lacework-global-556

Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible (Manual)

note

This rule has been changed to manual, see Permanently Manual Policies for CIS Azure 1.5.0 for details.

Profile Applicability

• Level 1

Description

The storage account container containing the activity log export should not be publicly accessible.

Rationale

Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.

Impact

Setting the container's access policy to Private removes access to the container for everyone except the owners of the storage account. Any other users who need access must then be granted it explicitly through an access policy.

Audit

From Azure Portal

  1. From Azure Home, select the Portal Menu.
  2. Select Diagnostic Settings in the left column.
  3. In the Storage Account section, note the name of the storage account.
  4. Close Diagnostic settings. Close the Monitor - Activity Log blade.
  5. In the right column, click the Storage Accounts service to open the Storage account blade.
  6. Click the storage account name noted in step 3. This opens the blade for that storage account.
  7. In the Blob Service section, click Containers. All containers in the account are listed in the next blade.
  8. Look for the container named insights-operational-logs. Click ... in the right-most column to open the context menu.
  9. Click Access Policy in the context menu and ensure Public Access Level is set to Private (no anonymous access).

From Azure CLI

  1. Get the storage account ID configured in the log profile:
     az monitor log-profiles list --query [*].storageAccountId
  2. Ensure the container storing activity logs (insights-operational-logs) is not publicly accessible:
     az storage container list --account-name <Storage Account Name> --query "[?name=='insights-operational-logs']"

In the command output, ensure that publicAccess is null.
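The two CLI audit steps above are easy to script but equally easy to misread when the account has many containers or the expected container is missing. The following Python is an added example written for this page, not Lacework's or the CIS benchmark's own code: it takes the JSON that `az monitor log-profiles list --query [*].storageAccountId` and `az storage container list` print, pulls the storage account name out of the resource ID, and evaluates the publicAccess value of insights-operational-logs. It assumes the az CLI output shape (a list of container objects with a `properties.publicAccess` field; it also accepts a top-level `publicAccess` key and treats the string `off` as private, since that is the value `set-permission` takes) and uses constructed sample output, not data from a real subscription.

```python
from __future__ import annotations

import json
import re
from typing import Any

# Container the benchmark expects to hold the activity log export (from the page).
CONTAINER = "insights-operational-logs"

# Values that mean "no anonymous access". null is what the page says to expect;
# "off" is accepted as an assumption because `az storage container set-permission`
# uses --public-access off. Anything else (e.g. "blob", "container") is a finding.
PRIVATE_VALUES = {None, "off"}

# Resource IDs look like /subscriptions/<sub>/resourceGroups/<rg>/providers/
# Microsoft.Storage/storageAccounts/<name>; the last segment is the account name.
_ACCOUNT_RE = re.compile(r"/storageAccounts/([^/]+)$", re.IGNORECASE)


def account_names_from_log_profiles(az_output: str) -> list[str]:
    """Parse the JSON list of storageAccountId strings (step 1) into account names.

    Entries that are null or do not match the expected resource ID shape are skipped,
    so a log profile that exports nowhere does not crash the check."""
    names: list[str] = []
    for resource_id in json.loads(az_output):
        if not isinstance(resource_id, str):
            continue
        match = _ACCOUNT_RE.search(resource_id)
        if match:
            names.append(match.group(1))
    return names


def public_access_of(container: dict[str, Any]) -> Any:
    """Read publicAccess from one container record.

    Assumption: az nests it under 'properties'; fall back to a top-level key so an
    older or query-flattened output shape is still handled."""
    props = container.get("properties") or {}
    if "publicAccess" in props:
        return props["publicAccess"]
    return container.get("publicAccess")


def audit_activity_log_container(az_output: str, name: str = CONTAINER) -> tuple[str, str]:
    """Evaluate `az storage container list` JSON (step 2) for the activity-log container.

    Returns (status, detail); status is PASS, FAIL, NOT_FOUND or ERROR."""
    try:
        containers = json.loads(az_output)
    except json.JSONDecodeError as exc:
        return "ERROR", f"could not parse az output: {exc}"
    matches = [c for c in containers if isinstance(c, dict) and c.get("name") == name]
    if not matches:
        return "NOT_FOUND", f"no container named {name}; confirm the account from the log profile"
    level = public_access_of(matches[0])
    if level in PRIVATE_VALUES:
        return "PASS", f"{name}: publicAccess={level!r} (no anonymous access)"
    return "FAIL", f"{name}: publicAccess={level!r} permits anonymous read; set --public-access off"


# Constructed sample output (made up for this example; not real subscription data).
SAMPLE_LOG_PROFILES = json.dumps([
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs"
    "/providers/Microsoft.Storage/storageAccounts/stactivitylogsexample",
    None,
])
SAMPLE_PRIVATE = json.dumps([
    {"name": CONTAINER, "properties": {"publicAccess": None, "leaseStatus": "unlocked"}},
])
SAMPLE_PUBLIC = json.dumps([
    {"name": CONTAINER, "properties": {"publicAccess": "container", "leaseStatus": "unlocked"}},
    {"name": "other-data", "properties": {"publicAccess": None}},
])

if __name__ == "__main__":
    for account in account_names_from_log_profiles(SAMPLE_LOG_PROFILES):
        print(f"log profile exports to storage account: {account}")
    for label, sample in (("private", SAMPLE_PRIVATE), ("public", SAMPLE_PUBLIC), ("empty", "[]")):
        status, detail = audit_activity_log_container(sample)
        print(f"[{status}] {label}: {detail}")
```

In practice the two samples would be replaced by the captured output of the az commands (for example via `subprocess.run([...], capture_output=True)`), one run of `audit_activity_log_container` per account name returned by `account_names_from_log_profiles`. NOT_FOUND is reported separately from PASS on purpose: a missing container usually means the log profile points at a different account than the one being audited, not that the control is satisfied.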

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Search for Storage Accounts to access Storage account blade.
  3. Click the Storage Account name.
  4. Under Properties click Blob service.
  5. Check the box next to the container named insights-operational-logs.
  6. Select Change access level from the top menu.
  7. Select Private (no anonymous access) from the drop-down menu.
  8. Click OK.

From Azure CLI

az storage container set-permission --name insights-operational-logs --account-name <Storage Account Name> --public-access off

References

https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls