Description:

Disable anonymous access to blob containers and disallow blob public access on the storage account.


Rationale:

Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers unless it is strongly required. A shared access signature token should be used to provide controlled, time-limited access to blob containers. If no anonymous access is needed on the storage account, it is recommended to set allowBlobPublicAccess to false.


Impact:

Access using shared access signatures will have to be managed.


Default Value:

By default, the Public access level is set to Private (no anonymous access) for blob containers. By default, AllowBlobPublicAccess is set to Disabled (allow in effect) for the storage account.


Audit:

  1. Sign in to your Azure account.

  2. Go to Storage Accounts

  3. For each storage account, go to Containers under BLOB SERVICE

  4. For each container, click Access policy

  5. Ensure that Public access level is set to Private (no anonymous access)

  6. For each storage account, go to Allow Blob public access in Configuration

  7. Check it is Disabled if no anonymous access is needed on the storage account

Via Azure CLI:

  • Ensure the output of the command below is null for every container

az storage container list --account-name <accountName> --account-key <accountKey> --query '[*].properties.publicAccess'

  • Ensure allowBlobPublicAccess is false

az storage account show --name <storage-account> --resource-group <resource-group> --query allowBlobPublicAccess --output tsv

Remediation:

Pre-requisites:

  1. Azure account

  2. Azure Storage account

  3. Azure container within a storage account.

Implementation Steps:

  1. Go to Storage Accounts

  2. For each storage account, go to Containers under BLOB SERVICE

  3. For each container, click Access policy

  4. Ensure that Public access level is set to Private (no anonymous access)

  5. For each storage account, go to Allow Blob public access in Configuration

  6. Set Disabled if no anonymous access is needed on the storage account

Using Azure Command-Line Interface 2.0:

  1. Identify the container name from the audit command

  2. Set the public access permission to private (off) for the container identified above, using the command below

az storage container set-permission --name <containerName> --public-access off --account-name <accountName> --account-key <accountKey>

  3. Set Disabled if no anonymous access is wanted on the storage account

az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access false
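The audit and remediation steps above are per-account, per-container checks that are easy to miss by hand across many storage accounts. The following script is an added example (not part of the benchmark, and not Azure's or the Azure CLI's own code) that applies the same two checks programmatically: it flags any container whose publicAccess is not null and any account whose allowBlobPublicAccess is not explicitly false, then prints the corresponding benchmark remediation commands without running them. The sample data is constructed to mimic the JSON shape returned by the two audit commands; the live path (audit_live) runs the real `az` commands and assumes a signed-in CLI with `--auth-mode login` instead of the account key used on the page.

```python
"""Audit Azure storage accounts for anonymous blob access (added example)."""
import json
import subprocess
from typing import Any, Dict, List, Optional

# Constructed sample data shaped like the output of the two audit commands:
#   az storage account show ... --query allowBlobPublicAccess   -> true / false / null
#   az storage container list ...  (objects whose properties.publicAccess is
#   null, "blob" or "container")
SAMPLE_ACCOUNTS: Dict[str, Dict[str, Any]] = {
    "stprodlogs": {  # compliant: account locked down, container private
        "allowBlobPublicAccess": False,
        "containers": [{"name": "audit", "properties": {"publicAccess": None}}],
    },
    "stwebassets": {  # two anonymous containers and public access allowed
        "allowBlobPublicAccess": True,
        "containers": [
            {"name": "images", "properties": {"publicAccess": "container"}},
            {"name": "backups", "properties": {"publicAccess": "blob"}},
            {"name": "private", "properties": {"publicAccess": None}},
        ],
    },
    "stlegacy": {  # property never set: only an explicit false is treated as enforced
        "allowBlobPublicAccess": None,
        "containers": [],
    },
}


def public_containers(containers: List[Dict[str, Any]]) -> List[str]:
    """Names of containers whose access level is not Private (publicAccess not null)."""
    return [c["name"] for c in containers
            if c.get("properties", {}).get("publicAccess") is not None]


def audit_account(name: str, allow_blob_public_access: Optional[bool],
                  containers: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Apply both benchmark checks to one storage account."""
    exposed = public_containers(containers)
    return {
        "account": name,
        "allowBlobPublicAccess": allow_blob_public_access,
        "public_containers": exposed,
        # Compliant only when the account-level switch is explicitly false
        # and no container grants anonymous access.
        "compliant": allow_blob_public_access is False and not exposed,
    }


def remediation_commands(finding: Dict[str, Any], resource_group: str) -> List[List[str]]:
    """argv lists for the benchmark's remediation commands; built, not executed."""
    cmds: List[List[str]] = []
    for container in finding["public_containers"]:
        cmds.append(["az", "storage", "container", "set-permission",
                     "--name", container, "--public-access", "off",
                     "--account-name", finding["account"], "--auth-mode", "login"])
    if finding["allowBlobPublicAccess"] is not False:
        cmds.append(["az", "storage", "account", "update",
                     "--name", finding["account"], "--resource-group", resource_group,
                     "--allow-blob-public-access", "false"])
    return cmds


def audit_live(account_name: str, resource_group: str) -> Dict[str, Any]:
    """Run the two audit commands against a real subscription (requires `az login`)."""
    def run(args: List[str]) -> Any:
        out = subprocess.run(args, check=True, capture_output=True, text=True).stdout
        return json.loads(out)

    allow = run(["az", "storage", "account", "show", "--name", account_name,
                 "--resource-group", resource_group,
                 "--query", "allowBlobPublicAccess", "--output", "json"])
    containers = run(["az", "storage", "container", "list",
                      "--account-name", account_name, "--auth-mode", "login",
                      "--output", "json"])
    return audit_account(account_name, allow, containers)


def audit_sample() -> List[Dict[str, Any]]:
    """Evaluate the constructed sample accounts."""
    return [audit_account(n, d["allowBlobPublicAccess"], d["containers"])
            for n, d in SAMPLE_ACCOUNTS.items()]


if __name__ == "__main__":
    for f in audit_sample():
        status = "OK  " if f["compliant"] else "FAIL"
        print(f"{status} {f['account']} allowBlobPublicAccess={f['allowBlobPublicAccess']} "
              f"public_containers={f['public_containers']}")
        for cmd in remediation_commands(f, "<resource-group>"):
            print("     " + " ".join(cmd))
```

Run it as-is to see the three sample verdicts and the suggested remediation commands; swap `audit_sample()` for `audit_live(name, group)` over the accounts in a subscription to get the same report for real resources. An account whose allowBlobPublicAccess comes back as null is reported as a finding, since only an explicit false proves the account-level block is in place.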

Backout Plan:

  1. Go to Storage Accounts

  2. For each storage account, go to Containers under BLOB SERVICE

  3. For each container, click Access policy

  4. Ensure that Public access level is set to Private (no anonymous access)

  5. For each storage account, go to Allow Blob public access in Configuration

  6. Set to Enabled if any anonymous access is needed on the storage account

References: