Open sarahecraddock opened 2 days ago
@sarahecraddock @eddie-knight:
Since the control specifically mentions cross-tenant access and allowlisted services, it should be read as additional restrictions or authorizations are required to control access for entities coming from outside the primary Azure tenant.
This may need to be more explicit. Intention here is more like:
Default deny: The control denies all cross-tenant access by default, allowing access only when cross-tenant access is explicitly allowlisted
Notes from working session call:
Support Question
I am working on the Azure Raid for Azure Blob Storage and I have a question about a specific control test: CCC.C05.TR04: The service prevents unauthorized cross-tenant access, ensuring that only allowlisted services from other tenants can access resources.
What is this test intended to test? From the authorized reference I presume this is referring to access at the authorization level rather than network-level access to the resource. In Azure, access to storage accounts is via RBAC, or SAS key, or public anonymous access. I have currently written tests for SAS key access and public anonymous access being disabled, which is a best practice for secure Azure blob storage. This means that only RBAC will enable access, and any identity, whether cross-tenant or within the tenant, will need to have the correct role assigned to access the resource. Is there anything I am missing here, as none of these are cross-tenant-specific...
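An added example, not code from this issue or from the CCC project, showing how the three access paths described above (shared key/SAS, anonymous access, RBAC) could be evaluated together with a default-deny rule for principals from other tenants. The account dict mimics the `allowSharedKeyAccess` and `allowBlobPublicAccess` properties of an ARM storage account resource; the role-assignment records and their `principalTenantId` field are constructed assumptions, since the caller is assumed to have already resolved each principal's home tenant.

```python
from dataclasses import dataclass

# Hypothetical tenant ids for the constructed sample (not real tenants).
PRIMARY_TENANT = "tenant-primary"
PARTNER_TENANT = "tenant-partner"

@dataclass
class Finding:
    check: str
    passed: bool
    detail: str

def evaluate_storage_account(account, role_assignments, allowlisted_tenants,
                             primary_tenant=PRIMARY_TENANT):
    """One Finding per access path. A missing flag counts as NOT disabled:
    the check requires an explicit False rather than trusting service defaults."""
    props = account.get("properties", {})
    findings = []
    # Path 1: shared-key / SAS authorization; must be explicitly False so that
    # only RBAC can authorize a request.
    shared_key = props.get("allowSharedKeyAccess")
    findings.append(Finding("shared_key_disabled", shared_key is False,
                            f"allowSharedKeyAccess={shared_key!r}"))
    # Path 2: anonymous (public) blob access.
    public = props.get("allowBlobPublicAccess")
    findings.append(Finding("public_access_disabled", public is False,
                            f"allowBlobPublicAccess={public!r}"))
    # Path 3: RBAC, default deny: a principal from another tenant passes only
    # if its home tenant is allowlisted. `principalTenantId` is a constructed
    # field; the caller is assumed to have resolved each principal's tenant.
    for ra in role_assignments:
        tenant = ra["principalTenantId"]
        if tenant != primary_tenant:
            findings.append(Finding("cross_tenant_allowlisted",
                                    tenant in allowlisted_tenants,
                                    f"{ra['principalId']} from {tenant}: {ra['role']}"))
    return findings

def is_compliant(account, role_assignments, allowlisted_tenants):
    return all(f.passed for f in evaluate_storage_account(
        account, role_assignments, allowlisted_tenants))

# Constructed sample: hardened account, one allowlisted and one unknown guest.
SAMPLE_ACCOUNT = {"name": "examplestorage",
                  "properties": {"allowSharedKeyAccess": False, "allowBlobPublicAccess": False}}
SAMPLE_ASSIGNMENTS = [
    {"principalId": "user-a", "principalTenantId": PRIMARY_TENANT, "role": "Storage Blob Data Reader"},
    {"principalId": "svc-b", "principalTenantId": PARTNER_TENANT, "role": "Storage Blob Data Reader"},
    {"principalId": "svc-c", "principalTenantId": "tenant-unknown", "role": "Storage Blob Data Contributor"},
]
```

With the sample data, `is_compliant(SAMPLE_ACCOUNT, SAMPLE_ASSIGNMENTS, {PARTNER_TENANT})` returns False because of the assignment from the unknown tenant, and an account with neither flag set fails both configuration checks.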