Check for Publicly Accessible Web Containers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: StorageAccounts-016

Ensure that the Microsoft Azure Storage web containers configured to host static websites within Azure cloud are not publicly accessible in order to eliminate the direct exposure to the public Internet.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

A web container is used to host a static website within Azure cloud. Updating the public access level of the web container has no impact on the primary static website endpoint, because the files in this blob container are served through anonymous requests and are available only through read operations. However, while the primary static website endpoint is not affected, a change to the public access level does impact the primary blob service endpoint. For example, if the public access level of the web container changes from Private (no anonymous access) to Blob (anonymous read access for blobs only), the level of public access to the primary static website endpoint (e.g. https://abcd1234abcd1234abcd1234.abc.web.core.windows.net/index.html) doesn't change, but the public access to the primary blob service endpoint (e.g. https://abcd1234abcd1234abcd1234.blob.core.windows.net/web/index.html) does change from private to public. Anonymous users can now 1) open index.html by using either of these two endpoints and 2) access other files available within the web container. For security and compliance purposes only the primary static website endpoint should be publicly accessible, therefore the web containers should have the "Public access level" configuration setting set to "Private (no anonymous access)".

Note: Static websites are only supported for StorageV2 (general-purpose v2) accounts.


Audit

To determine if there are any publicly accessible web containers configured to host static websites within your Azure account, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to examine from the Subscription filter box.

04 Click on the name of the Azure Storage account that you want to examine.

05 In the navigation panel, under Settings, select Static website to access the static website configuration settings available for the selected storage account.

06 On the static website configuration page, click on the web link available under Static website to access the blob container created and configured to host your static website.

07 On the web container Overview page, click on the Change access level button from the dashboard top menu and check the Public access level configuration attribute value. If the Public access level value is not set to Private (no anonymous access), the selected web container is publicly accessible from the Internet, therefore both the primary static website endpoint and the blob service endpoint are exposed to anonymous requests.

08 Repeat steps no. 4 – 7 for each storage account available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage account list command (Windows/macOS/Linux) using custom query filters to describe the name of each storage account available in the current Azure subscription:

az storage account list \
	--query '[*].name'

02 The command output should return the requested storage account identifiers/names:

[
  "123412341234abcdabcdabcd",
  "abcd1234abcd1234abcd1234"
]

03 Run storage blob service-properties show command (Windows/macOS/Linux) using the name of the storage account that you want to examine as identifier parameter and custom query filters to describe the status of the static website hosting feature for the selected storage account:

az storage blob service-properties show \
	--account-name 123412341234abcdabcdabcd \
	--query 'staticWebsite.enabled'

04 The command output should return the requested configuration status (true for enabled, false for disabled):

true

05 If the value returned at the previous step is true, the selected Microsoft Azure Storage account is configured to host static websites. Run storage container show command (Windows/macOS/Linux) using the name of the storage account configured to host static websites as identifier parameter, to describe the public access level set for the web blob container:

# The container that hosts the static website is always named $web;
# it is single-quoted so the shell does not expand it as a variable
az storage container show \
	--name '$web' \
	--account-name 123412341234abcdabcdabcd \
	--query '{"PublicAccessLevel":properties.publicAccess}'

06 The command output should return the name of the configured public access level. There are three levels of public access: Private (no anonymous access), Blob (anonymous read access for blobs only) and Container (anonymous read access for containers and blobs):

{
  "PublicAccessLevel": "blob"
}

If the value returned for the "PublicAccessLevel" configuration attribute is not null (i.e. it is "blob" or "container"), the selected web container is publicly accessible from the Internet, therefore both the primary static website endpoint and the blob service endpoint are directly exposed to anonymous requests.

07 Repeat steps no. 3 – 6 for each storage account available within the selected subscription.

08 Repeat steps no. 1 – 7 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To disable anonymous access to the blob containers configured to host static websites within your Azure cloud account (i.e. web containers), perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to examine from the Subscription filter box.

04 Click on the name of the Azure Storage account that you want to access.

05 In the navigation panel, under Blob service, click Containers to access the blob containers provisioned in your storage account.

06 On the Containers listing page, select the web container, then click Change access level button from the blade top menu.

07 On the Change access level configuration panel, select Private (no anonymous access) option from the Public access level dropdown list to disable anonymous access for the selected blob container. Click Ok to confirm the change.

08 If required, repeat steps no. 4 – 7 for each storage account available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run storage container set-permission command (Windows/macOS/Linux) using the name of the Azure Storage account configured to host static websites as identifier parameter (see the Using Azure CLI steps in the Audit section to identify the right resource) to disable anonymous access to the selected web container by setting the "Public access level" configuration option to "Private (no anonymous access)", i.e. set the --public-access parameter to off:

# The static website container is always named $web (single-quoted so the
# shell does not expand it); "off" maps to Private (no anonymous access)
az storage container set-permission \
	--name '$web' \
	--account-name 123412341234abcdabcdabcd \
	--public-access off

02 The command output should return the storage container set-permission command request metadata:

{
  "etag": "\"0xABCDABCDABCDABC\"",
  "lastModified": "2020-01-30T10:27:03+00:00"
}

03 If required, repeat steps no. 1 and 2 for each storage account available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
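The Azure CLI audit steps and the remediation step above are one loop per subscription and per storage account. The script below is an added example (not Conformity's own code and not part of the Azure CLI) that runs that loop in a single pass: it lists subscriptions and storage accounts, skips accounts without static website hosting, classifies the public access level of the $web container, prints the matching set-permission command for every non-compliant container, and applies it when started in fix mode. It assumes the az CLI is installed and logged in, that the caller may read and (in fix mode) change container permissions, and that the static website container carries its fixed Azure name $web; the script file name web-container-audit.sh and the audit/fix mode words are this example's own choice.

```shell
#!/usr/bin/env sh
# Added example, not Conformity's own code: walks every subscription and
# storage account, applies the StorageAccounts-016 check to the $web
# container, and optionally remediates. Assumes `az login` has been done.

# Classify what az prints for `--query properties.publicAccess -o tsv`:
# JSON null (Private) comes out as an empty string; "blob" and "container"
# are the two anonymous-read levels.
classify_public_access() {
  case "$1" in
    ""|None|null) echo "PRIVATE" ;;
    blob|container) echo "PUBLIC:$1" ;;
    *) echo "UNKNOWN:$1" ;;
  esac
}

# Only accounts with static website hosting enabled own a $web container.
# az renders the boolean as True/False in tsv output; accept both spellings.
static_website_enabled() {
  case "$1" in
    true|True) return 0 ;;
    *) return 1 ;;
  esac
}

# The remediation command for one account, echoed so an audit run doubles
# as a runbook. $web is single-quoted so the shell does not expand it.
remediation_command() {
  printf "az storage container set-permission --name '\$web' --account-name %s --public-access off\n" "$1"
}

NONCOMPLIANT=0

# Audit (mode=audit) or audit-and-fix (mode=fix) one subscription.
# Per-command stderr is silenced because az warns when it has to look up
# the account key; the verdict line carries the result.
audit_subscription() {
  sub="$1"
  mode="$2"
  for acct in $(az storage account list --subscription "$sub" --query '[*].name' -o tsv); do
    enabled=$(az storage blob service-properties show --account-name "$acct" \
      --subscription "$sub" --query 'staticWebsite.enabled' -o tsv 2>/dev/null)
    static_website_enabled "$enabled" || continue
    level=$(az storage container show --name '$web' --account-name "$acct" \
      --subscription "$sub" --query 'properties.publicAccess' -o tsv 2>/dev/null)
    verdict=$(classify_public_access "$level")
    printf '%s\t%s\t$web\t%s\n' "$sub" "$acct" "$verdict"
    case "$verdict" in
      PUBLIC:*)
        NONCOMPLIANT=$((NONCOMPLIANT + 1))
        if [ "$mode" = "fix" ]; then
          az storage container set-permission --name '$web' --account-name "$acct" \
            --subscription "$sub" --public-access off --output none
        else
          remediation_command "$acct"
        fi
        ;;
    esac
  done
}

main() {
  case "${1:-}" in
    audit|fix) ;;
    *) echo "usage: $0 audit|fix" >&2; return 0 ;;
  esac
  command -v az >/dev/null 2>&1 || { echo "az CLI not found" >&2; return 1; }
  for sub in $(az account list --query '[*].id' -o tsv); do
    audit_subscription "$sub" "$1"
  done
  echo "non-compliant web containers: $NONCOMPLIANT" >&2
}

main "$@"
```

Run it as sh web-container-audit.sh audit to get one tab-separated line (subscription, account, container, verdict) per web container, followed by the remediation command for each container whose verdict starts with PUBLIC; sh web-container-audit.sh fix applies that command instead of printing it. The summary count goes to stderr so the verdict lines can be piped into a ticket or a spreadsheet unchanged.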

Publication date Feb 3, 2020
