Below are best practices and recommendations for Azure Storage Accounts. They are not limited to Azure; most also apply to other cloud platforms such as AWS and GCP.
• Use a separate storage account per application, with RBAC so that only the application team can access that application's data in storage.
• Storage name: storage account names must be unique across Azure, so use a structured naming convention with an index number at the end so that one BU can have multiple storage accounts for one application.
• Disable “public access from all networks” at the time of storage account creation and create a private endpoint so that authorized users access all data over a private IP.
• Disable blob public access at the time of storage account creation so that anonymous ACLs cannot be added to blobs.
• Premium: the Premium SKU is recommended for all production applications that require high transaction rates, consistently low storage latency and high IOPS. Premium performance storage accounts use solid-state drives (SSDs) for low latency and high throughput.
• Premium does not support GRS replication, so automation (PowerShell/CLI) is required to replicate the storage account to the DR region.
• Standard (default): the Standard SKU is recommended for all scenarios including dev, test, lab and in some cases prod, since the Standard tier supports GRS.
• Apply appropriate tags to identify owner, application, environment, BU, chargeback, requester, date created, etc.
• Turn on diagnostic logging: enable logging for the Azure storage account and send all logs to Log Analytics.
• Encryption: enable storage encryption with a customer-managed key (CMK) and generate the encryption key in a BU/application-specific Key Vault.
• Enable Microsoft Defender.
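As an added example (not part of the original list), a Python audit script that evaluates the JSON returned by `az storage account show` against the network, anonymous-access, SKU, encryption and tagging items above. The required tag keys and both sample documents are assumptions constructed here; diagnostic settings and Defender are separate resources and are not covered by this check.

```python
"""Audit a storage account's ARM properties against the checklist above.
Input is the JSON printed by `az storage account show -n <name> -g <rg>`."""
import json

# Assumed tag keys (the list above names the categories, not the exact keys)
REQUIRED_TAGS = {"owner", "application", "environment", "bu", "chargeback", "requester"}

def check_storage_account(acct: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Public network access off, default network rule Deny, private endpoint present
    if acct.get("publicNetworkAccess") != "Disabled":
        findings.append("public network access is enabled")
    if acct.get("networkRuleSet", {}).get("defaultAction") != "Deny":
        findings.append("network rule set does not default to Deny")
    if not acct.get("privateEndpointConnections"):
        findings.append("no private endpoint connection")
    # Anonymous blob access must be explicitly disabled; a missing key is not good enough
    if acct.get("allowBlobPublicAccess") is not False:
        findings.append("anonymous blob public access is not disabled")
    # Premium SKUs have no GRS option, so DR replication must be arranged separately
    if acct.get("sku", {}).get("name", "").startswith("Premium_"):
        findings.append("premium SKU: no GRS, arrange DR replication by automation")
    # Encryption at rest must use a customer-managed key held in Key Vault
    if acct.get("encryption", {}).get("keySource") != "Microsoft.Keyvault":
        findings.append("encryption uses a platform-managed key, not CMK")
    missing = sorted(REQUIRED_TAGS - {k.lower() for k in acct.get("tags", {})})
    if missing:
        findings.append("missing tags: " + ", ".join(missing))
    return findings

# Constructed sample: a premium account created with portal defaults
DEFAULT_ACCOUNT = json.loads("""{"name": "stapp01", "sku": {"name": "Premium_LRS"},
  "publicNetworkAccess": "Enabled", "networkRuleSet": {"defaultAction": "Allow"},
  "privateEndpointConnections": [], "allowBlobPublicAccess": true,
  "encryption": {"keySource": "Microsoft.Storage"}, "tags": {"Owner": "team-a"}}""")

# Constructed sample: the same account after applying the recommendations
HARDENED_ACCOUNT = json.loads("""{"name": "stapp01", "sku": {"name": "Standard_GRS"},
  "publicNetworkAccess": "Disabled", "networkRuleSet": {"defaultAction": "Deny"},
  "privateEndpointConnections": [{"id": "<private-endpoint-resource-id>"}],
  "allowBlobPublicAccess": false, "encryption": {"keySource": "Microsoft.Keyvault"},
  "tags": {"Owner": "team-a", "Application": "app1", "Environment": "prod",
           "BU": "finance", "Chargeback": "CC-100", "Requester": "jdoe"}}""")

if __name__ == "__main__":
    for acct in (DEFAULT_ACCOUNT, HARDENED_ACCOUNT):
        print(acct["name"], check_storage_account(acct) or ["compliant"])
```

To audit a live account, pipe `az storage account show ... -o json` into `json.load` and pass the result to `check_storage_account`.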