A Privateer plugin that evaluates Azure Blob Storage accounts against the CCC Object Storage catalog controls.
This plugin connects to an Azure Storage Account and evaluates its configuration against the Common Cloud Controls (CCC) Object Storage catalog. It checks encryption, access control, versioning, immutability, logging, network restrictions, and policy compliance — producing a structured report of passed, failed, and review-needed controls.
- Go 1.26.2 or later
- An Azure subscription with a Storage Account to evaluate
- Azure credentials (one of the following):
  - An active `az login` session
  - A service principal with Reader + Security Reader roles
  - A bearer token from `az account get-access-token`
The plugin performs read-only operations. Minimum required roles:
| Role | Scope | Covers |
|---|---|---|
| Reader | Resource group or storage account | Storage properties, blob service, diagnostics, policy assignments |
| Security Reader | Subscription | Microsoft Defender for Storage settings |
```sh
git clone https://github.com/revanite-io/pvtr-azure-blob-storage.git
cd pvtr-azure-blob-storage
make build
```

Alternatively, download the latest binary from the releases page.

Copy `example-config.yml` and customize it:

```sh
cp example-config.yml config.yml
```

At minimum, set `storageaccountresourceid` to your target storage account:
```yaml
services:
  myService1:
    plugin: pvtr-azure-blob-storage
    policy:
      catalogs: ["CCC.ObjStor"]
    vars:
      storageaccountresourceid: /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<account-name>
```

The plugin tries authentication methods in this order:

1. Bearer token (short-lived, for one-off runs):

   ```yaml
   vars:
     token: <bearer-token>
   ```

   Generate via:

   ```sh
   az account get-access-token --resource https://management.azure.com --query accessToken -o tsv
   ```

2. Service principal (long-lived, for CI/automation):

   ```yaml
   vars:
     clientid: <application-client-id>
     clientsecret: <client-secret-value>
     tenantid: <azure-ad-tenant-id>
   ```

3. DefaultAzureCredential (no config needed) — uses `az login`, managed identity, or `AZURE_*` environment variables automatically.
This plugin is designed to run via Privateer. See the Privateer documentation for details on running plugins.
For local development and debugging:
```sh
make build
```

The plugin evaluates controls from two CCC catalogs:
| Control | Description |
|---|---|
| CN01 | Prevent requests with untrusted KMS keys |
| CN02 | Uniform bucket-level access enforcement |
| CN03 | Bucket deletion recovery and immutability |
| CN04 | Default retention policies |
| CN05 | Object versioning |
| CN06 | Access logging |
| CN07 | MFA deletion protection |

| Control | Description |
|---|---|
| CN01 | Encryption in transit (TLS) |
| CN02 | Encryption at rest |
| CN03 | Authentication required |
| CN04 | Access attempts logged |
| CN05 | Network access restricted |
| CN06 | Deployment restricted to regions |
| CN07 | Defender alerts enabled |
| CN09 | Log access controlled |
| CN10 | Replication to untrusted prevented |
| CN11 | Customer-managed keys used |
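As an added illustration of how a handful of the controls above map account settings onto the report's three outcomes (example code written for this README, not the plugin's own evaluator): it assumes a constructed `AccountProps` view of the account rather than the Azure SDK's types, takes `TLS1_2` as the required minimum TLS version, and names each control by its catalog description from the tables.

```go
package main

import "fmt"

// Status is one of the three report outcomes the plugin produces.
type Status string

const (Passed, Failed, Review Status = "passed", "failed", "review-needed")
// AccountProps is a constructed, simplified view of the account settings the
// checks need; an assumption for this example, not the Azure SDK's model.
type AccountProps struct {
	HTTPSOnly           bool
	MinTLSVersion       string // e.g. "TLS1_2"
	PublicNetworkAccess string // "Enabled" or "Disabled"
	AllowBlobPublic     bool
	VersioningEnabled   bool
	CMKKeyVaultURI      string // empty means Microsoft-managed keys
	DefenderForStorage  *bool  // nil when Defender settings could not be read
}

// Finding pairs a control (named by its catalog description) with an outcome.
type Finding struct {
	Control string
	Status  Status
	Reason  string
}
// Evaluate runs a subset of the catalog checks over p, one finding per control.
func Evaluate(p AccountProps) []Finding {
	var out []Finding
	check := func(control string, ok bool, why string) {
		st := Passed
		if !ok {
			st = Failed
		}
		out = append(out, Finding{control, st, why})
	}
	check("Encryption in transit (TLS)", p.HTTPSOnly && p.MinTLSVersion == "TLS1_2", fmt.Sprintf("httpsOnly=%v minTls=%s", p.HTTPSOnly, p.MinTLSVersion))
	check("Authentication required", !p.AllowBlobPublic, fmt.Sprintf("allowBlobPublicAccess=%v", p.AllowBlobPublic))
	check("Network access restricted", p.PublicNetworkAccess == "Disabled", "publicNetworkAccess="+p.PublicNetworkAccess)
	check("Object versioning", p.VersioningEnabled, fmt.Sprintf("isVersioningEnabled=%v", p.VersioningEnabled))
	check("Customer-managed keys used", p.CMKKeyVaultURI != "", "keyVaultUri="+p.CMKKeyVaultURI)
	// Settings the caller could not read (e.g. no Security Reader role) need human review, not a failure.
	if p.DefenderForStorage == nil {
		out = append(out, Finding{"Defender alerts enabled", Review, "Defender settings unreadable"})
	} else {
		check("Defender alerts enabled", *p.DefenderForStorage, fmt.Sprintf("defenderEnabled=%v", *p.DefenderForStorage))
	}
	return out
}
```

Unreadable settings are deliberately routed to `review-needed` so a missing role does not show up as a false control failure.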
```sh
# Run tests
make test
# Run tests with coverage
make test-cov
# Build
make build
# Tidy dependencies
make tidy
```

We welcome contributions. See CONTRIBUTING.md for guidelines on how to get started.
Looking for something to work on? Check the contribute page for good first issues.
- privateer-sdk - The SDK this plugin is built on
- go-gemara - Assessment framework types
- Common Cloud Controls - The control catalogs evaluated by this plugin