Disable Anonymous Access to Storage Accounts with Blob Containers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-022

Ensure that the public (anonymous) access to blob containers is disabled at the Azure Storage account level in order to protect your data against unauthorized access. Disabling public access at the storage account level overrides the public access setting configured for the individual blob containers in that storage account.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

To follow security best practices and keep your blob data safe and secure in Azure cloud, ensure that your Azure Storage blob containers are not publicly exposed. Trend Cloud One™ – Conformity strongly recommends disabling anonymous access to all the blob containers provisioned within your Azure storage account, unless absolutely necessary.


Audit

To determine whether public access to blob containers is disabled at the storage account level, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the storage account that you want to examine.

06 In the resource navigation panel, under Settings, choose Configuration to access the configuration settings available for the selected storage account.

07 Check the Allow Blob anonymous access configuration setting value to determine if the blob anonymous access is enabled for the selected storage account. If Allow Blob anonymous access is set to Enabled, all container and blob data can be read by anonymous users. As a result, the public access to the blob containers within the selected Azure Storage account is not disabled at the storage account level.

08 Repeat steps no. 5 – 7 for each Azure Storage account available in the selected subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription as the current active subscription (the command does not produce any output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the storage account list command (Windows/macOS/Linux) with custom output filters to list the identifier (ID) of each storage account provisioned in the selected Azure subscription:

az storage account list \
	--query '[*].id'

05 The command output should return the requested storage account IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/blobdatastorageaccount",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/cloudaistorageaccount"
]

06 Run the storage account show command (Windows/macOS/Linux) with the ID of the Azure Storage account that you want to examine as the identifier parameter, to determine whether public (anonymous) access is enabled for all the blob containers in the selected storage account:

az storage account show \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/blobdatastorageaccount" \
	--query allowBlobPublicAccess

07 The command output should return the Allow Blob anonymous access setting status (true for enabled, false for disabled):

true

If the storage account show command output returns true, as shown in the example above, all container and blob data can be read by anonymous users. As a result, the public access to the blob containers in the selected Azure Storage account is not disabled at the storage account level.

08 Repeat steps no. 6 and 7 for each Azure Storage account available in the selected subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To disable public access to all the blob containers available within your Microsoft Azure Storage account, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the storage account that you want to configure.

06 In the resource navigation panel, under Settings, choose Configuration to access the configuration settings available for the selected storage account.

07 Select Disabled under Allow Blob anonymous access to disable public access to all the blob containers in the selected Azure Storage account (i.e., disable blob anonymous access at the storage account level). Choose Save to apply the configuration changes.

08 Repeat steps no. 5 – 7 for each Azure Storage account available within the selected subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription as the current active subscription (the command does not produce any output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the storage account update command (Windows/macOS/Linux) with the ID of the Microsoft Azure Storage account that you want to configure as the identifier parameter, to disable public (anonymous) access to all the blob containers available in the selected storage account:

az storage account update \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/blobdatastorageaccount" \
	--allow-blob-public-access false

05 The command output should return the configuration information available for the modified storage account:

{
	"accessTier": "Hot",
	"accountMigrationInProgress": null,
	"allowBlobPublicAccess": false,
	"allowCrossTenantReplication": false,
	"allowSharedKeyAccess": true,
	"allowedCopyScope": null,
	"azureFilesIdentityBasedAuthentication": null,
	"blobRestoreStatus": null,
	"customDomain": null,
	"defaultToOAuthAuthentication": false,
	"dnsEndpointType": "Standard",
	"enableExtendedGroups": null,
	"enableHttpsTrafficOnly": true,
	"enableNfsV3": null,
	"extendedLocation": null,
	"geoReplicationStats": null,

	...

	"primaryLocation": "westeurope",
	"privateEndpointConnections": [],
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Enabled",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"routingPreference": null,
	"sasPolicy": null,
	"secondaryEndpoints": null,
	"secondaryLocation": "northeurope",
	"sku": {
		"name": "Standard_GRS",
		"tier": "Standard"
	},
	"statusOfPrimary": "available",
	"statusOfSecondary": "available",
	"storageAccountSkuConversionStatus": null,
	"tags": {},
	"type": "Microsoft.Storage/storageAccounts"
}

06 Repeat steps no. 4 and 5 for each Azure storage account available in the selected Azure subscription.

07 Repeat steps no. 3 – 6 for each Azure subscription created in your Microsoft Azure cloud account.
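The Audit and Remediation CLI procedures above can be combined into one script that walks every subscription, flags each storage account whose allowBlobPublicAccess is not explicitly false, and prints the matching storage account update command for it. This is an added example, not part of the Conformity rule or the Azure CLI; it assumes az is installed and logged in, and it treats a null allowBlobPublicAccess (the property was never set) as a finding too, a conservative choice of this script rather than something the rule states. The SAMPLE_ACCOUNTS data is constructed with placeholder names so evaluate() can be exercised offline.

```python
import json
import subprocess

# Constructed sample in the shape of `az storage account list` output; the
# subscription, resource group and account names are placeholders.
ID_PREFIX = ("/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/"
             "rg-sample/providers/Microsoft.Storage/storageAccounts/")
SAMPLE_ACCOUNTS = [
    {"id": ID_PREFIX + "openblobs", "name": "openblobs", "allowBlobPublicAccess": True},
    {"id": ID_PREFIX + "lockedblobs", "name": "lockedblobs", "allowBlobPublicAccess": False},
    {"id": ID_PREFIX + "legacyblobs", "name": "legacyblobs", "allowBlobPublicAccess": None},
]


def evaluate(accounts):
    """Audit steps 06-07 over a list of accounts: return one finding per account
    whose allowBlobPublicAccess is not explicitly false. A null value (property
    never set) is reported as well, since anonymous access is then not explicitly
    disabled at the account level. Each finding carries the remediation command."""
    findings = []
    for acct in accounts:
        value = acct.get("allowBlobPublicAccess")
        if value is not False:
            findings.append({
                "id": acct["id"], "name": acct.get("name"),
                "allowBlobPublicAccess": value,
                "fix": 'az storage account update --ids "%s" '
                       "--allow-blob-public-access false" % acct["id"],
            })
    return findings


def az(*args):
    """Run one az CLI command and parse its JSON output (az must be on PATH)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def main():
    """Audit steps 01-05 for every subscription; print findings and fix commands."""
    for sub in az("account", "list", "--query", "[*].id"):
        az("account", "set", "--subscription", sub)
        for f in evaluate(az("storage", "account", "list")):
            print(f"{sub} {f['name']} allowBlobPublicAccess={f['allowBlobPublicAccess']}")
            print(f"  remediate: {f['fix']}")


if __name__ == "__main__":
    main()
```

The script only prints the update commands; review the list before running them, since some workloads may depend on anonymous access.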

Publication date Jun 12, 2019