Ensure that containers and their blobs are not exposed publicly
Azure Blob storage allows anonymous, public read access to be enabled on a container and its blobs. This grants read-only access to those resources to anyone, without the account key and without a shared access signature. Anonymous access should not be enabled on a blob container unless there is a clear and deliberate need for it. Where controlled access is required, use a shared access signature token, which scopes and time-limits what a holder can read.
Risk Level: Critical
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.NET.67
Covered by Spectral: No
Category: Storage
GSL LOGIC
StorageAccount should not have allowBlobPublicAccess=true and blobContainers contain-any [ publicAccess!='None' ]
REMEDIATION
From Portal
- Go to 'Storage Accounts'.
- For each storage account, go to 'Allow Blob public access' in Configuration.
- Set 'Disabled' if no anonymous access is needed on the storage account.
- If it is 'Enabled' then go to 'Containers' under the 'Data Storage' heading.
- For each container, click 'Access policy'.
- Set 'Public access level' to 'Private (no anonymous access)'.
From Command Line
Set the container's public access level to 'private' (off) with the following command, substituting the container name, account name and account key:
az storage container set-permission --name CONTAINERNAME --public-access off --account-name ACCOUNTNAME --account-key ACCOUNTKEY
Disable 'Allow Blob public access' at the account level if no anonymous access is wanted on the storage account:
az storage account update --name STORAGEACCOUNT --resource-group RESOURCEGROUP --allow-blob-public-access false
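As an added example (not part of this CloudGuard page or the product's own code), the following Python evaluates the GSL logic above over a constructed inventory and emits the page's two az commands for each finding. The field names (allowBlobPublicAccess, blobContainers, publicAccess with the ARM values 'None', 'Blob', 'Container'), the account names and the ACCOUNTKEY placeholder are assumptions made for the example.

```python
import json

# Constructed sample inventory (not real accounts). Field names mirror the
# GSL rule: allowBlobPublicAccess on the account, publicAccess per container.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "stlogsprod", "resourceGroup": "rg-prod",
   "allowBlobPublicAccess": true,
   "blobContainers": [{"name": "private-data", "publicAccess": "None"},
                      {"name": "assets", "publicAccess": "Blob"}]},
  {"name": "stbackups", "resourceGroup": "rg-prod",
   "allowBlobPublicAccess": false,
   "blobContainers": [{"name": "dumps", "publicAccess": "Container"}]},
  {"name": "stclean", "resourceGroup": "rg-dev",
   "allowBlobPublicAccess": true,
   "blobContainers": [{"name": "internal", "publicAccess": "None"}]}
]
""")


def exposed_containers(account: dict) -> list:
    """Containers anonymously readable under rule D9.AZU.NET.67.

    Both conditions must hold: allowBlobPublicAccess is true on the account
    AND the container's own level is not 'None'. With the account switch
    off, container settings are inert, so 'dumps' on stbackups is not reported.
    """
    if account.get("allowBlobPublicAccess") is not True:
        return []
    return [c["name"] for c in account.get("blobContainers", [])
            if c["publicAccess"] != "None"]


def evaluate(accounts: list) -> dict:
    """Map each non-compliant account name to its exposed containers."""
    return {a["name"]: exposed_containers(a)
            for a in accounts if exposed_containers(a)}


def remediation_commands(account: dict) -> list:
    """The page's az CLI remediation for one account: close each exposed
    container, then disable the account-level switch (ACCOUNTKEY is a placeholder)."""
    exposed = exposed_containers(account)
    cmds = [f"az storage container set-permission --name {c} "
            f"--public-access off --account-name {account['name']} "
            "--account-key ACCOUNTKEY" for c in exposed]
    if exposed:
        cmds.append(f"az storage account update --name {account['name']} "
                    f"--resource-group {account['resourceGroup']} "
                    "--allow-blob-public-access false")
    return cmds
```

Running evaluate(SAMPLE_ACCOUNTS) reports only stlogsprod with its 'assets' container; the 'Container'-level 'dumps' on stbackups is not a finding because the account-level switch already blocks anonymous access.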
References
- https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal
- https://learn.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az-storage-account-update
Azure Storage Account
An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.
Compliance Frameworks
- Azure CloudGuard Best Practices
- CloudGuard Azure All Rules Ruleset