Disable Anonymous Access to Blob Containers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-006

Ensure that public (anonymous) access is disabled for all the blob containers available within your Microsoft Azure storage accounts in order to protect your data against unauthorized access. Disabling public access at the storage account level overrides the public access setting configured for the individual blob containers in that storage account.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

A user who can access blob containers anonymously can use client constructors that do not require credentials, such as shared access signatures. Trend Cloud One™ – Conformity strongly recommends disabling anonymous access to all the blob containers provisioned within your Azure storage accounts, unless it is genuinely required. To follow security best practices and keep your data safe and secure in Azure cloud, ensure that your blob containers are not publicly exposed.


Audit

To determine if your Azure storage blob containers are publicly accessible, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to view all your Microsoft Azure cloud resources.

03 From the Subscription equals all filter box, select the Azure subscription that you want to examine, and choose Apply.

04 From the Type equals all filter box, select Storage account and choose Apply to list only the storage accounts provisioned in your Microsoft Azure account.

05 Click on the name (link) of the storage account that you want to examine.

06 In the resource navigation panel, under Settings, choose Configuration to access the configuration settings available for the selected storage account.

07 Check the Allow Blob anonymous access setting value to determine whether blob anonymous access is enabled for the selected storage account. If Allow Blob anonymous access is set to Enabled, all container and blob data can be read by anonymous users; therefore, public access to the blob containers within the selected Azure storage account is not disabled.

08 Repeat steps no. 5 – 7 for each Azure storage account available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run the az storage account list command (Windows/macOS/Linux) with custom query filters to describe the identifier (ID) of each storage account provisioned in the current subscription:

az storage account list \
  --query '[*].id'

02 The command output should return the requested storage account IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/abcdabcdabcd123412341234",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/abcd1234abcd1234abcd1234"
]

03 Run the az storage account show command (Windows/macOS/Linux) with the ID of the Azure storage account that you want to examine as the identifier parameter, to determine whether blob anonymous access is enabled for the blob containers within the selected storage account:

az storage account show \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/abcdabcdabcd123412341234" \
  --query allowBlobPublicAccess

04 The command output should return the Allow Blob anonymous access setting status (true for enabled, false for disabled):

true

If the az storage account show command output returns true, as shown in the example above, the container and blob data can be read by anonymous users; therefore, public access to the blob containers in the selected Azure storage account is not disabled.

05 Repeat steps no. 3 and 4 for each Azure storage account available within the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
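The audit steps above can be scripted so that every storage account in the current subscription is checked in one pass. The script below is an added example, not Conformity's own tooling; it assumes a logged-in Azure CLI with permission to read storage accounts and to list containers via Entra ID (`--auth-mode login`). It also covers a case the manual steps do not mention: when allowBlobPublicAccess was never set, the CLI prints an empty value (JSON null) rather than true or false, and the example treats that as non-compliant because the rule expects an explicit Disabled.

```shell
#!/bin/sh
# Added audit helper (not part of Conformity's own tooling): report every storage
# account whose "Allow Blob anonymous access" setting is not explicitly disabled,
# and for those accounts list the containers that still carry a public access
# level. The decision helpers are pure so they can be checked without az.
set -eu

# allowBlobPublicAccess as printed by `az ... -o tsv`: "true", "false", or ""
# when the property was never set (JSON null). Only an explicit "false" passes;
# an unset value fails closed, because the rule expects the setting Disabled
# and an unset value does not prove that anonymous access is blocked.
account_compliant() {
  case "$1" in
    false|False) return 0 ;;
    *) return 1 ;;
  esac
}

# properties.publicAccess per container: "" (private, JSON null) or
# "blob"/"container" for the two anonymous access levels.
container_private() {
  case "$1" in
    ""|None|none|off) return 0 ;;
    *) return 1 ;;
  esac
}

audit_account() {
  id="$1"
  status=$(az storage account show --ids "$id" --query allowBlobPublicAccess -o tsv)
  if account_compliant "$status"; then
    echo "PASS account $id"
    return 0
  fi
  echo "FAIL account $id allowBlobPublicAccess=${status:-null}"
  # Account-level access is not disabled, so the container levels decide exposure.
  # The account name is the last path segment of the resource ID.
  az storage container list --account-name "${id##*/}" --auth-mode login \
     --query '[*].[name, properties.publicAccess]' -o tsv |
  while IFS="$(printf '\t')" read -r name level; do
    container_private "$level" || echo "  public container: $name ($level)"
  done
}

if command -v az >/dev/null 2>&1; then
  for id in $(az storage account list --query '[*].id' -o tsv); do
    audit_account "$id"
  done
else
  echo "az CLI not found; live audit skipped" >&2
fi
```

Run it once per subscription after `az account set --subscription <id>`; any FAIL line is an account where the Remediation steps below still apply.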

Remediation / Resolution

Case A: To disable public (anonymous) access to all the blob containers within your Microsoft Azure storage accounts, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to view all your Microsoft Azure cloud resources.

03 From the Subscription equals all filter box, select the Azure subscription that you want to access, and choose Apply.

04 From the Type equals all filter box, select Storage account and choose Apply to list the storage accounts provisioned in your Microsoft Azure account.

05 Click on the name (link) of the storage account that you want to configure.

06 In the resource navigation panel, under Settings, choose Configuration to access the configuration settings available for the selected storage account.

07 Select Disabled under Allow Blob anonymous access to disable public (anonymous) access to your blob containers at the storage account level. Choose Save to apply the configuration changes.

08 Repeat steps no. 5 – 7 for each Azure storage account available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run the az storage account update command (Windows/macOS/Linux) with the ID of the Azure storage account that you want to configure as the identifier parameter, to disable public (anonymous) access to all the blobs and containers available in the selected storage account:

az storage account update \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/abcdabcdabcd123412341234" \
  --allow-blob-public-access false

02 Repeat step no. 1 for each Azure storage account available in the current Azure subscription.

03 Repeat steps no. 1 and 2 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

Case B: To disable public (anonymous) access to specific containers within your Microsoft Azure storage account, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to view all your Microsoft Azure cloud resources.

03 From the Subscription equals all filter box, select the Azure subscription that you want to access, and choose Apply.

04 From the Type equals all filter box, select Storage account and choose Apply to list the storage accounts provisioned in your Microsoft Azure account.

05 Click on the name (link) of the storage account that you want to access.

06 In the resource navigation panel, under Data storage, choose Containers to access the blob containers provisioned in the selected storage account.

07 Select the container that you want to configure and choose Change access level.

08 On the Change access level configuration panel, select Private (no anonymous access) from the Anonymous access level dropdown list to disable anonymous access for the selected blob container. Choose Ok to confirm the configuration change.

09 Repeat steps no. 7 and 8 for all publicly accessible containers available in the selected Azure storage account.

10 Repeat steps no. 5 – 9 for each storage account available within the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run the az storage container set-permission command (Windows/macOS/Linux) with the name of the blob container that you want to configure as the identifier parameter, to disable public (anonymous) access to the selected blob container by setting the --public-access command parameter to off:

az storage container set-permission \
  --name cc-project5-container \
  --account-name abcdabcdabcd123412341234 \
  --public-access off

02 Repeat step no. 1 for all publicly accessible containers available in the selected Azure storage account.

03 Repeat steps no. 1 and 2 for each storage account available in the current Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.

Publication date Jun 12, 2019