Ensure that 'Public access level' is disabled for storage accounts with blob containers
Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers unless it is strictly required. A shared access signature token should be used instead to provide controlled, time-limited access to blob containers.
Risk Level: Critical
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.NET.66
Covered by Spectral: No
Category: Storage
GSL LOGIC
StorageAccount should not have allowBlobPublicAccess=true
REMEDIATION
From Portal
- Go to Storage Accounts
- For each storage account, go to Containers under the Data Storage heading
- For each container, click Access policy
- Set Public access level to Private (no anonymous access)
- For each storage account, go to Allow Blob public access in Configuration
- Set Disabled if no anonymous access is needed on the storage account
From TF
Set the 'container_access_type' argument under 'azurerm_storage_container' to 'private':
resource "azurerm_storage_container" "example" {
  # ... other container arguments ...
  container_access_type = "private"   # no anonymous read access
}
From Command Line
- Identify the container name from the audit command
- Set the permission for public access to private (off) for the above container name, using the below command
az storage container set-permission --name CONTAINERNAME --public-access off --account-name ACCOUNTNAME --account-key ACCOUNTKEY
- Set Disabled if no anonymous access is wanted on the storage account
az storage account update --name STORAGEACCOUNT --resource-group RESOURCEGROUP --allow-blob-public-access false
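The GSL logic above evaluates the account-level allowBlobPublicAccess flag, while the command-line steps act on individual containers. The following is an added example (not CloudGuard's own code and not part of the original page) that applies both checks offline to a constructed inventory laid out in the shape of `az storage account list` and `az storage container list --account-name <account>` output (only the fields the check reads are included; the account and container names are made up). It distinguishes an effective exposure (account allows public access and a container ACL is public) from a latent one (container ACL is public but the account setting blocks it), and treats a missing allowBlobPublicAccess value as non-compliant, which is a conservative choice made here. The remediation strings it emits are the two commands from this page with the ACCOUNTKEY placeholder left in place.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample inventory (not real accounts), in the shape returned by
# `az storage account list` and `az storage container list --account-name <acct>`.
ACCOUNTS_JSON = """
[
  {"name": "stprod001",   "resourceGroup": "rg-prod",   "allowBlobPublicAccess": true},
  {"name": "stlogs002",   "resourceGroup": "rg-prod",   "allowBlobPublicAccess": false},
  {"name": "stlegacy003", "resourceGroup": "rg-legacy"}
]
"""
CONTAINERS_JSON = {
    "stprod001": """[
      {"name": "public-assets", "properties": {"publicAccess": "blob"}},
      {"name": "private-data",  "properties": {"publicAccess": null}}
    ]""",
    "stlogs002": """[
      {"name": "exports", "properties": {"publicAccess": "container"}}
    ]""",
    "stlegacy003": """[
      {"name": "backups", "properties": {"publicAccess": null}}
    ]""",
}

# Container ACL values that permit anonymous reads; null means private.
PUBLIC_LEVELS = {"blob", "container"}


@dataclass(frozen=True)
class Finding:
    account: str
    resource_group: str
    container: Optional[str]   # None for an account-level finding
    effective: bool            # True if anonymous reads succeed right now
    detail: str


def account_blocks_public_access(account: dict) -> bool:
    """True only when allowBlobPublicAccess is explicitly false.

    A missing or null value is treated as NOT blocked (assumption made here):
    older accounts defaulted to allowing anonymous access, so the safe
    reading for an audit is 'non-compliant until set to false'."""
    return account.get("allowBlobPublicAccess") is False


def evaluate(accounts: list, containers_by_account: dict) -> list:
    """Apply rule D9.AZU.NET.66 at account level, then check each container ACL."""
    findings = []
    for acct in accounts:
        name, rg = acct["name"], acct.get("resourceGroup", "")
        blocked = account_blocks_public_access(acct)
        if not blocked:
            value = acct.get("allowBlobPublicAccess")
            findings.append(Finding(name, rg, None, True,
                f"allowBlobPublicAccess={value!r} (must be false)"))
        for c in containers_by_account.get(name, []):
            level = (c.get("properties") or {}).get("publicAccess")
            if level in PUBLIC_LEVELS:
                note = "" if not blocked else "; blocked by account setting, set to private anyway"
                findings.append(Finding(name, rg, c["name"], not blocked,
                    f"container public access level is '{level}'{note}"))
    return findings


def remediation_commands(findings: list) -> list:
    """Map each finding to the matching az CLI command from the remediation steps."""
    cmds = []
    for f in findings:
        if f.container is None:
            cmds.append(f"az storage account update --name {f.account} "
                        f"--resource-group {f.resource_group} --allow-blob-public-access false")
        else:
            cmds.append(f"az storage container set-permission --name {f.container} "
                        f"--public-access off --account-name {f.account} --account-key ACCOUNTKEY")
    return cmds


def load_sample():
    accounts = json.loads(ACCOUNTS_JSON)
    containers = {k: json.loads(v) for k, v in CONTAINERS_JSON.items()}
    return accounts, containers


if __name__ == "__main__":
    accounts, containers = load_sample()
    findings = evaluate(accounts, containers)
    for f in findings:
        tag = "EXPOSED" if f.effective else "LATENT "
        print(f"{tag} {f.account}/{f.container or '-'}: {f.detail}")
    print("\nRemediation:")
    for cmd in remediation_commands(findings):
        print("  " + cmd)
```

Against the sample the script reports three effective exposures (the stprod001 account flag, its public-assets container, and the legacy account with the flag unset) and one latent one (the exports container on stlogs002, whose public ACL is neutralised by the account-level setting but should still be set to private). To run it against a real subscription, replace the two constructed JSON inputs with the output of the az commands named in the lead-in.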
References
- https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container#container_access_type
- https://docs.azure.cn/zh-cn/cli/storage/account?view=azure-cli-latest#az-storage-account-update
Azure Storage Account
An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.
Compliance Frameworks
- Azure CIS Foundations v. 1.4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated about 1 year ago