
Disable public access to storage accounts with blob containers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-022

Ensure that public (anonymous) access is disabled for all the blob containers available within your Microsoft Azure storage accounts in order to protect your data against unauthorized access. Disabling public access at the storage account level overrides the public access setting configured for the individual blob containers in that storage account, so it is the single switch that guarantees no container in the account can be read anonymously. Storage accounts created since November 2023 have anonymous access disabled by default; older accounts, and accounts whose allowBlobPublicAccess property was never explicitly set, must be checked and remediated explicitly.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

When anonymous access is allowed, anyone who knows or guesses a container or blob URL can read that data with a plain, unauthenticated HTTP request: no Microsoft Entra ID token, storage account key or shared access signature (SAS) is involved, so there is no caller identity in the access logs and no credential to rotate or revoke. The storage account setting is the master switch: while it is Enabled, any principal with rights to change a container's access level (Blob or Container) can expose that container's data, and a container at the Container level additionally lets anonymous callers list every blob it holds. Trend Cloud One™ – Conformity strongly recommends disabling anonymous access at the storage account level for all your Azure storage accounts unless it is really required (for example, an account that intentionally serves public static assets), and setting every container to Private in addition, so the data stays protected even if the account-level switch is later re-enabled. To follow security best practices and keep your data safe and secure in Azure cloud, ensure that your blob containers are not publicly exposed.


Audit

To determine if your storage blob containers are publicly accessible, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to view all your Microsoft Azure cloud resources.

03 From the Subscription equals filter box, select the Azure account subscription that you want to examine.

04 From the Type equals filter box, select Storage account and choose Apply to list only the storage accounts provisioned in your Azure account.

05 Click on the name (link) of the storage account that you want to examine.

06 In the resource navigation panel, under Settings, choose Configuration to access the configuration settings available for the selected storage account.

07 Check the configuration value set for the Allow Blob public access setting (labeled Allow Blob anonymous access in newer versions of the portal). If the setting is Enabled, anonymous access is permitted at the account level: every container whose access level is Blob or Container can be read without credentials, and any principal able to change a container's access level can expose further containers. The selected storage account therefore fails this rule.

08 Repeat steps no. 5 – 7 for each storage account available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run az storage account list command (Windows/macOS/Linux) with custom query filters to describe the identifier (ID) of each storage account provisioned in the current subscription (the command is scoped to the subscription selected with az account set):

az storage account list \
  --query '[*].id'

02 The command output should return the requested storage account IDs:

[
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/abcdabcdabcd123412341234",
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/abcd1234abcd1234abcd1234"
]

03 Run az storage account show command (Windows/macOS/Linux) using the ID of the Azure storage account that you want to examine as the identifier parameter to describe the account-level anonymous access setting that governs the blob containers within the selected storage account:

az storage account show \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/abcdabcdabcd123412341234" \
  --query allowBlobPublicAccess

04 The command output should return the requested configuration status: true if anonymous access is allowed, false if it is disabled, or null if the property was never set (older accounts treated a never-set property as allowed, so null counts as enabled for this rule):

true

If the storage account show command output returns true (or null), as shown in the example above, anonymous access is permitted at the account level: every container whose access level is Blob or Container can be read without credentials, and anyone with rights to change a container's access level can expose more containers. The selected storage account therefore fails this rule. The account-level setting alone does not tell you which containers are currently exposed; for that, inspect each container's public access level (for example with az storage container list).

05 Repeat steps no. 3 and 4 for each storage account available within the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account (switch subscriptions with az account set --subscription <subscription ID>).
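The audit steps above are repeated per storage account and per subscription by hand. The script below is an added example, not part of the Conformity page, that automates the sweep and goes one step further than the account-level check: for every account where anonymous access is allowed it lists the containers whose access level is Blob or Container (the ones actually exposed) and confirms from the outside with an anonymous request. It assumes the az CLI (signed in) and curl; all account, container and subscription names are placeholders, and the decision logic is kept in a function that has no cloud dependency so it can be tested offline.

```shell
#!/bin/sh
# Added example, not part of the Conformity page: audit every subscription
# the signed-in identity can see, report the account-level setting, and
# name the containers that are actually exposed. Needs az (logged in) and
# curl. All account and container names below are placeholders.
set -eu

# Pure decision logic (no cloud calls), so it can be unit-tested offline.
#   $1 storage account name
#   $2 allowBlobPublicAccess as printed by `az ... -o tsv`: "true", "false",
#      or empty/None when the property was never set
#   $3 newline-separated "<container><TAB><level>" lines for containers whose
#      public access level is Blob or Container (empty when none)
classify_account() {
  local name="$1" flag="$2" exposed="$3"
  case "$(printf '%s' "$flag" | tr '[:upper:]' '[:lower:]')" in
    false)
      printf '%s\tCOMPLIANT\tanonymous access disabled at account level\n' "$name" ;;
    true|none|null|"")
      # Never-set (null) behaved like Enabled on older accounts, so it is
      # reported as non-compliant rather than unknown.
      if [ -z "$exposed" ]; then
        printf '%s\tNON_COMPLIANT\tallowed at account level, no container exposed yet\n' "$name"
      else
        printf '%s\tNON_COMPLIANT\tallowed at account level, exposed: %s\n' "$name" \
          "$(printf '%s' "$exposed" | tr '\t' '=' | tr '\n' ' ')"
      fi ;;
    *)
      printf '%s\tUNKNOWN\tunexpected allowBlobPublicAccess value %s\n' "$name" "$flag" ;;
  esac
}

# Outside-in confirmation: an anonymous GET of the container listing.
# 200 means anyone on the internet can enumerate the blobs (Container level);
# Blob-level containers refuse the listing but still serve blobs by URL.
probe_listing() {
  curl -s -o /dev/null -w '%{http_code}' \
    "https://$1.blob.core.windows.net/$2?restype=container&comp=list"
}

audit_subscription() {
  az account set --subscription "$1"
  az storage account list --query '[].[name,allowBlobPublicAccess]' -o tsv |
  while IFS="$(printf '\t')" read -r acct flag; do
    exposed=""
    if [ "$flag" != "false" ]; then
      # Container ACLs are a data-plane call: the default key-based auth
      # needs rights to list the account keys, or add --auth-mode login
      # with an identity holding Storage Blob Data Reader. Not fatal here.
      exposed=$(az storage container list --account-name "$acct" \
        --query '[?properties.publicAccess!=null].[name,properties.publicAccess]' \
        -o tsv 2>/dev/null || true)
    fi
    classify_account "$acct" "$flag" "$exposed"
    printf '%s\n' "$exposed" | while IFS="$(printf '\t')" read -r c lvl; do
      if [ -n "$c" ]; then
        printf '  probe %s/%s (%s): HTTP %s\n' "$acct" "$c" "$lvl" "$(probe_listing "$acct" "$c")"
      fi
    done
  done
}

audit_all() {
  az account list --query '[].id' -o tsv | while read -r sub; do
    audit_subscription "$sub"
  done
}

if [ "${1:-}" = "--run" ]; then audit_all; fi
```

Run it as sh audit.sh --run. The tab-separated output (account, verdict, detail) is meant to be fed into whatever tracks findings; the probe lines are the evidence a reviewer can reproduce with nothing but a browser. Accounts that report NON_COMPLIANT with no exposed container are still a finding, because the account-level switch is what allows a container to be exposed later.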

Remediation / Resolution

Case A: To disable public (anonymous) access to all the blob containers within your Microsoft Azure storage accounts, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to view all your Microsoft Azure cloud resources.

03 From the Subscription equals filter box, select the Azure account subscription that you want to examine.

04 From the Type equals filter box, select Storage account and choose Apply to list only the storage accounts provisioned in your Azure account.

05 Click on the name of the storage account that you want to reconfigure.

06 In the navigation panel, under Settings, choose Configuration to access the configuration settings available for the selected resource.

07 Select Disabled under Allow Blob public access (Allow Blob anonymous access in newer versions of the portal) to disable anonymous access to blob containers at the storage account level. Choose Save to apply the changes. This setting overrides the access level configured on every container in the account, so no container can be read anonymously while it is Disabled.

08 Repeat steps no. 5 – 7 for each storage account available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run az storage account update command (Windows/macOS/Linux) using the ID of the Azure storage account that you want to reconfigure as the identifier parameter, to disable public access to all blobs or containers in the selected storage account:

az storage account update \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/abcdabcdabcd123412341234" \
  --allow-blob-public-access false

02 Repeat step no. 1 for each storage account available in the current Azure subscription.

03 Repeat steps no. 1 and 2 for each subscription created in your Microsoft Azure cloud account.

Case B: To disable public access to certain containers within your Microsoft Azure storage account, perform the following operations. Note that this rule evaluates the account-level setting, so Case B on its own does not resolve the finding; use it where the account-level setting must stay Enabled for other containers, or as defense in depth alongside Case A so that data stays private even if the account-level setting is later re-enabled.

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to view all your Microsoft Azure cloud resources.

03 From the Subscription equals filter box, select the Azure account subscription that you want to examine.

04 From the Type equals filter box, select Storage account and choose Apply to list only the storage accounts provisioned in your Azure account.

05 Click on the name of the storage account that you want to access.

06 In the navigation panel, under Data storage, choose Containers to access the blob containers provisioned in your storage account.

07 Select the container that you want to reconfigure and choose Change access level.

08 On the Change access level configuration panel, select Private (no anonymous access) option from the Public access level dropdown list to disable anonymous access for the selected blob container. Choose Ok to confirm the change.

09 Repeat steps no. 7 and 8 for all publicly accessible containers available in the selected storage account.

10 Repeat steps no. 5 – 9 for each storage account available within the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run az storage container set-permission command (Windows/macOS/Linux) using the name of the blob container that you want to reconfigure as the identifier parameter, to set its "Public access level" configuration option to "Private (no anonymous access)". This is a data-plane operation: by default the CLI authenticates with the storage account key (which requires permission to list the account keys); alternatively add --auth-mode login and run it as an identity holding the Storage Blob Data Owner role on the account:

az storage container set-permission \
  --name cc-project5-container \
  --account-name abcdabcdabcd123412341234 \
  --public-access off

02 Repeat step no. 1 for all publicly accessible containers available in the selected storage account.

03 Repeat steps no. 1 and 2 for each storage account available in the current Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
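The Case A and Case B CLI steps above apply one change at a time. The script below is an added example, not part of the Conformity page, that turns them into a reviewable plan: for the current subscription it emits the az storage account update command for every account where anonymous access is allowed (Case A) and an az storage container set-permission command for every container that is actually exposed (Case B), so the plan can be read, trimmed and then executed. It assumes the az CLI (signed in); account, resource group and container names are placeholders, and the plan builder itself makes no cloud calls so it can be tested offline.

```shell
#!/bin/sh
# Added example, not part of the Conformity page: emit the az commands for
# Case A (account level) and Case B (container level) as a reviewable plan,
# then apply the plan with sh. Needs az (logged in). Names are placeholders.
set -eu

# Pure plan builder (no cloud calls), tested offline.
#   $1 storage account name, $2 resource group,
#   $3 allowBlobPublicAccess ("true"/"false"/empty when never set),
#   $4 newline-separated "<container><TAB><level>" lines (empty if none)
plan_remediation() {
  local name="$1" rg="$2" flag="$3" exposed="$4"
  if [ "$flag" != "false" ]; then
    # Case A: flip the account-level switch. A never-set (null) value is
    # treated like Enabled, so it gets the update as well.
    printf 'az storage account update --name %s --resource-group %s --allow-blob-public-access false\n' \
      "$name" "$rg"
  fi
  # Case B: also set every exposed container to Private, so the data stays
  # protected if someone later re-enables the account-level setting.
  printf '%s\n' "$exposed" | while IFS="$(printf '\t')" read -r container level; do
    if [ -n "$container" ]; then
      printf 'az storage container set-permission --account-name %s --name %s --public-access off   # was: %s\n' \
        "$name" "$container" "$level"
    fi
  done
}

# Build the plan for the current subscription from live data. Listing
# container ACLs is a data-plane call; it needs rights to list the account
# keys, or --auth-mode login with Storage Blob Data Reader.
plan_subscription() {
  az storage account list --query '[].[name,resourceGroup,allowBlobPublicAccess]' -o tsv |
  while IFS="$(printf '\t')" read -r acct rg flag; do
    exposed=""
    if [ "$flag" != "false" ]; then
      exposed=$(az storage container list --account-name "$acct" \
        --query '[?properties.publicAccess!=null].[name,properties.publicAccess]' \
        -o tsv 2>/dev/null || true)
    fi
    plan_remediation "$acct" "$rg" "$flag" "$exposed"
  done
}

# Usage: sh remediate.sh --plan > plan.sh ; review plan.sh ; sh plan.sh
if [ "${1:-}" = "--plan" ]; then plan_subscription; fi
```

Generating the plan first, rather than running the updates inside the loop, gives change control something to approve and lets you drop the lines for accounts that intentionally serve public content. Re-run the audit procedure after applying the plan; the account-level value should read false and no container should list anonymously.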


Publication date Oct 18, 2022