Ensure that 'Public access level' is disabled for storage accounts with blob containers

Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers unless it is explicitly required. A shared access signature (SAS) token should be used instead to provide controlled, time-limited access to blob containers.

Risk Level: Critical
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.NET.66
Covered by Spectral: No
Category: Storage

GSL LOGIC

StorageAccount should not have allowBlobPublicAccess=true

REMEDIATION

From Portal

  1. Go to Storage Accounts
  2. For each storage account, go to Containers under the Data Storage heading
  3. For each container, click Access policy
  4. Set Public access level to Private (no anonymous access)
  5. For each storage account, go to Allow Blob public access in Configuration
  6. Set Disabled if no anonymous access is needed on the storage account

From TF

Set the 'container_access_type' argument under 'azurerm_storage_container' to 'private':

resource "azurerm_storage_container" "example" {
	..
	container_access_type = "private"
	..
}

From Command Line

  1. Identify the container name from the audit command
  2. Set the public access level of that container to private (off) using the command below
az storage container set-permission --name CONTAINERNAME --public-access off --account-name ACCOUNTNAME --account-key ACCOUNTKEY
  3. Set Allow Blob public access to Disabled if no anonymous access is wanted on the storage account
az storage account update --name STORAGEACCOUNT --resource-group RESOURCEGROUP --allow-blob-public-access false
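The audit and remediation steps above, as an added example that is not part of the CloudGuard page: a Python helper that evaluates the rule's logic offline over the JSON that `az storage account list` and `az storage container list` produce, and emits the page's remediation commands for each violation. The sample JSON is constructed, and the container command is emitted with `--auth-mode login` (an assumption, substituted for the page's `--account-key` form so no key is handled); accounts with the property missing are reported as well.

```python
import json

# Constructed sample in the shape of `az storage account list -o json`
# (only the fields this check reads).
SAMPLE_ACCOUNTS = json.dumps([
    {"name": "stpublicdemo", "resourceGroup": "rg-demo",
     "allowBlobPublicAccess": True},
    {"name": "stlockeddemo", "resourceGroup": "rg-demo",
     "allowBlobPublicAccess": False},
])

# Constructed sample in the shape of
# `az storage container list --account-name <acct> -o json`, keyed by account.
SAMPLE_CONTAINERS = {
    "stpublicdemo": json.dumps([
        {"name": "assets", "properties": {"publicAccess": "container"}},
        {"name": "logs", "properties": {"publicAccess": None}},
    ]),
    "stlockeddemo": json.dumps([
        {"name": "backups", "properties": {"publicAccess": None}},
    ]),
}


def audit(accounts_json, containers_by_account):
    """Evaluate D9.AZU.NET.66 over CLI JSON and return one finding per
    violation, each paired with a remediation command."""
    findings = []
    for acct in json.loads(accounts_json):
        name, rg = acct["name"], acct["resourceGroup"]
        # GSL logic: StorageAccount should not have allowBlobPublicAccess=true.
        # Assumption: a missing/null value is reported too, because it does
        # not prove that public access is disallowed on the account.
        if acct.get("allowBlobPublicAccess") is not False:
            findings.append({
                "account": name, "container": None,
                "fix": f"az storage account update --name {name} "
                       f"--resource-group {rg} --allow-blob-public-access false",
            })
        for c in json.loads(containers_by_account.get(name, "[]")):
            # Container-level anonymous access is "blob" or "container";
            # null means private (no anonymous access).
            if c.get("properties", {}).get("publicAccess"):
                findings.append({
                    "account": name, "container": c["name"],
                    "fix": f"az storage container set-permission "
                           f"--name {c['name']} --public-access off "
                           f"--account-name {name} --auth-mode login",
                })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS, SAMPLE_CONTAINERS):
        print(finding["fix"])
```

Replace the sample strings with the real CLI output (for example `az storage account list -o json`) to run the same check against a subscription.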

References

  1. https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container#container_access_type
  3. https://docs.azure.cn/zh-cn/cli/storage/account?view=azure-cli-latest#az-storage-account-update

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset