Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible

HIGH

Description

Description:

The storage account container containing the activity log export should not be publicly accessible.

Rationale:

Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.

Configuring container 'Access policy' to 'private' will remove access from the container for everyone except owners of the storage account. Access policy needs to be set explicitly in order to allow access to other desired users.

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Search for 'Storage Accounts' to access Storage account blade
  3. Click on the storage account name
  4. Click on 'Configuration' under settings
  5. Select 'Enabled' under 'Allow Blob public access'

From Azure CLI

az storage container set-permission --name insights-activity-logs --account-name <storage-account-name> --sas-token <sas-token> --public-access off

(Replace <storage-account-name> and <sas-token> with the storage account holding the container and a valid SAS token; the original command omits these values.)

From PowerShell

Create a new storage account context for the storage account holding the 'insights-activity-logs' container, making sure to use a valid 'Shared Access Signature (SAS)' token.

$context = New-AzStorageContext -StorageAccountName "<storage-account-name>" -SasToken "<sas-token>"

Change the 'insights-activity-logs' container public access to 'off'

Set-AzStorageContainerAcl -Context $context -Name "insights-activity-logs" -Permission Off -PassThru
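To verify the remediation (or to audit for the finding in the first place), the following added example evaluates the JSON that `az storage account show` and `az storage container list` return; it is not part of this benchmark page or of the Azure tooling, the field names (allowBlobPublicAccess, properties.publicAccess) are assumed from the CLI's output shape, and the sample data is constructed.

```python
"""Audit helper for the activity-log container's public-access setting.

Input is JSON captured from two Azure CLI calls (captured separately, then
fed to audit()):
  az storage account show --name <account>            -> ACCOUNT
  az storage container list --account-name <account>  -> CONTAINERS
Field names are assumed from the CLI output shape; sample data is constructed.
"""
import json

# Constructed sample: the account still permits public blobs and the
# activity-log container grants anonymous 'blob' read, i.e. the finding.
ACCOUNT = json.loads('{"name": "examplelogs", "allowBlobPublicAccess": true}')
CONTAINERS = json.loads("""[
  {"name": "insights-activity-logs", "properties": {"publicAccess": "blob"}},
  {"name": "backups", "properties": {"publicAccess": null}}
]""")


def container_is_public(container):
    """True when the container ACL grants anonymous read ('blob' or 'container')."""
    access = (container.get("properties") or {}).get("publicAccess")
    return access is not None and str(access).lower() != "off"


def audit(account, containers, log_container="insights-activity-logs"):
    """Return (severity, message) findings; an empty list means compliant.

    The account-level switch is checked as well, because a container ACL of
    'off' is only one of the two layers that must deny anonymous access.
    A missing/null allowBlobPublicAccess is treated conservatively as not
    disabled.
    """
    findings = []
    if account.get("allowBlobPublicAccess") is not False:
        findings.append(("MEDIUM", "account-level 'Allow Blob public access' is not disabled"))
    for c in containers:
        if container_is_public(c):
            severity = "HIGH" if c["name"] == log_container else "MEDIUM"
            access = c["properties"]["publicAccess"]
            findings.append((severity, f"container '{c['name']}' has publicAccess={access}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(ACCOUNT, CONTAINERS):
        print(f"{severity}: {message}")
```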