
Review Storage Accounts with Static Website Configuration

Risk level: Medium (should be achieved)

Ensure that all the Microsoft Azure Storage accounts configured to host static websites are regularly reviewed for security and compliance purposes. Upon enabling this rule on your Cloud Conformity console, you must specify the storage account or the list of storage accounts that are expected to host static content (HTML, CSS, JavaScript and image files).

Security

To host static websites using the Microsoft Azure Storage service, you need to configure a storage account as a web hosting container by adding the necessary configuration. By regularly reviewing the Azure Storage accounts configured to host static websites, you make sure that only the desired storage containers are accessible from the primary website endpoint.

Audit

To identify all Azure Storage accounts that host static websites so that they can be reviewed, perform the following actions:

Using Azure Portal

01 Sign in to your Cloud Conformity console, access Review Storage Accounts with Static Website Configuration conformity rule settings and identify the storage account or the list of storage accounts that are allowed to host static websites.

02 Sign in to Azure Management Console.

03 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

04 On the Storage accounts page, select the subscription that you want to examine from the Subscription filter box.

05 Click on the name of the Azure Storage account that you want to examine.

06 In the navigation panel, under Settings, select Static website to access the static website configuration settings available for the selected storage account.

07 On the static website configuration page, check the Static website setting state. If the setting state is set to Enabled, the selected Microsoft Azure Storage account is configured to host static websites.

08 Compare the name of the storage account verified at the previous step with each account name identified at step no. 1. If the verified Azure Storage account is not allowed to host static websites, the selected account should be reviewed in order to decide whether or not to disable the website hosting feature.

09 Repeat steps no. 5 – 8 for each storage account available in the selected subscription.

10 Repeat steps no. 4 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity console, access Review Storage Accounts with Static Website Configuration conformity rule settings and identify the storage account or the list of storage accounts that are allowed to host static websites.

02 Run storage account list command (Windows/macOS/Linux) using custom query filters to list the name of each storage account available in the current Azure subscription:

az storage account list \
    --query '[*].name'

03 The command output should return the requested storage account identifiers/names:

[
  "abcd1234abcd1234abcd1234",
  "123412341234abcdabcdabcd"
]

04 Run storage blob service-properties show command (Windows/macOS/Linux) using the name of the storage account that you want to examine as identifier parameter and custom query filters to describe the static website hosting feature status set for the selected storage account:

az storage blob service-properties show \
    --account-name abcd1234abcd1234abcd1234 \
    --query 'staticWebsite.enabled'

05 The command output should return the requested configuration status (true for enabled, false for disabled):

true

If the boolean value returned by the storage blob service-properties show command output is true, the selected Microsoft Azure Storage account is configured to host static websites.

06 Compare the name of the storage account verified at the previous steps with each account name identified at step no. 1. If the verified Azure Storage account is not allowed to host static websites, the selected resource should be reviewed in order to decide whether or not to disable the website hosting feature.

07 Repeat steps no. 4 – 6 for each storage account available in the current Azure subscription.

08 Repeat steps no. 2 – 7 for each subscription created in your Microsoft Azure cloud account.
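The CLI audit steps above combined into one loop, as an added example that is not part of the original page. The `ALLOWED` variable and the function names are hypothetical; `az account list`, `--subscription` and `-o tsv` are standard Azure CLI options that the page itself does not use.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). ALLOWED is a hypothetical
# space-separated allow-list holding the account names identified in step 01.
ALLOWED="${ALLOWED:-abcd1234abcd1234abcd1234}"

# Returns 0 when the given account name is on the allow-list.
is_allowed() {
  local name
  for name in $ALLOWED; do
    if [ "$name" = "$1" ]; then return 0; fi
  done
  return 1
}

# Prints "<subscription> <account> <verdict>" for every account that is not
# confirmed disabled. Verdicts: APPROVED, REVIEW (enabled but not allowed),
# UNKNOWN (the status query failed, so the account needs a manual check).
# Subscription IDs and storage account names contain no whitespace, so
# word-splitting the tsv output is safe here.
audit_static_websites() {
  local sub acct enabled
  for sub in $(az account list --query '[].id' -o tsv); do
    for acct in $(az storage account list --subscription "$sub" \
                    --query '[].name' -o tsv); do
      if ! enabled=$(az storage blob service-properties show \
            --account-name "$acct" --subscription "$sub" \
            --query 'staticWebsite.enabled' -o tsv 2>/dev/null); then
        echo "$sub $acct UNKNOWN"
        continue
      fi
      case "$enabled" in
        true|True)
          if is_allowed "$acct"; then
            echo "$sub $acct APPROVED"
          else
            echo "$sub $acct REVIEW"
          fi ;;
      esac
    done
  done
}

# Run the audit only when the script is invoked with the "run" argument.
if [ "${1:-}" = "run" ]; then audit_static_websites; fi
```

Accounts reported as UNKNOWN are not assumed to be disabled: a failed status query (for example, missing data-plane access) leaves the static website state unverified.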

Remediation / Resolution

When the static website hosting feature is disabled at the storage account level, Microsoft Azure Storage service removes the website configuration from your storage account so that the web container that serves the static files is no longer accessible from the website endpoint. To disable this feature for all the reviewed storage accounts that are not allowed to host static websites, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to access from the Subscription filter box.

04 Click on the name of the Azure Storage account that you want to reconfigure.

05 In the navigation panel, under Settings, select Static website to access the static website configuration settings available for the selected storage account.

06 On the static website configuration page, click Disabled next to Static website to disable the static website hosting feature for the selected Microsoft Azure Storage account. Click Save to apply the changes. Once the feature is disabled, the static content available on the selected storage account web container is no longer accessible from the website endpoint.

07 Repeat steps no. 4 – 6 for each Azure Storage account available in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage blob service-properties update command (Windows/macOS/Linux) using the name of the storage account that you want to reconfigure as identifier parameter to disable the static website hosting feature for the selected Microsoft Azure Storage account:

az storage blob service-properties update \
    --account-name abcd1234abcd1234abcd1234 \
    --static-website false

02 The command output should return the command request metadata (including the current static website hosting configuration):

{
  "cors": [],
  "deleteRetentionPolicy": {
    "days": null,
    "enabled": false
  },
  "hourMetrics": {
    "enabled": true,
    "includeApis": true,
    "retentionPolicy": {
      "days": 7,
      "enabled": true
    },
    "version": "1.0"
  },
  "logging": {
    "delete": false,
    "read": false,
    "retentionPolicy": {
      "days": null,
      "enabled": false
    },
    "version": "1.0",
    "write": false
  },
  "minuteMetrics": {
    "enabled": false,
    "includeApis": null,
    "retentionPolicy": {
      "days": null,
      "enabled": false
    },
    "version": "1.0"
  },
  "staticWebsite": {
    "enabled": false,
    "errorDocument_404Path": null,
    "indexDocument": null
  }
}

03 Repeat steps no. 1 and 2 for each storage account available in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription available within your Microsoft Azure cloud account.

Publication date Dec 17, 2019
