My EV2 script is of type Microsoft.Resources/deploymentScripts:
{
  "type": "Microsoft.Resources/deploymentScripts",
  "apiVersion": "2020-10-01",
  "kind": "AzurePowerShell",
  "name": "[variables('waitTimeForDSSettingsName')]",
  "location": "[variables('defaultLocation')]",
  "dependsOn": [
    "[extensionResourceId(resourceId('Microsoft.Network/networkSecurityPerimeters', variables('nspResourceName')), 'Microsoft.Insights/diagnosticSettings', parameters('dsSettingName'))]"
  ],
  "properties": {
    "forceUpdateTag": "[parameters('waitTimeForDSSettingsTag')]",
    "azPowerShellVersion": "3.0",
    "scriptContent": "start-sleep -Seconds 120",
    "cleanupPreference": "Always",
    "retentionInterval": "PT1H"
  }
}
This creates a storage account for which allowSharedKeyAccess cannot be set to False. Even if we use an existing storage account, shared key access cannot be disabled. Documentation here.
The S360 guidelines clearly state: all Microsoft-owned storage accounts must:
What exception can be requested for this issue?
This creates a storage account for which allowSharedKeyAccess cannot be set to False. Even if we use an existing storage account, shared key access cannot be disabled. Documentation here.
As you stated, the deployment script resource you are using requires an Azure Storage account with shared key access enabled. This violates the S360 guideline that requires shared key access to be turned off.
You can use this MS-Document (PowerShell, CLI and templates).
Command to manually disable shared key access on an existing storage account:
az storage account update \
--name <storage-account> \
--resource-group <resource-group> \
--allow-shared-key-access false
Output:
venkatesan [ ~ ]$ az storage account update --name venkatzzz123 --resource-group venkzzz-rg --allow-shared-key-access false
{
  "accessTier": "Hot",
  "accountMigrationInProgress": null,
  "allowBlobPublicAccess": true,
  "allowCrossTenantReplication": false,
  "allowSharedKeyAccess": false,
  "allowedCopyScope": null,
  "azureFilesIdentityBasedAuthentication": null,
  "blobRestoreStatus": null,
  "creationTime": "2024-07-11T06:19:00.608375+00:00",
  "customDomain": null,
  "defaultToOAuthAuthentication": false,
  "dnsEndpointType": "Standard",
  "enableExtendedGroups": null,
  "enableHttpsTrafficOnly": true,
  "enableNfsV3": null,
  "encryption": {
    "encryptionIdentity": null,
    "keySource": "Microsoft.Storage",
    "keyVaultProperties": null,
    "requireInfrastructureEncryption": false,
    "services": {
      "blob": {
        "enabled": true,
        "keyType": "Account",
        "lastEnabledTime": "2024-07-11T06:19:00.748996+00:00"
      },
      "file": {
        "enabled": true,
        "keyType": "Account",
        "lastEnabledTime": "2024-07-11T06:19:00.748996+00:00"
      },
      "queue": null,
      "table": null
    }
  },
  "extendedLocation": null,
  "failoverInProgress": null,
  "geoReplicationStats": null,
  "id": "/subscriptions/b8287d24-6b90-4f69-a971-e7c0e43fec67/resourceGroups/venkatesan-rg/providers/Microsoft.Storage/storageAccounts/venkat326123",
  "identity": null,
  "immutableStorageWithVersioning": null,
  "isHnsEnabled": null,
  "isLocalUserEnabled": null,
  "isSftpEnabled": null,
  "isSkuConversionBlocked": null,
  "keyCreationTime": {
    "key1": "2024-07-11T06:19:00.748996+00:00",
    "key2": "2024-07-11T06:19:00.748996+00:00"
  },
  "keyPolicy": null,
  "kind": "StorageV2",
  "largeFileSharesState": "Enabled",
  "lastGeoFailoverTime": null,
  "location": "eastus",
  "minimumTlsVersion": "TLS1_2",
  "name": "venkat326123",
  "networkRuleSet": {
    "bypass": "AzureServices",
    "defaultAction": "Allow",
    "ipRules": [],
    "ipv6Rules": [],
    "resourceAccessRules": null,
    "virtualNetworkRules": []
  },
  "primaryEndpoints": {
    "blob": "https://venkat326123.blob.core.windows.net/",
    "dfs": "https://venkat326123.dfs.core.windows.net/",
    "file": "https://venkat326123.file.core.windows.net/",
    "internetEndpoints": null,
    "microsoftEndpoints": null,
    "queue": "https://venkat326123.queue.core.windows.net/",
    "table": "https://venkat326123.table.core.windows.net/",
    "web": "https://venkat326123.z13.web.core.windows.net/"
  },
  "primaryLocation": "eastus",
  "privateEndpointConnections": [],
  "provisioningState": "Succeeded",
  "publicNetworkAccess": "Enabled",
  "resourceGroup": "venkatesan-rg",
  "routingPreference": null,
  "sasPolicy": null,
  "secondaryEndpoints": {
    "blob": "https://venkat326123-secondary.blob.core.windows.net/",
    "dfs": "https://venkat326123-secondary.dfs.core.windows.net/",
    "file": null,
    "internetEndpoints": null,
    "microsoftEndpoints": null,
    "queue": "https://venkat326123-secondary.queue.core.windows.net/",
    "table": "https://venkat326123-secondary.table.core.windows.net/",
    "web": "https://venkat326123-secondary.z13.web.core.windows.net/"
  },
  "secondaryLocation": "westus",
  "sku": {
    "name": "Standard_RAGRS",
    "tier": "Standard"
  },
  "statusOfPrimary": "available",
  "statusOfSecondary": "available",
  "storageAccountSkuConversionStatus": null,
  "tags": {},
  "type": "Microsoft.Storage/storageAccounts"
}
You can verify this in the portal.
After disabling shared key access, you can authenticate using managed identity.
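The `az storage account update` output above is the same JSON shape that `az storage account show` returns, so it can be fed to an audit script that checks whether the S360-relevant setting actually took effect, alongside a few related hardening properties that also appear in that output (`allowBlobPublicAccess`, `enableHttpsTrafficOnly`, `minimumTlsVersion`, `publicNetworkAccess`, `networkRuleSet.defaultAction`). The following is an added example, not code from the question, the answer, or Microsoft; the sample account object is constructed and trimmed to the fields the checks read, and the thresholds (TLS 1.2 minimum, default deny when public access is enabled) are the example's own assumptions, not a quotation of the S360 guideline.

```python
import json

# Constructed sample: a trimmed copy of the `az storage account` JSON shape
# shown above. Field names are real; the name and values are made up here.
SAMPLE_ACCOUNT_JSON = """
{
  "name": "examplestorage001",
  "allowSharedKeyAccess": false,
  "allowBlobPublicAccess": true,
  "defaultToOAuthAuthentication": false,
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_2",
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}
}
"""


def audit_storage_account(account: dict) -> list[str]:
    """Return a list of findings for one storage account properties object.

    Field names match what `az storage account show/update` prints. A missing
    or null allowSharedKeyAccess means the service default applies, and the
    default is shared-key access enabled, so None is treated as a finding.
    """
    findings = []
    if account.get("allowSharedKeyAccess") is not False:
        findings.append("shared key access is enabled (allowSharedKeyAccess != false)")
    if account.get("allowBlobPublicAccess") is not False:
        findings.append("anonymous blob access is allowed (allowBlobPublicAccess != false)")
    if account.get("enableHttpsTrafficOnly") is not True:
        findings.append("plain HTTP is permitted (enableHttpsTrafficOnly != true)")
    # TLS1_0 and TLS1_1 are the two legacy values this check rejects; a null value
    # means the platform default, which this example also does not accept.
    if account.get("minimumTlsVersion") in (None, "TLS1_0", "TLS1_1"):
        findings.append(
            f"minimum TLS version is {account.get('minimumTlsVersion')!r}, expected TLS1_2 or higher"
        )
    rules = account.get("networkRuleSet") or {}
    if account.get("publicNetworkAccess") == "Enabled" and rules.get("defaultAction") == "Allow":
        findings.append("public network access is enabled and the firewall default action is Allow")
    return findings


def audit_az_output(raw_json: str) -> dict[str, list[str]]:
    """Parse raw `az` JSON (a single account object or a list of them) and
    audit each account, keyed by account name."""
    data = json.loads(raw_json)
    accounts = data if isinstance(data, list) else [data]
    return {acct["name"]: audit_storage_account(acct) for acct in accounts}


if __name__ == "__main__":
    # Offline run against the constructed sample; in practice pipe in
    # `az storage account show ... -o json` or `az storage account list -o json`.
    for name, findings in audit_az_output(SAMPLE_ACCOUNT_JSON).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the constructed sample, the script reports no shared-key finding (the update succeeded) but still flags anonymous blob access and the open network default, which is the kind of follow-up a reviewer would want to see after the `--allow-shared-key-access false` change.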