Control: 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible
Description
The storage account container containing the activity log export should not be publicly accessible.
Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.
Remediation
From Console
- In the Azure portal, search for Storage Accounts to open the Storage accounts blade.
- Click the storage account name.
- Under Data storage in the side bar, click Containers. The next blade lists all containers in the account.
- Find the container named insights-operational-logs, which holds the activity log export.
- Open Access Policy from the container's context menu and set Public access level to Private (no anonymous access).
From Command Line
az storage container set-permission --name insights-operational-logs --account-name <Storage Account Name> --public-access off
Note: By default, public access is set to null (private access only) on the container created for an activity log export, so an alarm on this control means someone changed the access level after the fact. Disabling Allow Blob public access on the storage account itself (az storage account update --allow-blob-public-access false) blocks anonymous access to every container in the account regardless of the per-container level, and is the stronger setting where nothing in the account is meant to be public.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v130_5_1_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v130_5_1_3 --share
SQL
This control uses a named query:
select
  sc.id as resource,
  case
    when sc.public_access != 'None' then 'alarm'
    else 'ok'
  end as status,
  case
    when sc.public_access != 'None' then sc.account_name || ' container insights-operational-logs storing activity logs publicly accessible.'
    else sc.account_name || ' container insights-operational-logs storing activity logs not publicly accessible.'
  end as reason,
  sc.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_storage_container sc,
  azure_subscription sub
where
  sc.name = 'insights-operational-logs'
  and sub.subscription_id = sc.subscription_id;
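The same evaluation applied to az CLI output rather than to the Steampipe table, covering both the Remediation steps above and the named query. This is an added example and is not part of the Powerpipe control, the CIS benchmark or the az CLI. One detail it exists to handle: the Steampipe column public_access carries the ARM values 'None', 'Blob' and 'Container', which is why the query compares against 'None', while az storage container list reports the data-plane values null, "blob" and "container", so a script that copies the query's string comparison onto CLI output would never alarm. The input shape (a JSON array of objects with name and properties.publicAccess, and an account-level allowBlobPublicAccess flag) is an assumption about the CLI's JSON output; the account names and listings are constructed samples, not real Azure data.

```python
"""Evaluate CIS Azure 5.1.3 against `az storage container list -o json` output.

Added example, not code from the Powerpipe azure_compliance mod or from the CIS
benchmark. The JSON shape (objects with `name` and `properties.publicAccess`)
is an assumption about the az CLI output; check it against your CLI version.
"""
import json
import shlex

LOG_CONTAINER = "insights-operational-logs"

# Spellings of "no anonymous access" seen from the ARM API / Steampipe ('None'),
# the data-plane CLI (null or "off") and the portal ("Private"). Everything
# else ("blob", "container", "Blob", "Container") exposes data anonymously.
_PRIVATE = {"", "none", "off", "private"}


def is_public(public_access):
    """True when the level allows anonymous reads of blobs or container listing."""
    if public_access is None:
        return False
    return str(public_access).strip().lower() not in _PRIVATE


def evaluate(account_name, containers, allow_blob_public_access=True):
    """Return (status, reason) using the same vocabulary as the control's SQL.

    `containers` is the parsed JSON from `az storage container list`.
    `allow_blob_public_access` mirrors the storage account property of that
    name (assumed field name); when it is False, Azure refuses anonymous
    requests regardless of the container ACL, so the container-level finding
    is downgraded to ok.
    """
    for c in containers:
        if c.get("name") != LOG_CONTAINER:
            continue
        level = c.get("properties", {}).get("publicAccess")
        if is_public(level) and allow_blob_public_access:
            return ("alarm", f"{account_name} container {LOG_CONTAINER} storing activity logs "
                             f"publicly accessible (publicAccess={level}).")
        return ("ok", f"{account_name} container {LOG_CONTAINER} storing activity logs "
                      f"not publicly accessible.")
    return ("skip", f"{account_name} has no container named {LOG_CONTAINER}.")


def remediation_command(account_name):
    """The az command from the Remediation section, with the account name shell-quoted."""
    return ("az storage container set-permission --name " + LOG_CONTAINER
            + " --account-name " + shlex.quote(account_name) + " --public-access off")


# Constructed sample listings (not real Azure output): one account whose log
# container allows anonymous blob reads, one whose container is private.
SAMPLE_LISTINGS = {
    "stlogsprod001": json.loads('''[
        {"name": "insights-operational-logs", "properties": {"publicAccess": "blob", "leaseStatus": "unlocked"}},
        {"name": "backups", "properties": {"publicAccess": null}}
    ]'''),
    "stlogsdev001": json.loads('''[
        {"name": "insights-operational-logs", "properties": {"publicAccess": null}}
    ]'''),
}


def run(listings=SAMPLE_LISTINGS):
    """Evaluate every account, print findings, and return {account: status}."""
    results = {}
    for account, containers in listings.items():
        status, reason = evaluate(account, containers)
        results[account] = status
        print(f"{status:5} {reason}")
        if status == "alarm":
            print("      fix: " + remediation_command(account))
    return results


if __name__ == "__main__":
    run()
```

To run it against a real subscription, replace SAMPLE_LISTINGS with the parsed output of az storage container list --account-name <name> -o json for each account, and pass the account's allowBlobPublicAccess value from az storage account show into evaluate so an account that already blocks anonymous access is not reported twice.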