Description:

The storage account container containing the activity log export should not be publicly accessible.


Rationale:

Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.


Impact:

Configuring container Access policy to private will remove access from the container for everyone except owners of the storage account. Access policy needs to be set explicitly in order to allow access to other desired users.


Default Value:

By default, public access is set to null (allowing only private access) for a container with activity log export.


Audit:

From Azure Console


  1. Search for Storage Accounts to access Storage account blade

  2. Click on the storage account name

  3. In Section, Data storage click Containers and then select any one container

  4. Click on Change access level

  5. Check that Access Policy from Context Menu Public Access Level is set to Private (no anonymous access)


Using Azure Command-Line Interface 2.0

  1. Get storage account id configured with log profile:

    az monitor log-profiles list --query "[*].storageAccountId"
  2. Ensure the container storing activity logs (insights-operational-logs) is not publicly accessible:

    az storage container list --account-name <Storage Account Name> --query "[?name=='insights-operational-logs']"


In the command output, ensure publicAccess is set to null.
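The audit check above can be automated by parsing the JSON that az storage container list prints. The following is an added example, not part of the benchmark: it flags every container whose publicAccess is not null and reports whether the insights-operational-logs container is private. The list_containers helper and the SAMPLE_OUTPUT data are constructed for illustration.

```python
import json
import subprocess
from typing import Dict, Iterable, Optional

# Container that the activity log export is written to.
ACTIVITY_LOG_CONTAINER = "insights-operational-logs"


def public_containers(az_json: str, only: Optional[Iterable[str]] = None) -> Dict[str, str]:
    """Parse the JSON printed by `az storage container list` and return
    {container_name: public_access_level} for every container whose
    properties.publicAccess is not null, i.e. anonymous reads are allowed
    ("blob" exposes blobs, "container" also exposes the listing).
    `only` restricts the check to the named containers."""
    wanted = set(only) if only is not None else None
    findings: Dict[str, str] = {}
    for container in json.loads(az_json):
        name = container.get("name")
        if wanted is not None and name not in wanted:
            continue
        level = (container.get("properties") or {}).get("publicAccess")
        if level is not None:  # null means private; anything else is anonymous access
            findings[name] = level
    return findings


def activity_log_container_is_private(az_json: str) -> bool:
    """True only when insights-operational-logs exists and has publicAccess null.
    A missing container is reported as a failure so a wrong account is not marked compliant."""
    names = {c.get("name") for c in json.loads(az_json)}
    if ACTIVITY_LOG_CONTAINER not in names:
        return False
    return not public_containers(az_json, only=[ACTIVITY_LOG_CONTAINER])


def list_containers(account_name: str) -> str:
    """Run the benchmark's audit command and return its JSON output (requires az login)."""
    cmd = ["az", "storage", "container", "list", "--account-name", account_name, "--output", "json"]
    return subprocess.check_output(cmd, text=True)


# Constructed sample mimicking `az storage container list`: the activity log
# container is misconfigured (blob-level anonymous access) and so is "website".
SAMPLE_OUTPUT = json.dumps([
    {"name": "insights-operational-logs", "properties": {"publicAccess": "blob", "leaseState": "available"}},
    {"name": "backups", "properties": {"publicAccess": None, "leaseState": "available"}},
    {"name": "website", "properties": {"publicAccess": "container", "leaseState": "available"}},
])

if __name__ == "__main__":
    import sys
    output = list_containers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for name, level in public_containers(output).items():
        print(f"FAIL {name}: publicAccess={level}")
    print("activity log container private:", activity_log_container_is_private(output))
```

Run it with a storage account name as the argument to audit a real account; without an argument it evaluates the constructed sample.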


Remediation:

From Azure Console

  1. Search for Storage Accounts to access Storage account blade

  2. Click on the storage account name

  3. In Section, Blob Service click Containers. It will list all the containers in the next blade

  4. Look for a record with a container named insights-operational-logs. Click ... from the rightmost column to open the Context menu

  5. Click Access Policy from Context Menu and set Public Access Level to Private (no anonymous access)


Using Azure Command-Line Interface 2.0

az storage container set-permission --name insights-operational-logs --account-name <Storage Account Name> --public-access off

Backout Plan:

  1. Search for Storage Accounts to access Storage account blade

  2. Click on the storage account name

  3. In Section Blob Service click Containers. It will list all the containers in the next blade

  4. Click on Change access level

  5. Click Access Policy from Context Menu and set Public Access Level to other than private


References:

  1. https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure

  2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic