Access controls (CC6.x)
Identity, authentication, and resource-level access controls.
Description
Controls in this family enforce least-privilege access to Azure resources and require strong authentication for human and workload identities.
Why it matters
Most SOC2 findings start with over-privileged identities. CC6 is your auditor's first stop.
What we check
- MFA enforced on all privileged accounts
- No standing owner role assignments outside PIM
- Storage account public access disabled
- Key Vault firewall configured
Azure permissions needed
- Directory.Read.All
- Reader on each subscription
How to fix
# Disable public network access on a storage account
az storage account update \
--name <name> --resource-group <rg> \
--public-network-access Disabled
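The four checks listed above can be evaluated offline against the JSON that the `az` CLI emits. The script below is an added example, not this project's checker; its inputs are constructed samples of `az storage account list`, `az keyvault show` and `az role assignment list --all` output, and the PIM-managed allowlist is an assumed operator-supplied input, since PIM eligibility is not visible in plain role-assignment output.

```python
"""Evaluate the CC6 checks over az CLI JSON (added example, constructed inputs)."""
import json

# Constructed sample of `az storage account list -o json`, fields trimmed.
STORAGE = json.loads('''[
 {"name": "logsprod", "publicNetworkAccess": "Disabled", "allowBlobPublicAccess": false},
 {"name": "webassets", "publicNetworkAccess": "Enabled", "allowBlobPublicAccess": true}
]''')
# Constructed sample of `az keyvault show -o json` for each vault, fields trimmed.
VAULTS = json.loads('''[
 {"name": "kv-prod", "properties": {"networkAcls": {"defaultAction": "Deny"}}},
 {"name": "kv-dev", "properties": null}
]''')
# Constructed sample of `az role assignment list --all -o json`, fields trimmed.
ROLES = json.loads('''[
 {"principalName": "alice@example.com", "roleDefinitionName": "Owner",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalName": "bob@example.com", "roleDefinitionName": "Reader",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]''')

def check_storage(accounts):
    """Flag accounts reachable from the public network or allowing anonymous blob access."""
    return [a["name"] for a in accounts
            if a.get("publicNetworkAccess") != "Disabled" or a.get("allowBlobPublicAccess")]

def check_keyvault(vaults):
    """Flag vaults whose firewall does not deny by default; a missing ACL block counts as open."""
    findings = []
    for v in vaults:
        acls = (v.get("properties") or {}).get("networkAcls") or {}
        if acls.get("defaultAction") != "Deny":
            findings.append(v["name"])
    return findings

def check_owner(assignments, pim_managed=()):
    """Flag Owner assignments whose principal is not in the PIM-managed allowlist.
    Assumption: the operator exports PIM-managed principals separately."""
    return [r["principalName"] for r in assignments
            if r["roleDefinitionName"] == "Owner" and r["principalName"] not in pim_managed]

def run_all(pim_managed=()):
    """Return one finding list per check; empty lists mean the control passes."""
    return {"storage_public": check_storage(STORAGE),
            "keyvault_open": check_keyvault(VAULTS),
            "standing_owner": check_owner(ROLES, pim_managed)}

if __name__ == "__main__":
    print(json.dumps(run_all(), indent=2))
```

MFA enforcement is not covered here because it requires Microsoft Graph sign-in or authentication-method data rather than resource-level JSON.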