Detections
Analytics

3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account.

Rationale:

The default configuration for a storage account permits a user with appropriate permissions to configure public (anonymous) access to containers and blobs in a storage account. Keep in mind that public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token or Azure AD RBAC should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on any container in the storage account, it's recommended to set allowBlobPublicAccess false at the account level, which forbids any container to accept anonymous access in the future.

Impact:

Access will have to be managed using shared access signatures or via Azure AD RBAC.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From Azure Console
First, follow Microsoft documentation and create shared access signature tokens for your blob containers. Then,

Go to Storage Accounts

For each storage account, go to Allow Blob public access in Configuration

Set Disabled if no anonymous access is needed on the storage account

Alternatively, if some containers must be made public (so 'Allow Blob public access' is enabled) ,

For each storage account, go to Containers under the Data Storage heading

For each private container, click Access policy

Set Public access level to Private (no anonymous access)

From Azure CLI
First, follow Microsoft documentation and created shared access signature tokens for your blob containers. Then, if no anonymous access is wanted (as recommended here),

Set 'Allow Blob Public Access' to false on the storage account

az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access false

Alternatively, if some containers must be made public (so 'Allow Blob public access' is enabled) ,

Identify the container name from the audit command

Set the permission for public access to private(off) for the above container name, using the below command

az storage container set-permission --name <containerName> --public-access off --account-name <accountName> --account-key <accountKey>

Default Value:

By default, Public access level is set to Private (no anonymous access) for blob containers. By default, AllowBlobPublicAccess is set to Null (allow in effect) for storage account.

See Also

https://workbench.cisecurity.org/files/4052

Item Details

References: CSCv7|14.6

Plugin: microsoft_azure

Control ID: acc89f18af7c25498ae99fbd13247a22da0287139040b827563e38678196d383