Description:
Disable anonymous access to blob containers and disallow blob public access on the storage account.
Rationale:
Azure Blob storage can grant anonymous, public read access to a container and its blobs. That access is read-only and requires neither the account key nor a shared access signature (SAS), so anyone who learns or guesses a blob URL can read its contents. Anonymous access should not be enabled on a container unless it is explicitly required; a SAS token should be used instead to provide controlled, time-limited access. If no anonymous access is needed anywhere on the storage account, set allowBlobPublicAccess to false. This account-level setting takes precedence: once it is false, anonymous requests are rejected even for containers whose own access level is still Blob or Container.
Impact:
Access using shared access signatures will have to be managed.
Default Value:
By default, the Public access level of a new blob container is Private (no anonymous access). The account-level AllowBlobPublicAccess property is not set (null) unless it has been explicitly configured, and a null value allows anonymous access in effect, so the container-level setting alone then decides whether blobs are exposed. Newer storage accounts may be created with the property already disabled, so verify the actual value rather than relying on the default.
Audit:
Sign in to your Azure account.
Go to Storage Accounts
For each storage account, go to Containers under BLOB SERVICE
For each container, click Access policy
Ensure that Public access level is set to Private (no anonymous access)
For each storage account, go to Allow Blob public access in Configuration
Check it is Disabled if no anonymous access is needed on the storage account
Via Azure CLI:
Ensure that the command below outputs only null for every container (a value of blob or container indicates anonymous access is enabled on that container):
az storage container list --account-name <accountName> --account-key <accountKey> --query '[*].properties.publicAccess'
Passing --auth-mode login instead of --account-key avoids handling the account key and relies on Azure RBAC instead.
Ensure allowBlobPublicAccess is false (both null and true fail this check):
az storage account show --name <storage-account> --resource-group <resource-group> --query allowBlobPublicAccess --output tsv
Remediation:
Pre-requisites:
Azure account
Azure Storage account
Azure container within a storage account.
Implementation Steps:
Go to Storage Accounts
For each storage account, go to Containers under BLOB SERVICE
For each container, click Access policy
Ensure that Public access level is set to Private (no anonymous access)
For each storage account, go to Allow Blob public access in Configuration
Set Disabled if no anonymous access is needed on the storage account
Using Azure Command-Line Interface 2.0:
Identify each container with anonymous access from the audit command output
Set the public access level of each such container to private (off) using the command below
az storage container set-permission --name <containerName> --public-access off --account-name <accountName> --account-key <accountKey>
Set allowBlobPublicAccess to false if no anonymous access is wanted on the storage account
az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access false
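The following script, added here as an example and not part of the benchmark itself, automates the CLI audit and remediation steps above across every storage account visible to the signed-in Azure CLI. It calls the real az commands shown on this page and parses their JSON output, but keeps the pass/fail logic in separate functions so it can also be exercised offline on constructed sample data. Function names, the sample account and container names, and the assumption that the caller holds Storage Blob Data Reader for the --auth-mode login container listing are this example's own. It reports findings and prints the matching remediation command rather than applying it.

```python
"""Audit Azure storage accounts for anonymous blob access (added example).

Runs `az storage account list` and `az storage container list`, flags every
account whose allowBlobPublicAccess is not false and every container whose
publicAccess is blob or container, and prints the az command that fixes each
finding. When `az` is not installed it evaluates constructed sample data.
"""
import json
import shutil
import subprocess

# Values `az` reports in properties.publicAccess for an anonymous container.
ANONYMOUS_LEVELS = {"blob", "container"}


def run_az(args):
    """Run an `az` command and return its parsed JSON output (requires `az login`)."""
    out = subprocess.run(["az", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def evaluate_account(account):
    """Return a finding unless allowBlobPublicAccess is exactly false.

    `account` is one element of `az storage account list` output. A missing or
    null value counts as a failure because null leaves anonymous access allowed.
    """
    value = account.get("allowBlobPublicAccess")
    if value is False:
        return None
    return {
        "scope": "account",
        "account": account["name"],
        "resourceGroup": account.get("resourceGroup"),
        "observed": value,
        "fix": ("az storage account update --name {a} --resource-group {rg} "
                "--allow-blob-public-access false").format(
                    a=account["name"], rg=account.get("resourceGroup")),
    }


def evaluate_containers(account_name, containers):
    """Return one finding per container whose publicAccess is blob or container.

    `containers` is the output of `az storage container list`; publicAccess is
    null for private containers, so those produce no finding.
    """
    findings = []
    for c in containers:
        level = (c.get("properties") or {}).get("publicAccess")
        if level in ANONYMOUS_LEVELS:
            findings.append({
                "scope": "container",
                "account": account_name,
                "container": c["name"],
                "observed": level,
                "fix": ("az storage container set-permission --name {c} "
                        "--public-access off --account-name {a} "
                        "--auth-mode login").format(c=c["name"], a=account_name),
            })
    return findings


def audit(accounts, list_containers):
    """Evaluate every account and its containers; list_containers(name) fetches them."""
    findings = []
    for acct in accounts:
        finding = evaluate_account(acct)
        if finding:
            findings.append(finding)
        findings.extend(evaluate_containers(acct["name"], list_containers(acct["name"])))
    return findings


# Constructed sample data shaped like the `az` JSON; names are invented for this example.
SAMPLE_ACCOUNTS = [
    {"name": "stprivate001", "resourceGroup": "rg-app", "allowBlobPublicAccess": False},
    {"name": "stlegacy002", "resourceGroup": "rg-app", "allowBlobPublicAccess": None},
]
SAMPLE_CONTAINERS = {
    "stprivate001": [{"name": "data", "properties": {"publicAccess": None}}],
    "stlegacy002": [
        {"name": "logs", "properties": {"publicAccess": None}},
        {"name": "assets", "properties": {"publicAccess": "blob"}},
    ],
}


def main():
    if shutil.which("az"):
        accounts = run_az(["storage", "account", "list"])
        fetch = lambda name: run_az(["storage", "container", "list",
                                     "--account-name", name, "--auth-mode", "login"])
    else:
        accounts, fetch = SAMPLE_ACCOUNTS, lambda name: SAMPLE_CONTAINERS[name]
    for f in audit(accounts, fetch):
        print(f"FAIL [{f['scope']}] {f['account']}/{f.get('container', '')} "
              f"publicAccess={f['observed']}\n    remediate: {f['fix']}")


if __name__ == "__main__":
    main()
```

Containers are reported even on accounts where allowBlobPublicAccess is already false; those containers are not actually reachable anonymously, but resetting them to private prevents a later flip of the account-level switch from silently re-exposing them. Run the printed az commands only after confirming that no workload depends on the anonymous path.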
Backout Plan:
Go to Storage Accounts
For each storage account, go to Containers under BLOB SERVICE
For each container, click Access policy
Set Public access level back to Blob or Container only for containers that genuinely require anonymous read access
For each storage account, go to Allow Blob public access in Configuration
Set to Enabled if any anonymous access is needed on the storage account; container-level settings have no effect while it is Disabled
References:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-to-resources
https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic