Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible

The storage account container containing the activity log export should not be publicly accessible.

Risk Level: High
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.LOG.13
Covered by Spectral: No
Category: Storage

GSL LOGIC

StorageAccount where blobContainers with [ name='insights-operational-logs' ] should have blobContainers contain [ publicAccess='None' ]

REMEDIATION

From Portal

  1. Search for Storage Accounts to access Storage account blade
  2. Click on the storage account name
  3. In the Blob service section, click Containers. All containers in the account are listed in the next blade
  4. Look for the container named insights-operational-logs and click ... in the rightmost column to open the context menu
  5. Click Access Policy from the context menu and set Public Access Level to Private (no anonymous access)
  6. Click Save.

From TF
Set the 'container_access_type' argument under 'azurerm_storage_container' to 'private':

resource "azurerm_storage_container" "example" {
	..
	container_access_type = "private"
	..
}

From Command Line
Run

az storage container set-permission --name insights-operational-logs --account-name <STORAGE_ACCOUNT_NAME> --public-access off
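
The following added example (not CloudGuard's or Microsoft's code) evaluates this rule offline against storage-account records shaped like the Azure management-plane output (name, blobContainers[].name, blobContainers[].publicAccess). It checks the insights-operational-logs container itself rather than any container on the account, and treats an absent or null publicAccess as private, which is an assumption about how some tooling reports that state.

```python
# Added example: offline evaluation of CloudGuard rule D9.AZU.LOG.13
# against constructed storage-account records; not CloudGuard's own code.
from typing import Iterable, Optional

LOG_CONTAINER = "insights-operational-logs"


def is_private(public_access: Optional[str]) -> bool:
    """Azure reports 'None', 'Blob' or 'Container' for a blob container.
    Only 'None' is compliant. Assumption: a missing/null value is also
    treated as private, since the data-plane CLI omits it for private
    containers."""
    return public_access is None or str(public_access).lower() == "none"


def evaluate_account(account: dict) -> str:
    """Return 'compliant', 'non-compliant' or 'not-applicable'.

    Accounts without an insights-operational-logs container are out of
    scope; those with one must have every such container private."""
    log_containers = [c for c in account.get("blobContainers", [])
                      if c.get("name") == LOG_CONTAINER]
    if not log_containers:
        return "not-applicable"
    if all(is_private(c.get("publicAccess")) for c in log_containers):
        return "compliant"
    return "non-compliant"


def findings(accounts: Iterable[dict]) -> dict:
    """Map each storage account name to its evaluation result."""
    return {a["name"]: evaluate_account(a) for a in accounts}


# Constructed sample inventory: one compliant account, one whose log
# container is exposed (despite another private container), one out of scope.
SAMPLE_ACCOUNTS = [
    {"name": "stlogsprod", "blobContainers": [
        {"name": "insights-operational-logs", "publicAccess": "None"}]},
    {"name": "stlogsdev", "blobContainers": [
        {"name": "insights-operational-logs", "publicAccess": "Blob"},
        {"name": "backups", "publicAccess": "None"}]},
    {"name": "stwebassets", "blobContainers": [
        {"name": "$web", "publicAccess": "Container"}]},
]

if __name__ == "__main__":
    for name, result in findings(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {result}")
```

Feed it the JSON returned by your inventory tooling in place of SAMPLE_ACCOUNTS to get a per-account finding list.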

References

  1. https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer
  2. https://docs.microsoft.com/en-us/cli/azure/storage/container?view=azure-cli-latest#az-storage-container-set-permission
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container#container_access_type

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset