Ensure that public (anonymous) access is disabled for all the blob containers available within your Microsoft Azure storage accounts in order to protect your data against unauthorized access. Disabling public access at the storage account level overrides the public access setting configured for the individual blob containers in that storage account.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
A user who can access blob containers anonymously can use client constructors that do not require credentials, such as shared access signatures. Trend Cloud One™ – Conformity strongly recommends disabling anonymous access to all the blob containers provisioned within your Azure storage accounts, unless it is really required. To follow security best practices and keep your data safe and secure in Azure cloud, ensure that your blob containers are not publicly exposed.
Audit
To determine if your Azure storage blob containers are publicly accessible, perform the following actions:
Remediation / Resolution
Case A: To disable public (anonymous) access to all the blob containers within your Microsoft Azure storage accounts, perform the following actions:
Remediation / Resolution
Case B: To disable public (anonymous) access to specific containers within your Microsoft Azure storage account, perform the following operations:
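The account-level audit (Case A) and the container-level fix (Case B) described above, as an added example that is not part of the Conformity rule page. It parses the JSON that `az storage account list` and `az storage container list` return, and the sample records below are constructed; treating a null `allowBlobPublicAccess` as "not explicitly disabled" is an assumption made here for conservative reporting.

```python
import json
import subprocess

# Constructed sample records in the shape the Azure CLI returns (not real accounts).
SAMPLE_ACCOUNTS = [
    {"name": "stcompliant", "resourceGroup": "rg1", "allowBlobPublicAccess": False},
    {"name": "stexposed", "resourceGroup": "rg1", "allowBlobPublicAccess": True},
    {"name": "stunset", "resourceGroup": "rg2", "allowBlobPublicAccess": None},
]
SAMPLE_CONTAINERS = [
    {"name": "logs", "properties": {"publicAccess": None}},
    {"name": "www", "properties": {"publicAccess": "container"}},
    {"name": "img", "properties": {"publicAccess": "blob"}},
]

def run_az(args):
    """Run an az CLI command and return its parsed JSON output."""
    proc = subprocess.run(["az"] + args + ["--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def accounts_allowing_public_access(accounts):
    """Names of accounts whose allowBlobPublicAccess is not explicitly False.
    Assumption: a null value means the setting was never set, so the account is
    reported for review instead of being treated as compliant."""
    return [a["name"] for a in accounts if a.get("allowBlobPublicAccess") is not False]

def containers_with_public_access(containers):
    """Names of containers whose public access level is 'blob' or 'container'
    (the CLI reports null when anonymous access is off)."""
    return [c["name"] for c in containers
            if (c.get("properties", {}).get("publicAccess") or "off").lower() != "off"]

def remediation_commands(account, resource_group, public_containers):
    """Case A (account-level) fix followed by a Case B fix per exposed container."""
    cmds = [f"az storage account update --name {account} "
            f"--resource-group {resource_group} --allow-blob-public-access false"]
    for name in public_containers:
        cmds.append(f"az storage container set-permission --name {name} "
                    f"--account-name {account} --public-access off")
    return cmds

if __name__ == "__main__":
    for acct in run_az(["storage", "account", "list"]):
        if accounts_allowing_public_access([acct]):
            conts = run_az(["storage", "container", "list", "--auth-mode", "login",
                            "--account-name", acct["name"]])
            exposed = containers_with_public_access(conts)
            print(f"{acct['name']}: allowBlobPublicAccess={acct.get('allowBlobPublicAccess')}"
                  f", public containers={exposed}")
            for cmd in remediation_commands(acct["name"], acct["resourceGroup"], exposed):
                print("   ", cmd)
```

Run it with an authenticated `az login` session; the printed commands are the remediation to review and apply, and they are not executed automatically.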
References
- Azure Official Documentation
- Configure anonymous read access for containers and blobs
- Remediate anonymous read access to blob data (Azure Resource Manager deployments)
- Azure Command Line Interface (CLI) Documentation
- az storage account list
- az storage account show
- az storage account update
- az storage container set-permission