Description:
The storage account container containing the activity log export should not be publicly accessible.
Rationale:
Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.
Impact:
Setting the container access policy to Private removes access to the container for everyone except owners of the storage account. Access for any other desired users then has to be granted explicitly.
Default Value:
By default, public access is set to null (allowing only private access) for a container with activity log export.
Audit:
From Azure Console
1. Search for Storage Accounts to access the Storage account blade
2. Click on the storage account name
3. In the Data storage section, click Containers and then select any one container
4. Click on Change access level
5. Check that the Public access level is set to Private (no anonymous access)
Using Azure Command-Line Interface 2.0
Get storage account id configured with log profile:
az monitor log-profiles list --query [*].storageAccountId
Ensure the container storing activity logs (insights-operational-logs) is not publicly accessible:
az storage container list --account-name <Storage Account Name> --query "[?name=='insights-operational-logs']"
In the command output, ensure publicAccess is set to null
Remediation:
From Azure Console
1. Search for Storage Accounts to access the Storage account blade
2. Click on the storage account name
3. In the Blob Service section, click Containers. It will list all the containers in the next blade
4. Look for a record with a container named insights-operational-logs. Click ... in the rightmost column to open the context menu
5. Click Access Policy from the context menu and set Public Access Level to Private (no anonymous access)
Using Azure Command-Line Interface 2.0
az storage container set-permission --name insights-operational-logs --account-name <Storage Account Name> --public-access off
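The audit and remediation steps above can be scripted against the JSON that the two Azure CLI commands emit. The following is an added example, not part of the benchmark text: it takes the storage account ids returned by `az monitor log-profiles list --query [*].storageAccountId`, the container list returned by `az storage container list --account-name <name>`, flags any container whose publicAccess is not null, and builds the matching set-permission command. The sample JSON, the account name stactivitylogs001 and the subscription id are constructed; the assumption is that the CLI reports the access level under properties.publicAccess with the values null, "blob" or "container".

```python
import json

# Constructed sample of the output of
#   az monitor log-profiles list --query [*].storageAccountId
# (a list of storage account resource ids; the subscription id and names are made up).
SAMPLE_STORAGE_ACCOUNT_IDS = json.dumps([
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs"
    "/providers/Microsoft.Storage/storageAccounts/stactivitylogs001"
])

# Constructed sample of the output of
#   az storage container list --account-name stactivitylogs001
# Assumption: the access level sits at properties.publicAccess (null | "blob" | "container").
SAMPLE_CONTAINER_LIST = json.dumps([
    {"name": "insights-operational-logs", "properties": {"publicAccess": "container"}},
    {"name": "backups", "properties": {"publicAccess": None}},
    {"name": "insights-logs-auditevent", "properties": {"publicAccess": "blob"}},
])

# The container that holds the activity log export.
LOG_CONTAINER = "insights-operational-logs"


def account_names_from_ids(ids_json):
    """The storage account name is the last path segment of its resource id."""
    return [rid.rstrip("/").split("/")[-1] for rid in json.loads(ids_json)]


def public_containers(container_list_json, only=None):
    """Return {container_name: publicAccess} for every container that is not private.

    A null publicAccess means private (the compliant state); "blob" and "container"
    both allow anonymous reads and are reported. If `only` is given, other
    containers are ignored.
    """
    findings = {}
    for container in json.loads(container_list_json):
        name = container.get("name")
        if only and name != only:
            continue
        level = (container.get("properties") or {}).get("publicAccess")
        if level is not None:
            findings[name] = level
    return findings


def remediation_command(account_name, container_name):
    """The CLI command from the Remediation section, filled in for one finding."""
    return (f"az storage container set-permission --name {container_name} "
            f"--account-name {account_name} --public-access off")


def audit(ids_json, fetch_containers, only=LOG_CONTAINER):
    """Check every log-profile storage account and return a list of findings.

    fetch_containers(account_name) must return the JSON text of
    `az storage container list --account-name <account_name>`; in a live run it
    would call the CLI, here the sample above is injected so the script runs offline.
    """
    report = []
    for account in account_names_from_ids(ids_json):
        for name, level in public_containers(fetch_containers(account), only).items():
            report.append({
                "account": account,
                "container": name,
                "publicAccess": level,
                "fix": remediation_command(account, name),
            })
    return report


if __name__ == "__main__":
    for finding in audit(SAMPLE_STORAGE_ACCOUNT_IDS, lambda _account: SAMPLE_CONTAINER_LIST):
        print(finding)
```

Dropping the `only` filter (`audit(..., only=None)`) extends the same check to every container in the account, which is useful because other diagnostic exports (for example insights-logs-* containers) carry the same kind of sensitive data.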
Backout Plan:
1. Search for Storage Accounts to access the Storage account blade
2. Click on the storage account name
3. In the Blob Service section, click Containers. It will list all the containers in the next blade
4. Click on Change access level
5. Click Access Policy from the context menu and set Public Access Level to a value other than Private