Ensure that the Microsoft Azure Storage $web containers configured to host static websites within Azure cloud are not publicly accessible in order to eliminate the direct exposure to the public Internet.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure.
A $web container is used to host a static website within Azure cloud. Updating the public access level of the $web container has no impact on the primary static website endpoint because the files in this blob container are served through anonymous requests and are available only through read operations. However, a change to the public access level does affect the primary blob service endpoint. For example, if the public access level of the $web container changes from Private (no anonymous access) to Blob (anonymous read access for blobs only), the level of public access to the primary static website endpoint (e.g. https://abcd1234abcd1234abcd1234.abc.web.core.windows.net/index.html) doesn't change, but the public access to the primary blob service endpoint (e.g. https://abcd1234abcd1234abcd1234.blob.core.windows.net/$web/index.html) does change from private to public. Anonymous users can then 1) open index.html by using either of these two endpoints and 2) access other files available within the $web container.
For security and compliance purposes, only the primary static website endpoint should be publicly accessible; therefore the $web containers should have the "Public access level" configuration setting set to "Private (no anonymous access)".
Note: Static websites are only supported for StorageV2 (general-purpose v2) accounts.
Audit
To determine if there are any publicly accessible $web containers configured to host static websites within your Azure account, perform the following actions:
Remediation / Resolution
To disable anonymous access to the blob containers configured to host static websites within your Azure cloud account (i.e. $web containers), perform the following actions:
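The following shell audit is an added example, not part of the original rule page or Cloud Conformity's own procedure. It uses the Azure CLI commands named in the references to report the public access level of each $web container. It assumes an authenticated `az` session that can read the storage accounts; the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example: audit the public access level of $web containers with the Azure CLI.
# Assumption: `az login` has been run and the session can read each storage account.

# Print the public access level of the $web container in one storage account:
# "private", "blob" or "container". Returns non-zero if the lookup fails
# (for example, the account has no $web container).
web_container_access() {
  local account="$1" level
  level="$(az storage container show --account-name "$account" --name '$web' \
            --query 'properties.publicAccess' --output tsv 2>/dev/null)" || return 2
  case "$level" in
    ''|null|None|off) echo private ;;  # no anonymous access; spellings normalised defensively
    *) echo "$level" ;;
  esac
}

# Audit the accounts given as arguments, or every StorageV2 account in the
# current subscription when none are given. Prints one line per $web container
# and returns 1 if any of them is readable through the blob service endpoint.
audit_web_containers() {
  local account level rc=0
  if [ "$#" -eq 0 ]; then
    set -- $(az storage account list --query "[?kind=='StorageV2'].name" --output tsv)
  fi
  for account in "$@"; do
    level="$(web_container_access "$account")" || continue  # no $web container
    if [ "$level" = private ]; then
      echo "PASS $account \$web public access: private"
    else
      echo "FAIL $account \$web public access: $level"
      rc=1
    fi
  done
  return "$rc"
}
```

Source the file and run `audit_web_containers`. Any account reported as FAIL can be returned to private with `az storage container set-permission --account-name <account> --name '$web' --public-access off`.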
References
- Azure Official Documentation
  - Configure anonymous public read access for containers and blobs
  - Static website hosting in Azure Storage
  - Host a static website in Azure Storage
- Azure Command Line Interface (CLI) Documentation
  - az storage account list
  - az storage blob service-properties show
  - az storage container show
  - az storage container set-permission
You are auditing:
Check for Publicly Accessible Web Containers
Risk level: Medium