Ensure that containers and their blobs are not exposed publicly

Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key and without requiring a shared access signature. Anonymous access to blob containers should not be enabled unless it is explicitly required. A shared access signature token should be used instead to provide controlled, time-limited access to blob containers.

Risk Level: Critical
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.NET.67
Covered by Spectral: No
Category: Storage

GSL LOGIC

StorageAccount should not have allowBlobPublicAccess=true and blobContainers contain-any [ publicAccess!='None' ]

REMEDIATION

From Portal

  1. Go to 'Storage Accounts'.
  2. For each storage account, go to 'Allow Blob public access' in Configuration.
  3. Set 'Disabled' if no anonymous access is needed on the storage account.
  4. If it is 'Enabled' then go to 'Containers' under the 'Data Storage' heading.
  5. For each container, click 'Access policy'.
  6. Set 'Public access level' to 'Private (no anonymous access)'.

From Command Line

Set the public access permission of the container to 'private' (off) with the following command, substituting the container and account names

az storage container set-permission --name CONTAINERNAME --public-access off --account-name ACCOUNTNAME --account-key ACCOUNTKEY

Disable blob public access at the storage account level if no anonymous access is wanted on the account

az storage account update --name STORAGEACCOUNT --resource-group RESOURCEGROUP --allow-blob-public-access false
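The following added example (not part of the CloudGuard rule or Azure CLI) applies the GSL logic above to constructed sample data shaped like the JSON that `az storage account list` and `az storage container list` return, and prints the remediation commands for each non-compliant account. The account and container names are made up, and the generated container command uses `--auth-mode login` in place of the account key.

```python
# Constructed sample data, shaped like `az storage account list` and
# `az storage container list --account-name <name>` output (values are made up).
SAMPLE_ACCOUNTS = [
    {"name": "stpublic01", "resourceGroup": "rg-demo", "allowBlobPublicAccess": True},
    {"name": "stlocked02", "resourceGroup": "rg-demo", "allowBlobPublicAccess": False},
    {"name": "stprivate03", "resourceGroup": "rg-demo", "allowBlobPublicAccess": True},
]
SAMPLE_CONTAINERS = {
    "stpublic01": [
        {"name": "logs", "properties": {"publicAccess": None}},
        {"name": "www", "properties": {"publicAccess": "blob"}},
    ],
    # Container-level setting is 'container', but the account switch is off,
    # so Azure rejects anonymous requests and the rule does not fire.
    "stlocked02": [{"name": "assets", "properties": {"publicAccess": "container"}}],
    "stprivate03": [{"name": "backups", "properties": {"publicAccess": None}}],
}

def is_public(container):
    """True for 'blob' or 'container'; null/None and the string 'None' are private."""
    level = (container.get("properties") or {}).get("publicAccess")
    return level is not None and str(level).lower() != "none"

def exposed_containers(account, containers):
    """GSL rule: allowBlobPublicAccess=true AND any container with publicAccess != None."""
    if not account.get("allowBlobPublicAccess"):
        return []
    return [c["name"] for c in containers if is_public(c)]

def remediation(account, exposed):
    """Commands from the remediation section, using --auth-mode login instead of a key."""
    cmds = [
        f"az storage container set-permission --name {c} --public-access off "
        f"--account-name {account['name']} --auth-mode login"
        for c in exposed
    ]
    cmds.append(
        f"az storage account update --name {account['name']} "
        f"--resource-group {account['resourceGroup']} --allow-blob-public-access false"
    )
    return cmds

def audit(accounts, containers_by_account):
    """Return {account name: [exposed container names]} for non-compliant accounts."""
    findings = {}
    for acct in accounts:
        exposed = exposed_containers(acct, containers_by_account.get(acct["name"], []))
        if exposed:
            findings[acct["name"]] = exposed
    return findings

if __name__ == "__main__":
    for name, exposed in audit(SAMPLE_ACCOUNTS, SAMPLE_CONTAINERS).items():
        acct = next(a for a in SAMPLE_ACCOUNTS if a["name"] == name)
        print(f"{name}: public containers {exposed}")
        print("\n".join(remediation(acct, exposed)))
```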

References

  1. https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal
  2. https://learn.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az-storage-account-update

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

  • Azure CloudGuard Best Practices
  • CloudGuard Azure All Rules Ruleset