feat(storage): add new check `storage_account_default_to_entra_authorization_enabled`
Context
This PR enforces the CIS Azure Benchmark control 10.3.3.1: Ensure that 'Default to Microsoft Entra authorization in the Azure portal' is set to 'Enabled' (Automated), aligned with Level 1 profile applicability.
The motivation is to enhance default access security for storage services in the Azure portal by leveraging identity-based authorization instead of less secure alternatives like Shared Key.
Description
This change introduces an automated compliance check to verify that the Azure portal defaults to Microsoft Entra ID (formerly Azure AD) for authorizing requests to Azure Storage resources such as blobs, files, queues, and tables.
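As an added illustration (not the code in this PR nor Prowler's own check class), the logic such a check applies, run over constructed ARM-style storage account records; it assumes the ARM REST shape where the setting lives at `properties.defaultToOAuthAuthentication`, and treats an unset property as a failure because Azure's default is to prefer Shared Key in the portal.

```python
"""Standalone illustration of the 'default to Entra authorization' check.

Evaluates ARM-style storage account JSON and emits one PASS/FAIL finding
per account, the way a Prowler Azure check reports. Added example only.
"""
from dataclasses import dataclass

# Azure exposes the portal default as the ARM REST property
# properties.defaultToOAuthAuthentication (true = Entra ID by default).
ARM_PROPERTY = "defaultToOAuthAuthentication"


@dataclass
class Finding:
    subscription: str
    resource_id: str
    status: str          # "PASS" or "FAIL"
    status_extended: str


def evaluate_storage_accounts(subscription: str, accounts: list) -> list:
    """Return one Finding per storage account.

    An account passes only when the property is explicitly true. A missing
    property is treated as FAIL: Azure does not enable it unless set.
    """
    findings = []
    for account in accounts:
        props = account.get("properties") or {}
        enabled = props.get(ARM_PROPERTY) is True
        name = account.get("name", "<unknown>")
        verb = "defaults" if enabled else "does not default"
        detail = f"Storage account {name} {verb} to Microsoft Entra authorization in the Azure portal."
        status = "PASS" if enabled else "FAIL"
        findings.append(Finding(subscription, account.get("id", name), status, detail))
    return findings


# Constructed sample data; subscription, ids and names are placeholders.
RG = "/subscriptions/sub-1/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/"
SAMPLE_ACCOUNTS = [
    {"id": RG + "stentraok", "name": "stentraok",
     "properties": {"defaultToOAuthAuthentication": True}},
    {"id": RG + "stsharedkey", "name": "stsharedkey",
     "properties": {"defaultToOAuthAuthentication": False}},
    {"id": RG + "stlegacy", "name": "stlegacy", "properties": {}},  # never set
]

if __name__ == "__main__":
    for f in evaluate_storage_accounts("sub-1", SAMPLE_ACCOUNTS):
        print(f.status, f.resource_id, "-", f.status_extended)
```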
Checklist
- Are there new checks included in this PR? Yes / No
- If so, do we need to update permissions for the provider? Please review this carefully.
- [ ] Review if the code is being covered by tests.
- [ ] Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
- [ ] Review if backport is needed.
- [ ] Review if the Readme.md needs to be changed.
- [ ] Ensure new entries are added to CHANGELOG.md, if applicable.
API
- [ ] Verify if API specs need to be regenerated.
- [ ] Check if version updates are required (e.g., specs, Poetry, etc.).
- [ ] Ensure new entries are added to CHANGELOG.md, if applicable.
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Codecov Report
All modified and coverable lines are covered by tests.
Project coverage is 81.19%. Comparing base (f9aed36) to head (4b4dea1).
Warning: Report is 462 commits behind head on master.
Additional details and impacted files
@@ Coverage Diff @@
## master #7981 +/- ##
==========================================
+ Coverage 81.15% 81.19% +0.03%
==========================================
Files 268 269 +1
Lines 9557 9576 +19
==========================================
+ Hits 7756 7775 +19
Misses 1801 1801
| Flag | Coverage Δ | |
|---|---|---|
| prowler | 81.19% <100.00%> (+0.03%) | ↑ |
| Components | Coverage Δ | |
|---|---|---|
| prowler | 81.19% <100.00%> (+0.03%) | ↑ |
| api | ∅ <ø> (∅) | |