Trend Micro Cloud One™

Disable Anonymous Access to Blob Containers

Last updated: 11 September 2020
Risk level: Medium (should be achieved)
Rule ID: StorageAccounts-006

Ensure that the "Public access level" configuration setting is set to "Private (no anonymous access)" for all blob containers in your storage account in order to block anonymous access to these Microsoft Azure resources.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

A client that accesses a blob container anonymously can use SDK constructors that require no credentials at all, bypassing controls such as shared access signatures. Cloud Conformity strongly recommends disabling anonymous access to all blob containers provisioned within your storage account unless it is genuinely required. To adhere to Azure cloud security best practices, use a shared access signature (SAS) token to provide controlled, time-limited access to your blob containers instead.

Audit

To determine if anonymous access to Azure Storage blob containers is disabled, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name (link) of the Azure Storage account that you want to examine.

04 In the navigation panel, under Blob service, click Blobs to access the blob containers provisioned in your storage account.

05 On the Blobs page, choose the container that you want to examine and check the configuration value available in the PUBLIC ACCESS LEVEL column. If the value is set to Container, all container and blob data can be read by anonymous request, therefore anonymous access to the selected Azure Storage blob container is not disabled.

06 Repeat step no. 5 for each blob container provisioned in the selected storage account.

07 Repeat steps no. 3 – 6 for each storage account available within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run storage account list command (Windows/macOS/Linux) using custom query filters to list the name (identifier) of each storage account available in the current Azure subscription:

az storage account list \
	--query '[*].name'

02 The command output should return the requested storage account names:

[
  "abcdabcdabcd123412341234",
  "abcd1234abcd1234abcd1234"
]

03 Run storage container list command (Windows/macOS/Linux) using the name of the storage account that you want to examine as identifier parameter and custom query filters to list the containers available in the selected storage account:

az storage container list \
	--account-name abcdabcdabcd123412341234 \
	--query '[*].name'

04 The command output should return the name of the blob containers within the specified storage account:

[
  "cc-project5-container",
  "cc-staging-container"
]

05 Run storage container show command (Windows/macOS/Linux) using the name of the blob container that you want to examine as identifier parameter to return the public access level set for the selected container:

az storage container show \
	--name cc-project5-container \
	--account-name abcdabcdabcd123412341234 \
	--query 'properties.publicAccess'

06 The command output should return the name of the configured public access level. There are three levels of public access: Private (no anonymous access), Blob (anonymous read access for blobs only) and Container (anonymous read access for containers and blobs):

"container"

If the storage container show command output returns "container", as shown in the example above, the data available in the selected blob container can be read by anonymous request, therefore anonymous access to the selected Azure Storage blob container is not disabled.

07 Repeat steps no. 5 and 6 for each container provisioned in the selected storage account.

08 Repeat steps no. 3 – 7 for each storage account available within the selected subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To disable anonymous access to blob containers within your Microsoft Azure Storage accounts, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name (link) of the Azure Storage account that you want to access.

04 In the navigation panel, under Blob service, click Blobs to access the blob containers provisioned in your storage account.

05 On the Blobs page, select the container that you want to reconfigure (see Audit section part I to identify the right resource), then click Change access level button from the blade top menu.

06 On the Change access level configuration panel, select Private (no anonymous access) option from the Public access level dropdown list to disable anonymous access for the selected blob container. Click Ok to confirm the change.

07 Repeat steps no. 5 and 6 for all publicly accessible containers available in the selected storage account.

08 Repeat steps no. 3 – 7 for each storage account available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run storage container set-permission command (Windows/macOS/Linux) using the name of the blob container that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource). Setting --public-access to off sets the "Public access level" configuration option to "Private (no anonymous access)" and disables anonymous access to the selected blob container:

az storage container set-permission \
	--name cc-project5-container \
	--account-name abcdabcdabcd123412341234 \
	--public-access off

02 Repeat step no. 1 for all publicly accessible containers available in the selected storage account.

03 Repeat steps no. 1 and 2 for each storage account available in the current Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
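The Audit (part II) and Remediation (part II) CLI procedures above loop over every subscription, storage account and container by hand. The script below is an added example, not part of the original Cloud Conformity page, that automates both for the current subscription: it classifies each container's publicAccess value and, when REMEDIATE=1 is set, applies the same set-permission command to non-compliant containers. It assumes the Azure CLI is installed and logged in, and that your identity has the data-plane role needed for --auth-mode login.

```shell
#!/usr/bin/env bash
# Added example (not the page's or Cloud Conformity's own code). Assumes `az`
# is installed and logged in; --auth-mode login uses your Azure AD identity
# instead of fetching storage account keys.
set -e

# Pure decision logic, kept separate from az calls so it can be tested offline.
# Input: properties.publicAccess as printed by `-o tsv`:
# "container", "blob", or an empty string for Private (no anonymous access).
assess_public_access() {
    case "${1:-}" in
        container) echo "NON_COMPLIANT: anonymous read of container listing and all blobs" ;;
        blob)      echo "NON_COMPLIANT: anonymous read of individual blobs" ;;
        "")        echo "COMPLIANT: private (no anonymous access)" ;;
        *)         echo "UNKNOWN: unexpected value '$1'" ;;
    esac
}

# Exit status 0 when the container must be set back to private.
needs_remediation() {
    case "$(assess_public_access "$1")" in
        NON_COMPLIANT*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Audit every container in the current subscription (steps 1-8 of Audit part II);
# with REMEDIATE=1, also run the page's set-permission command on each finding.
audit_subscription() {
    local account container access
    for account in $(az storage account list --query '[*].name' -o tsv); do
        for container in $(az storage container list --account-name "$account" \
                --auth-mode login --query '[*].name' -o tsv); do
            access=$(az storage container show --name "$container" \
                --account-name "$account" --auth-mode login \
                --query 'properties.publicAccess' -o tsv)
            printf '%s/%s: %s\n' "$account" "$container" "$(assess_public_access "$access")"
            if [ "${REMEDIATE:-0}" = 1 ] && needs_remediation "$access"; then
                az storage container set-permission --name "$container" \
                    --account-name "$account" --auth-mode login --public-access off
            fi
        done
    done
}

# Only touch a live subscription when explicitly requested:
#   RUN_AUDIT=1 bash audit-blob-access.sh               # report only
#   RUN_AUDIT=1 REMEDIATE=1 bash audit-blob-access.sh   # report and fix
if [ "${RUN_AUDIT:-0}" = 1 ]; then
    audit_subscription
fi
```

Run it once per subscription after `az account set --subscription <id>` to cover step 9 of the audit procedure.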

Publication date Jun 12, 2019