Check for Publicly Accessible Activity Log Storage Container

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Monitor-005

Ensure that the Microsoft Azure storage container where the exported activity log files are saved is not publicly accessible from the Internet, in order to avoid exposing sensitive data and minimize security risks.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Allowing public access to your Azure cloud activity logs can increase the attack surface and the opportunity for malicious activity, as attackers can identify weaknesses in your Azure account's use or configuration when they are able to access the activity log container anonymously.


Audit

To determine if the storage container that stores the activity logs is publicly accessible, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/overview.

03 In the blade navigation panel, under Overview, select Activity log to access the activity log created for your Azure cloud account.

04 Choose Export Activity Logs from the console top menu to navigate to the Azure subscription diagnostic settings. Diagnostic settings are used to configure streaming export of Azure cloud platform logs and metrics for a subscription to the destination of your choice.

05 Select the Azure subscription that you want to examine from the Subscription dropdown list.

06 Choose the diagnostic setting where the log destination is a storage account (i.e. the Storage account column contains the account ID), then choose Edit setting to access the feature settings.

07 In the Destination details section, under Archive to a storage account, copy the ID of the storage account used as log file destination, available in the Storage account dropdown list.

08 Navigate to Azure Storage accounts blade at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts and paste the storage account ID copied at step no. 7 into the Filter for any field… search box.

09 Click on the name (link) of the Azure storage account returned by the filtering process.

10 In the left navigation panel, under Data storage, choose Containers to access the data containers provisioned in the selected storage account.

11 On the Containers listing page, choose the storage container named insights-activity-logs, and check the configuration value available in the Public access level column. If the configuration value is set to Container, the storage container that contains your activity logs is publicly accessible, therefore your Microsoft Azure activity log data can be read using anonymous requests.

12 Repeat steps no. 5 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor diagnostic-settings subscription list command (Windows/macOS/Linux) with custom query filters to describe the name of each diagnostic setting created for the selected Azure subscription:

az monitor diagnostic-settings subscription list \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd \
  --query 'value[*].name'

02 The command output should return the diagnostic setting identifier(s):

[
  "cc-log-diagnostic-setting"
]

03 Run monitor diagnostic-settings subscription show command (Windows/macOS/Linux) using the name of the diagnostic setting that you want to examine as the identifier parameter and custom query filters to get the ID of the Azure storage account configured to store activity logs within the selected subscription:

az monitor diagnostic-settings subscription show \
  --name "cc-log-diagnostic-setting" \
  --query 'storageAccountId'

04 The command output should return the full ID of the associated storage account (the ID contains the storage account name):

"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/abcd1234abcdabcd1234abcd"

05 Run storage container show command (Windows/macOS/Linux) using the ID of the storage account returned at the previous step and the name of the container that stores the activity log files (i.e. "insights-activity-logs") as the identifier parameters, to describe the public access level set for the selected container:

az storage container show \
  --account-name abcd1234abcdabcd1234abcd \
  --name insights-activity-logs \
  --query 'properties.publicAccess'

06 The command output should return the public access level configured for the selected container. There are three levels of public access: Private (no anonymous access, returned as null), Blob (anonymous read access for blobs only, returned as "blob") and Container (anonymous read and list access for the container and its blobs, returned as "container"):

"container"

If the storage container show command output returns "container", as shown in the output example above, the storage container that holds your activity log files is publicly accessible, therefore your Microsoft Azure activity log data can be read by anyone using anonymous requests.

07 Repeat steps no. 1 – 6 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To disable anonymous access to the storage container that stores your Microsoft Azure activity logs, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name (link) of the storage account associated with your Azure subscription diagnostic setting.

04 In the left navigation panel, under Data storage, choose Containers to access the data containers provisioned in the selected storage account.

05 On the Containers listing page, select the storage container named insights-activity-logs and choose Change access level from the console top menu to modify the access level for the selected resource.

06 On the Change access level configuration panel, select Private (no anonymous access) from the Public access level dropdown list to disable anonymous access for the selected storage container. Choose Ok to apply the configuration changes. Setting the container access policy to Private (no anonymous access) will remove access from the container for everyone except the owners of the storage account.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage container set-permission command (Windows/macOS/Linux) using the name of the storage container that contains your activity logs (i.e. "insights-activity-logs") as the identifier parameter, to disable anonymous access to the selected data container by setting the public access level to Private (no anonymous access). Setting the container access policy to Private (no anonymous access) will remove access from the container for everyone except the owners of the associated storage account:

az storage container set-permission \
  --account-name abcd1234abcdabcd1234abcd \
  --name insights-activity-logs \
  --public-access off

02 Repeat step no. 1 for each subscription created within your Microsoft Azure cloud account.
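The following POSIX shell script is an added example and is not part of this Conformity rule page or of the Azure CLI itself. It chains the Azure CLI Audit steps 01 to 06 and the Remediation step 01 across every subscription visible to the signed-in Azure CLI identity, so the "repeat for each subscription" steps no longer have to be done by hand. It assumes `az` is installed and logged in, that activity logs are exported to the default container name `insights-activity-logs`, and it uses `az account list` (not shown on the page) to enumerate subscriptions; the function names and the `AUDIT_RUN` / `REMEDIATE` environment variables are the example's own. A container whose public access level is Blob is reported as non-compliant as well, since that level also permits anonymous reads of the log files.

```shell
#!/bin/sh
# Added example (not Conformity's own code). Audits the activity log storage
# container in every subscription and, with REMEDIATE=1, sets offending
# containers back to Private. Assumes `az` is installed and logged in.
set -u

CONTAINER_NAME="insights-activity-logs"   # default container used by activity log export

# Map the raw value of properties.publicAccess (as printed by
# `az storage container show --query properties.publicAccess`) to a verdict.
# "container" and "blob" both allow anonymous reads; null/empty means Private.
classify_public_access() {
    raw=$(printf '%s' "$1" | tr -d '"[:space:]')
    case "$raw" in
        container) echo "NON_COMPLIANT:container" ;;
        blob)      echo "NON_COMPLIANT:blob" ;;
        ""|null)   echo "COMPLIANT:private" ;;
        *)         echo "UNKNOWN:$raw" ;;
    esac
}

# Extract the storage account name (last path segment) from a full
# storageAccountId resource ID such as the one returned in Audit step 04.
storage_account_name_from_id() {
    printf '%s' "$1" | tr -d '"' | sed 's#.*/storageAccounts/##'
}

# Discovery: every storage account that receives activity logs for one
# subscription (Audit steps 01-04). Prints one account name per line.
activity_log_storage_accounts() {
    sub="$1"
    az monitor diagnostic-settings subscription list \
        --subscription "$sub" \
        --query 'value[?storageAccountId != `null`].storageAccountId' -o tsv |
    while read -r id; do
        if [ -n "$id" ]; then storage_account_name_from_id "$id"; fi
    done
}

# Audit one subscription (steps 05-06); with REMEDIATE=1 also apply
# Remediation step 01 to every container found to be publicly accessible.
audit_subscription() {
    sub="$1"
    activity_log_storage_accounts "$sub" | while read -r account; do
        if ! access=$(az storage container show \
                --account-name "$account" --name "$CONTAINER_NAME" \
                --query 'properties.publicAccess' -o tsv 2>/dev/null); then
            echo "$sub $account/$CONTAINER_NAME ERROR: container not readable"
            continue
        fi
        verdict=$(classify_public_access "$access")
        echo "$sub $account/$CONTAINER_NAME $verdict"
        case "$verdict" in
            NON_COMPLIANT:*)
                if [ "${REMEDIATE:-0}" = "1" ]; then
                    az storage container set-permission \
                        --account-name "$account" --name "$CONTAINER_NAME" \
                        --public-access off >/dev/null \
                    && echo "$sub $account/$CONTAINER_NAME remediated: public access off"
                fi ;;
        esac
    done
}

# Steps 07 / 02: repeat for every subscription the signed-in identity can see.
audit_all_subscriptions() {
    az account list --query '[].id' -o tsv | while read -r sub; do
        audit_subscription "$sub"
    done
}

# Only talk to Azure when explicitly asked, so the helper functions can be
# sourced and checked offline.
if [ "${AUDIT_RUN:-0}" = "1" ]; then
    audit_all_subscriptions
fi
```

Run it as `AUDIT_RUN=1 sh audit-activity-log-container.sh` to report only, or `AUDIT_RUN=1 REMEDIATE=1 sh audit-activity-log-container.sh` to also set every non-compliant container to Private. Because the `az storage container` commands run without an explicit key, the signed-in identity needs permission to list the storage account keys, exactly as with the page's own commands.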

Publication date Aug 16, 2019