Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
The storage account container containing the activity log export should not be publicly accessible.
Risk Level: High
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.LOG.13
Covered by Spectral: No
Category: Storage
GSL LOGIC
StorageAccount where blobContainers with [ name='insights-operational-logs' ] should have blobContainers contain [ publicAccess='None' ]
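The GSL line above is what CloudGuard evaluates against its inventory. The following Python script is an added example, not CloudGuard's own code or the GSL engine: it applies the same check offline to a constructed inventory shaped after the GSL entity names (StorageAccount, blobContainers, name, publicAccess) and reports the accounts whose insights-operational-logs container is reachable anonymously. The inventory format, the account names and the helper names are assumptions made for this example; only the container name, the rule ID and the compliant value 'None' come from the rule.

```python
"""Offline evaluation of CloudGuard rule D9.AZU.LOG.13 over a constructed inventory.

Assumed inventory shape (modelled on the GSL entity names, not a real CloudGuard
export): each storage account is a dict with a 'name' and a 'blobContainers'
list; each container has a 'name' and a 'publicAccess' level, which in Azure
is one of 'None' (private), 'Blob' or 'Container'.
"""
from typing import Iterable, List, Optional, Tuple

LOG_CONTAINER = "insights-operational-logs"   # container written by the activity-log export
COMPLIANT_ACCESS = "None"                      # the only level the rule accepts

# Constructed sample inventory; the account names are placeholders, not real accounts.
SAMPLE_ACCOUNTS = [
    {"name": "stlogsprod", "blobContainers": [
        {"name": LOG_CONTAINER, "publicAccess": "None"},
        {"name": "public-assets", "publicAccess": "Blob"},   # out of scope for this rule
    ]},
    {"name": "stlogsdev", "blobContainers": [
        {"name": LOG_CONTAINER, "publicAccess": "Container"},  # listing and reads allowed anonymously
    ]},
    {"name": "stlegacy", "blobContainers": [
        {"name": LOG_CONTAINER, "publicAccess": "Blob"},       # anonymous reads of individual blobs
    ]},
    {"name": "stnoexport", "blobContainers": [
        {"name": "data", "publicAccess": "None"},              # no log export here at all
    ]},
]


def log_container(account: dict) -> Optional[dict]:
    """Return the activity-log export container of an account, or None if absent."""
    for container in account.get("blobContainers", []):
        if container.get("name") == LOG_CONTAINER:
            return container
    return None


def evaluate(account: dict) -> str:
    """Return 'PASS', 'FAIL' or 'NOT_APPLICABLE' for one storage account.

    Mirrors the GSL 'where' clause: accounts without the export container are
    not in scope. A missing publicAccess value is treated as a failure so the
    check fails closed rather than silently passing on incomplete data.
    """
    container = log_container(account)
    if container is None:
        return "NOT_APPLICABLE"
    return "PASS" if container.get("publicAccess") == COMPLIANT_ACCESS else "FAIL"


def findings(accounts: Iterable[dict]) -> List[Tuple[str, str]]:
    """List (account name, observed public access level) for every failing account."""
    failed = []
    for account in accounts:
        if evaluate(account) == "FAIL":
            level = log_container(account).get("publicAccess", "<unset>")
            failed.append((account["name"], level))
    return failed


if __name__ == "__main__":
    for name, level in findings(SAMPLE_ACCOUNTS):
        print(f"FAIL {name}: {LOG_CONTAINER} publicAccess={level} (expected {COMPLIANT_ACCESS})")
```

Note that the 'public-assets' container on stlogsprod is deliberately left public in the sample: this rule only looks at the container holding the activity-log export, so other public containers need their own rule.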
REMEDIATION
From Portal
- Search for Storage Accounts to open the Storage accounts blade
- Click on the storage account name
- In the Blob service section, click Containers; the next blade lists all the containers
- Look for the container named insights-operational-logs and click ... in the rightmost column to open the context menu
- Click Access Policy in the context menu and set Public Access Level to Private (no anonymous access)
- Click Save
From TF
Set the 'container_access_type' argument of the 'azurerm_storage_container' resource to 'private' (the resource name and the storage account reference below are placeholders):
resource "azurerm_storage_container" "example" {
  name                  = "insights-operational-logs"
  storage_account_name  = azurerm_storage_account.example.name  # the account that receives the export
  container_access_type = "private"                             # no anonymous access
}
From Command Line
Run
az storage container set-permission --name insights-operational-logs --account-name <STORAGE_ACCOUNT_NAME> --public-access off
References
- https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer
- https://docs.microsoft.com/en-us/cli/azure/storage/container?view=azure-cli-latest#az-storage-container-set-permission
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container#container_access_type
Azure Storage Account
An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.
Compliance Frameworks
- AZU PCI-DSS 4.0
- Azure CIS Foundations v. 1.2.0
- Azure CIS Foundations v. 1.3.0
- Azure CIS Foundations v. 1.3.1
- Azure CIS Foundations v. 1.4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CSA CCM v.4.0.1
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated about 1 year ago