endpoint and per network rather than by exposing a public IP.
Potential Benefits:
Secure, private access to storage with no public IPs
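Several of the account-level recommendations on this page (zone or region redundancy, upgrading legacy account kinds, Private Link, and blob-service monitoring) have no published ARG query here, so the following is an added example, not APRL's code, that applies those four checks locally to `resources` rows from Azure Resource Graph. The `ARG_QUERY` text, the two sample rows and the diagnostic-settings records are constructed for the example, and the function and constant names are the example's own.

```python
# Account-level checks over Azure Resource Graph rows for storage accounts.
ARG_QUERY = """
resources
| where type =~ 'microsoft.storage/storageaccounts'
| project id, name, kind, sku, properties
"""

LEGACY_KINDS = {"Storage", "BlobStorage"}          # GPv1 and Blob Storage accounts
BLOB_LOG_CATEGORIES = {"StorageRead", "StorageWrite", "StorageDelete"}


def check_account(row: dict, blob_diag_settings: list) -> list:
    """Return findings for one ARG row plus the diagnostic settings of its blob
    service (`az monitor diagnostic-settings list --resource <id>/blobServices/default`)."""
    findings = []
    props = row.get("properties") or {}

    # Redundancy: Standard_LRS / Premium_LRS keep every copy in one datacenter.
    sku = (row.get("sku") or {}).get("name", "")
    if sku.endswith("LRS"):
        findings.append(f"{sku} is locally redundant; use a ZRS or geo-redundant SKU")

    # Legacy kinds: Microsoft recommends StorageV2 instead.
    kind = row.get("kind", "")
    if kind in LEGACY_KINDS:
        findings.append(f"legacy account kind {kind}; upgrade to StorageV2")

    # Private Link: at least one private endpoint, and the public endpoint closed.
    if not props.get("privateEndpointConnections"):
        findings.append("no private endpoint connection; expose the account via Private Link")
    public_access = props.get("publicNetworkAccess", "Enabled")   # absent means enabled
    default_action = (props.get("networkAcls") or {}).get("defaultAction", "Allow")
    if public_access != "Disabled" and default_action == "Allow":
        findings.append("public endpoint accepts traffic from all networks")

    # Monitoring: a diagnostic setting must route every blob log category somewhere.
    enabled = {log.get("category") for setting in blob_diag_settings
               for log in setting.get("logs", []) if log.get("enabled")}
    missing = BLOB_LOG_CATEGORIES - enabled
    if missing:
        findings.append("blob diagnostic setting missing log categories: " + ", ".join(sorted(missing)))
    return findings


def audit(rows: list, diag_by_name: dict) -> dict:
    """Map account name -> findings for every ARG row."""
    return {row["name"]: check_account(row, diag_by_name.get(row["name"], [])) for row in rows}


# Constructed sample rows in the shape ARG returns for the query above.
SAMPLE_ROWS = [
    {"name": "stprodzrs", "kind": "StorageV2",
     "sku": {"name": "Standard_ZRS", "tier": "Standard"},
     "properties": {"publicNetworkAccess": "Disabled",
                    "networkAcls": {"defaultAction": "Deny"},
                    "privateEndpointConnections": [{"name": "pe-stprodzrs"}]}},
    {"name": "stlegacylrs", "kind": "Storage",
     "sku": {"name": "Standard_LRS", "tier": "Standard"},
     "properties": {"networkAcls": {"defaultAction": "Allow"},
                    "privateEndpointConnections": []}},
]
# Constructed diagnostic settings for each account's blob service.
SAMPLE_DIAG = {
    "stprodzrs": [{"name": "to-law", "logs": [
        {"category": "StorageRead", "enabled": True},
        {"category": "StorageWrite", "enabled": True},
        {"category": "StorageDelete", "enabled": True}]}],
    "stlegacylrs": [],
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ROWS, SAMPLE_DIAG).items():
        print(name, findings or ["ok"])
```

To run it against a real tenant, fetch the rows with `az graph query -q "$ARG_QUERY" -o json` (they are under the `data` key of the response) and, for each account, the blob-service diagnostic settings with `az monitor diagnostic-settings list --resource "<account id>/blobServices/default"`. Blob-service properties such as soft delete and versioning are not exposed through ARG, which is why those recommendations are marked as not validatable with ARG above.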