Ensure that public (anonymous) access is disabled for all the blob containers available within your Microsoft Azure storage accounts in order to protect your data against unauthorized access. Disabling public access at the storage account level overrides the public access setting configured for the individual blob containers in that storage account.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
A user who is able to access blob containers anonymously can use client constructors that don't require any credentials, such as shared access signatures, to read the data. Trend Cloud One™ – Conformity strongly recommends disabling anonymous access to all the blob containers provisioned within your Azure storage accounts, unless it is genuinely required. To follow security best practices and keep your data safe and secure in the Azure cloud, ensure that your blob containers are not publicly exposed.
Audit
To determine if your storage blob containers are publicly accessible, perform the following actions:
Remediation / Resolution
Case A: To disable public (anonymous) access to all the blob containers within your Microsoft Azure storage accounts, perform the following actions:
Case B: To disable public access to certain containers within your Microsoft Azure storage account, perform the following operations:
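The audit and both remediation cases above can be driven from the Azure CLI commands listed in the References. The following is an added example (not Conformity's own tooling and not code from this page) that evaluates the audit logic offline: it takes JSON shaped like the output of `az storage account list` and `az storage container list --account-name <name>`, applies the rule that an account-level `allowBlobPublicAccess: false` overrides every container's `publicAccess` setting, and emits the `az storage account update` (Case A) and `az storage container set-permission` (Case B) commands that would close each finding. The account names, resource groups and container names are constructed placeholders, and treating a `null` `allowBlobPublicAccess` as "not explicitly disabled" (so it is flagged for review) is this example's assumption.

```python
"""Offline audit of Azure blob container public access.

Added example, not Conformity or Azure code. The two JSON samples are constructed
to mirror the shape of `az storage account list` and
`az storage container list --account-name <name>` output; they were not captured
from a real subscription, and all names are placeholders.
"""
import json

# Constructed: one element per storage account, as `az storage account list` returns.
# allowBlobPublicAccess may be true, false or null.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stexample1", "resourceGroup": "rg-prod", "allowBlobPublicAccess": true},
  {"name": "stexample2", "resourceGroup": "rg-prod", "allowBlobPublicAccess": false},
  {"name": "stexample3", "resourceGroup": "rg-dev",  "allowBlobPublicAccess": null}
]
"""

# Constructed: per-account output of `az storage container list --account-name <name>`.
# properties.publicAccess is "container", "blob" or null (private).
SAMPLE_CONTAINERS_JSON = {
    "stexample1": """[
      {"name": "public-web",   "properties": {"publicAccess": "container"}},
      {"name": "images",       "properties": {"publicAccess": "blob"}},
      {"name": "private-data", "properties": {"publicAccess": null}}
    ]""",
    "stexample2": """[
      {"name": "legacy-public", "properties": {"publicAccess": "container"}}
    ]""",
    "stexample3": """[
      {"name": "scratch", "properties": {"publicAccess": null}}
    ]""",
}


def audit_accounts(accounts_json, containers_json_by_account):
    """Return one finding dict per issue: account-level findings have container=None.

    status values:
      account-allows-public  - account does not explicitly disable anonymous access (Case A)
      exposed                - container is anonymously readable right now (Case B)
      shielded-by-account    - container setting is public but overridden by the account
    """
    findings = []
    for acct in json.loads(accounts_json):
        name, rg = acct["name"], acct["resourceGroup"]
        allow = acct.get("allowBlobPublicAccess")
        # Only an explicit false disables anonymous access for the whole account.
        # Assumption of this example: null is "not explicitly disabled", so flag it.
        account_blocks = allow is False
        if not account_blocks:
            findings.append({
                "account": name, "container": None,
                "status": "account-allows-public",
                "detail": "allowBlobPublicAccess is %s" % json.dumps(allow),
                "remediation": (
                    f"az storage account update --name {name} "
                    f"--resource-group {rg} --allow-blob-public-access false"
                ),
            })
        for c in json.loads(containers_json_by_account.get(name, "[]")):
            level = c.get("properties", {}).get("publicAccess")
            if level is None:
                continue  # private container, nothing to report
            findings.append({
                "account": name, "container": c["name"],
                "status": "shielded-by-account" if account_blocks else "exposed",
                "detail": f"publicAccess={level}",
                # A shielded container needs no command: the account setting overrides it.
                "remediation": None if account_blocks else (
                    f"az storage container set-permission --name {c['name']} "
                    f"--account-name {name} --public-access off"
                ),
            })
    return findings


def remediation_commands(findings):
    """Deduplicated az commands for every finding that is currently reachable anonymously."""
    seen, cmds = set(), []
    for f in findings:
        cmd = f["remediation"]
        if cmd and cmd not in seen:
            seen.add(cmd)
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_ACCOUNTS_JSON, SAMPLE_CONTAINERS_JSON)
    for f in results:
        target = f["account"] if f["container"] is None else f"{f['account']}/{f['container']}"
        print(f"{f['status']:<22} {target:<28} {f['detail']}")
    print("\n# remediation")
    for cmd in remediation_commands(results):
        print(cmd)
```

Containers reported as `shielded-by-account` are not anonymously readable today, but their own `publicAccess` setting is still public; they are worth listing because re-enabling public access at the account level would expose them immediately without any further change to the containers. In a real run, replace the constructed JSON with the output of the `az storage account list` and `az storage container list` commands from the References, run under an identity that can read the accounts.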
References
- Azure Official Documentation
  - Configure anonymous public read access for containers and blobs
  - Remediate anonymous public read access to blob data (Azure Resource Manager deployments)
- Azure Command Line Interface (CLI) Documentation
  - az
  - az storage account list
  - az storage container list
  - az storage container show
  - az storage container set-permission
  - az storage account show
  - az storage account update