lacework-global-532

Disable 'Public access level' for storage accounts with blob containers (Automated)

Profile Applicability

• Level 1

Description

Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account.

Rationale

The default configuration for a storage account permits a user with appropriate permissions to configure public (anonymous) access to containers and blobs in that storage account. Keep in mind that public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. Public access grants read-only access to these resources without sharing the account key and without requiring a shared access signature. Anonymous access to blob containers should not be enabled unless it is explicitly required. A shared access signature token or Azure AD RBAC should be used to provide controlled, time-limited access to blob containers. If no anonymous access is needed on any container in the storage account, it is recommended to set allowBlobPublicAccess to false at the account level, which prevents any container in that account from accepting anonymous requests in the future.

Impact

Access will have to be managed using shared access signatures or via Azure AD RBAC.

Audit

From Azure Console

  1. Go to Storage Accounts.
  2. For each storage account, go to the Configuration setting under Settings.
  3. Check that Allow Blob anonymous access is set to Disabled.

From Azure CLI

Ensure that allowBlobPublicAccess is false for each storage account:

az storage account show --name <storage-account> --resource-group <resource-group> --query allowBlobPublicAccess --output tsv

Remediation

From Azure Console

First, follow Microsoft documentation and create shared access signature tokens for your blob containers. Then:

  1. Go to Storage Accounts.
  2. For each storage account, go to Configuration in Settings.
  3. Set Allow Blob anonymous access to Disabled.

From Azure CLI

First, follow Microsoft documentation and create shared access signature tokens for your blob containers. Then:

  1. Set '--allow-blob-public-access' to false on the storage account:

     az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access false
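The following POSIX shell script is an added example, not part of the Lacework policy or the Microsoft documentation: it combines the audit and remediation steps above for every storage account in a subscription, treating an unset (null) allowBlobPublicAccess as non-compliant. The storage account and resource group names in the embedded sample are constructed.

```shell
#!/bin/sh
# Audit all storage accounts for allowBlobPublicAccess and print the
# remediation command for each non-compliant one.
#
# Input rows (one account per line, tab-separated):
#   name  resourceGroup  allowBlobPublicAccess
# which is what the az query further down emits with --output tsv.

# Return 0 (compliant) only when the value is literally false.
# az renders booleans in tsv output as "True"/"False" and a null property as
# an empty field; anything other than false is non-compliant, because on
# older accounts null still allows per-container public access.
is_compliant() {
    value=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    [ "$value" = "false" ]
}

# Read tsv rows from stdin; emit "name<TAB>resourceGroup<TAB>value" for each
# account that is not compliant ("null" stands in for an empty value).
find_noncompliant() {
    while IFS="$(printf '\t')" read -r name rg pub; do
        [ -n "$name" ] || continue
        if ! is_compliant "$pub"; then
            printf '%s\t%s\t%s\n' "$name" "$rg" "${pub:-null}"
        fi
    done
}

# Build the remediation command from the Remediation section for one account.
remediation_command() {
    printf 'az storage account update --name %s --resource-group %s --allow-blob-public-access false\n' "$1" "$2"
}

# Live run (requires an authenticated az session); kept commented out so the
# script also works offline against the constructed sample below:
# az storage account list --query "[].[name,resourceGroup,allowBlobPublicAccess]" --output tsv \
#   | find_noncompliant

# Constructed sample of az tsv output: one compliant, one public, one unset.
SAMPLE="$(printf 'stlogs01\trg-ops\tFalse\nstpublicweb\trg-web\tTrue\nstlegacy\trg-old\t\n')"
printf '%s\n' "$SAMPLE" | find_noncompliant | while IFS="$(printf '\t')" read -r name rg pub; do
    echo "NON-COMPLIANT: $name ($rg) allowBlobPublicAccess=$pub"
    echo "  fix: $(remediation_command "$name" "$rg")"
done
```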

References

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-to-resources
https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls
https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure
https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access