Control: 5.1.3 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
Description
The storage account container containing the activity log export should not be publicly accessible.
Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Search for Storage Accounts to access the Storage account blade.
- Click on the storage account name.
- Click on Configuration under Settings.
- Select Enabled under "Allow Blob public access".
From Azure CLI
az storage container set-permission --name insights-activity-logs --account-name <Storage Account Name> --sas-token <SAS token> --public-access off
From PowerShell
Create a new storage account context for the storage account holding the insights-activity-logs container, making sure to use a valid Shared Access Signature (SAS) token:
$context = New-AzStorageContext -StorageAccountName <storage account name> -SasToken "<SAS token>"
Change the insights-activity-logs container public access to off:
Set-AzStorageContainerAcl -Context $context -Name "insights-activity-logs" -Permission Off -PassThru
Default Value
By default, public access is set to null (allowing only private access) for a container with activity log export.
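The remediation above works at two levels: the container ACL (`--public-access off` / `-Permission Off`) and the account-wide "Allow Blob public access" switch, and the default value section notes that a null container ACL already means private. The following checker, added here as an illustration and not part of the Powerpipe mod or the CIS benchmark text, evaluates constructed container records shaped like `az storage container show` output (the `properties.publicAccess` field, which is null, "blob" or "container") together with an assumed `allowBlobPublicAccess` flag copied from the owning account. It treats null and "off" as equivalent, reports a container as non-compliant whenever its own ACL is not private, and separately notes whether anonymous reads are actually possible right now, which they are not when the account-level switch is off. It also emits the page's CLI remediation line for each finding.

```python
import json

# Constructed sample data. The record shape (name, properties.publicAccess) follows
# `az storage container show`; `account` and `allowBlobPublicAccess` are assumed to
# have been joined in from the owning storage account. All names are made up.
SAMPLE_CONTAINERS_JSON = """
[
  {"account": "stlogsprod001", "allowBlobPublicAccess": true,
   "name": "insights-activity-logs", "properties": {"publicAccess": "blob"}},
  {"account": "stlogsprod002", "allowBlobPublicAccess": false,
   "name": "insights-activity-logs", "properties": {"publicAccess": "container"}},
  {"account": "stlogsprod003", "allowBlobPublicAccess": true,
   "name": "insights-activity-logs", "properties": {"publicAccess": null}},
  {"account": "stlogsprod004", "allowBlobPublicAccess": true,
   "name": "other-data", "properties": {"publicAccess": "container"}}
]
"""

# Container name that the activity log export writes to (from the control text).
ACTIVITY_LOG_CONTAINER = "insights-activity-logs"


def container_acl(container):
    """Normalise the container ACL: null (the default) and 'off' both mean private."""
    level = (container.get("properties") or {}).get("publicAccess")
    if level is None:
        return "off"
    return str(level).lower()


def evaluate(container):
    """Evaluate one container against CIS 5.1.3.

    Returns a dict with:
      status                    'skip' (not the activity log container), 'ok' or 'alarm'
      anonymous_reads_possible  True only if the ACL is public AND the account switch is on
    """
    if container.get("name") != ACTIVITY_LOG_CONTAINER:
        return {"status": "skip", "anonymous_reads_possible": False,
                "reason": "not the activity log export container"}

    acl = container_acl(container)
    # The account-level switch is a second gate; if it is off, a public ACL is
    # latent rather than live exposure, but the ACL itself still fails the control.
    account_allows = bool(container.get("allowBlobPublicAccess", True))
    exposed = acl != "off" and account_allows

    if acl == "off":
        return {"status": "ok", "anonymous_reads_possible": False,
                "reason": "container ACL is private"}
    return {"status": "alarm", "anonymous_reads_possible": exposed,
            "reason": f"container ACL is '{acl}'; account allows public access: {account_allows}"}


def remediation_command(container):
    """Build the CLI remediation from the control text for a failing container."""
    return (f"az storage container set-permission --name {container['name']} "
            f"--account-name {container['account']} --sas-token <SAS token> "
            f"--public-access off")


def find_noncompliant(containers_json):
    """Return (account, anonymous_reads_possible, remediation) for each failing container."""
    findings = []
    for c in json.loads(containers_json):
        result = evaluate(c)
        if result["status"] == "alarm":
            findings.append((c["account"], result["anonymous_reads_possible"],
                             remediation_command(c)))
    return findings


if __name__ == "__main__":
    for account, live, fix in find_noncompliant(SAMPLE_CONTAINERS_JSON):
        print(f"{account}: alarm (anonymous reads possible now: {live})")
        print(f"  fix: {fix}")
```

Running the block against the sample flags stlogsprod001 (live exposure) and stlogsprod002 (public ACL masked by the account switch, still non-compliant), passes stlogsprod003 because its null ACL is private, and ignores the unrelated container.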
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v200_5_1_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v200_5_1_3 --share
SQL
This control uses a named query:
monitor_logs_storage_container_insights_activity_logs_not_public_accessible