Trend Micro Cloud One™

Check for Publicly Accessible Activity Log Storage Container

Last updated: 04 February 2020
Risk level: High (not acceptable risk)

Ensure that the Microsoft Azure storage container where the exported activity log files are saved is not publicly accessible from the Internet in order to avoid exposing sensitive data and minimize security risks.

Security

Allowing public access to your Azure cloud activity logs can increase the attack surface and the opportunity for malicious activity, as attackers can identify weaknesses in your Azure account's use or configuration when they are able to access the activity log container anonymously.

Audit

To determine if the storage container holding the activity logs is publicly accessible, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the navigation panel, select Activity log to access the activity log available in your Azure cloud account.

04 From the Subscription filter box, select the Azure account subscription that you want to examine.

05 On the Activity log page, click Export to Event Hub to access your Azure Log profile configuration settings.

06 On the Export activity log panel, click on the Storage account tab and copy the identifier of the storage container that holds the activity logs, available in the Storage account box.

07 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts and paste the storage account ID copied at step no. 6 into the Filter by name box.

08 Click on the name of the Azure storage account returned by the filtering process.

09 In the navigation panel, under Blob service, click Blobs to access the blob containers provisioned in the selected storage account.

10 On the Blobs page, choose the storage container named insights-operational-logs, and check the configuration value available in the PUBLIC ACCESS LEVEL column. If the configuration value is set to Container, the Microsoft Azure storage container that contains your activity logs is publicly accessible, hence your Azure activity log data can be read using anonymous requests.

11 Repeat steps no. 4 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the monitor log-profiles list command (Windows/macOS/Linux) with a custom query filter to get the identifier (ID) of the Azure storage account configured to store activity logs within the current Azure subscription:

az monitor log-profiles list \
  --query '[*].storageAccountId'

02 The command output should return the ID of the associated Azure storage account:

[
  "abcd1234abcd1234abcd1234"
]

03 Run the storage container show command (Windows/macOS/Linux), passing the ID of the storage account returned at the previous step and the name of the blob container that stores the activity log files as identifier parameters, to expose the public access level set for the selected container:

az storage container show \
  --account-name abcd1234abcd1234abcd1234 \
  --name insights-operational-logs \
  --query 'properties.publicAccess'

04 The command output should return the name of the configured public access level. There are three levels of public access: Private (no anonymous access), Blob (anonymous read access for blobs only) and Container (anonymous read access for containers and blobs):

"container"

If the storage container show command output returns "container", as shown in the example above, the Microsoft Azure storage container that holds your activity log files is publicly accessible, therefore your Azure activity log data can be read by anyone using anonymous requests.

05 Repeat steps no. 1 – 4 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To disable anonymous access to the Azure blob container that stores your Microsoft Azure activity logs, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name of the Azure storage account associated with your Log Profile (see Audit section part I to identify the right account).

04 In the navigation panel, under Blob service, click Blobs to access the blob containers provisioned for the selected storage account.

05 On the Blobs page, select the storage container that you want to reconfigure, i.e. insights-operational-logs container, then click Change access level button from the blade top menu.

06 On the Change access level configuration panel, select Private (no anonymous access) option from the Public access level dropdown list to disable anonymous access for the selected blob container. Click Ok to apply the configuration change. Setting the container access policy to Private (no anonymous access) will remove access from the container for everyone except the owners of the storage account.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the storage container set-permission command (Windows/macOS/Linux), passing the name of the storage container that contains your activity logs (i.e. insights-operational-logs) as identifier parameter, to disable anonymous access to the selected blob container by setting the "Public access level" configuration option to Private (no anonymous access). Setting the container access policy to Private (no anonymous access) will remove access from the container for everyone except the owners of the associated storage account:

az storage container set-permission \
  --account-name abcd1234abcd1234abcd1234 \
  --name insights-operational-logs \
  --public-access off

02 Repeat step no. 1 for each subscription created within your Microsoft Azure cloud account.
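The CLI audit (steps 1 to 4 above) and the CLI remediation (step 1 above) can be combined into one script that walks every enabled subscription instead of being repeated by hand. The script below is an added example, not Cloud Conformity's or Microsoft's code. It assumes the Azure CLI is installed and logged in, that the activity-log container uses the default name insights-operational-logs (the LOG_CONTAINER environment variable that overrides it is this script's own assumption), and that the caller may list the storage account keys, which is what the CLI falls back to for data-plane commands when no --auth-mode is given. It goes slightly beyond the page's check in two ways: it flags the Blob access level as well as Container, because Blob-level access still lets anyone who knows a blob's URL read that log file anonymously, and it copes with storageAccountId being returned as a full resource ID rather than the bare account name that az storage commands expect.

```shell
#!/usr/bin/env bash
# Added example (not Cloud Conformity's code): audit, and optionally fix, the public
# access level of the activity-log container in every enabled subscription.
# Assumes the Azure CLI is installed and logged in (`az login`).
set -eu

# Container name used by Azure Monitor log-profile exports; override via LOG_CONTAINER
# (this environment variable is an assumption of this script, not a CLI feature).
CONTAINER="${LOG_CONTAINER:-insights-operational-logs}"

# `az storage container show --query properties.publicAccess -o tsv` prints
# "container", "blob", or an empty string (JSON null) when the container is private.
# Normalize all of those to one of: container, blob, private.
normalize_access_level() {
  local v
  v=$(printf '%s' "$1" | tr -d '"[:space:]' | tr '[:upper:]' '[:lower:]')
  case "$v" in
    ""|null) echo private ;;
    *)       echo "$v" ;;
  esac
}

# Exit 0 when the level allows any anonymous read. The page's check flags only
# "Container"; "Blob" is flagged here too, since it exposes each log blob by URL.
is_public_level() {
  case "$1" in
    container|blob) return 0 ;;
    *)              return 1 ;;
  esac
}

# storageAccountId may be a full ARM resource ID
# (/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>);
# az storage commands want the bare <name>, i.e. the last path segment.
# A value that is already a bare name is returned unchanged.
account_name_from_id() {
  printf '%s\n' "${1##*/}"
}

# Audit (and in "fix" mode remediate) every log-profile storage account in one
# subscription. Returns 0 if no publicly readable log container was found, 1 otherwise.
audit_subscription() {
  local sub="$1" mode="$2" rc=0 id acct raw level
  for id in $(az monitor log-profiles list --subscription "$sub" \
                --query '[*].storageAccountId' -o tsv); do
    acct=$(account_name_from_id "$id")
    # Skip profiles that export only to Event Hub (no storage account configured).
    [ -n "$acct" ] && [ "$acct" != "None" ] || continue
    if ! raw=$(az storage container show --subscription "$sub" \
                 --account-name "$acct" --name "$CONTAINER" \
                 --query 'properties.publicAccess' -o tsv 2>/dev/null); then
      echo "WARN    sub=$sub account=$acct container=$CONTAINER not readable (missing or no permission)"
      continue
    fi
    level=$(normalize_access_level "$raw")
    if is_public_level "$level"; then
      echo "FINDING sub=$sub account=$acct container=$CONTAINER publicAccess=$level"
      rc=1
      if [ "$mode" = "fix" ]; then
        # Same remediation as the page's CLI step: set the access level to Private.
        az storage container set-permission --subscription "$sub" \
          --account-name "$acct" --name "$CONTAINER" --public-access off >/dev/null
        echo "FIXED   sub=$sub account=$acct container=$CONTAINER publicAccess=off"
      fi
    else
      echo "OK      sub=$sub account=$acct container=$CONTAINER publicAccess=$level"
    fi
  done
  return $rc
}

# Usage: activity-log-container-check.sh audit|fix
main() {
  local mode="$1" rc=0 sub
  for sub in $(az account list --query "[?state=='Enabled'].id" -o tsv); do
    audit_subscription "$sub" "$mode" || rc=1
  done
  return $rc
}

# Only talk to Azure when a mode is given, so the helper functions above can be
# sourced and exercised on their own.
if [ "${1:-}" = "audit" ] || [ "${1:-}" = "fix" ]; then
  main "$1"
fi
```

Run it with audit to report, or fix to also set the container to Private; a non-zero exit status means at least one publicly readable container was found, which makes the script usable as a scheduled compliance check.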

Publication date Aug 16, 2019