Control: 3.5 Ensure that 'Public access level' is set to Private for blob containers
Description
Disable anonymous access to blob containers and disallow blob public access on storage account.
Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on the storage account, it’s recommended to set allowBlobPublicAccess false.
Remediation
From Console
First, follow Microsoft documentation and create shared access signature tokens for your blob containers. Then,
- Login to Azure Storage Accounts
- For each storage account, go to Containers under DATA STORAGE
- Select the container, click Access policy
- Set Change access level in top bar, to Private (no anonymous access)
- For each storage account overview page, under Blob Service, check the value set
- Click on selected storage account Configuration under settings section of left bar
- Set Disabled if no anonymous access is needed on the storage account
- Click Save
From Command Line
- Identify the container name from the audit command
- Set the permission for public access to private (off) for the above container name, using the below command:
az storage container set-permission --name <containerName> --public-access off --account-name <accountName> --account-key <accountKey>
- Set Disabled if no anonymous access is wanted on the storage account:
az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access false
Note: By default, Public access level is set to Private (no anonymous access) for blob containers. By default, AllowBlobPublicAccess is set to Null (allow in effect) for storage account.
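The two settings above interact: the container-level access level says what anonymous callers may read, and the account-level AllowBlobPublicAccess switch decides whether that container setting takes effect at all (Null counts as allowed, as the note states). The following Python is an added example, not Powerpipe's or Turbot's code, that evaluates constructed records in the shape of `az storage account show` (allowBlobPublicAccess) and `az storage container list` (properties.publicAccess) output, flags containers that fail this control, reports whether each one is actually reachable anonymously given its account setting, and emits the remediation commands from the page with placeholder values. The field names are assumptions about the CLI's JSON output; the sample data is constructed.

```python
import json

# Constructed sample resembling `az storage account show --output json`
# (only the field this control needs). Assumption: allowBlobPublicAccess is
# null when the property was never set, which the page treats as "allow".
SAMPLE_ACCOUNTS = {
    "stlegacy": {"allowBlobPublicAccess": None},
    "stlocked": {"allowBlobPublicAccess": False},
}

# Constructed sample resembling `az storage container list --account-name <name>`
# output per account (only the fields needed). Assumption: properties.publicAccess
# is "container", "blob", or null (private).
SAMPLE_CONTAINERS = {
    "stlegacy": json.loads("""
        [
          {"name": "public-site", "properties": {"publicAccess": "container"}},
          {"name": "downloads",   "properties": {"publicAccess": "blob"}},
          {"name": "backups",     "properties": {"publicAccess": null}}
        ]"""),
    "stlocked": json.loads("""
        [
          {"name": "exports", "properties": {"publicAccess": "blob"}}
        ]"""),
}


def anonymous_access_effective(allow_blob_public_access, container_public_access):
    """True if anonymous reads actually succeed for the container.

    An explicit account-level False blocks anonymous access regardless of the
    container setting; None (never set) and True let the container setting rule.
    """
    if allow_blob_public_access is False:
        return False
    return container_public_access in ("container", "blob")


def evaluate(accounts, containers_by_account):
    """Return one finding per container: control status plus real exposure.

    status is "alarm" whenever the container access level is not private
    (the control's criterion); exposed says whether anonymous reads currently
    work, so an account already switched to Disabled is a lower-priority alarm.
    """
    findings = []
    for account, containers in containers_by_account.items():
        allow = accounts[account]["allowBlobPublicAccess"]
        for c in containers:
            level = c["properties"]["publicAccess"]
            findings.append({
                "account": account,
                "container": c["name"],
                "level": level,
                "status": "ok" if level is None else "alarm",
                "exposed": anonymous_access_effective(allow, level),
            })
    return findings


def remediation_commands(accounts, findings):
    """Build the page's two remediation commands for every failing resource.

    <accountKey> and <resource-group> are left as placeholders on purpose; a
    real run would supply them (or use a signed-in identity) outside this script.
    """
    cmds = []
    for f in findings:
        if f["status"] == "alarm":
            cmds.append(
                f"az storage container set-permission --name {f['container']} "
                f"--public-access off --account-name {f['account']} "
                f"--account-key <accountKey>"
            )
    for account, props in accounts.items():
        # None ("allow in effect") and True both need the explicit false.
        if props["allowBlobPublicAccess"] is not False:
            cmds.append(
                f"az storage account update --name {account} "
                f"--resource-group <resource-group> --allow-blob-public-access false"
            )
    return cmds


if __name__ == "__main__":
    results = evaluate(SAMPLE_ACCOUNTS, SAMPLE_CONTAINERS)
    for f in results:
        print(f"{f['status']:5} {f['account']}/{f['container']:12} "
              f"level={f['level']} exposed={f['exposed']}")
    print("\nRemediation:")
    for cmd in remediation_commands(SAMPLE_ACCOUNTS, results):
        print("  " + cmd)
```

Against the constructed data the container `exports` fails the control but is not exposed, because its account already has AllowBlobPublicAccess set to false; the two containers on `stlegacy` are exposed because that account still has the null default. Fixing the account switch first closes the exposure for every container at once, after which the container-level changes bring each one into compliance with the control itself.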
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v140_3_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v140_3_5 --share
SQL
This control uses a named query:
storage_account_blob_containers_public_access_private