Control: 4.17 Ensure that `Allow Blob Anonymous Access` is set to `Disabled`
Description
The Azure Storage setting ‘Allow Blob Anonymous Access’ (aka "allowBlobPublicAccess") controls whether anonymous access is allowed for blob data in a storage account. When this property is set to True, it enables public read access to blob data, which can be convenient for sharing data but may carry security risks. When set to False, it disallows public access to blob data, providing a more secure storage environment.
If "Allow Blob Anonymous Access" is enabled, blobs can be accessed by adding the blob name to the URL to see the contents. An attacker can enumerate a blob using methods, such as brute force, and access them.
Exfiltration of data by brute force enumeration of items from a storage account may occur if this setting is set to 'Enabled'.
Remediation
From Azure Portal
- Go to
Storage Accounts. - For each storage account, under
Settings, clickConfiguration. - Set
Allow Blob Anonymous AccesstoDisabled. - Click
Save.
From Powershell
For every storage account in scope, run the following:
$storageAccount = Get-AzStorageAccount -ResourceGroupName "<yourResourceGroup>" -Name "<yourStorageAccountName>"$storageAccount.AllowBlobPublicAccess = $falseSet-AzStorageAccount -InputObject $storageAccount
Default Value
Disabled
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v300_4_17Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v300_4_17 --shareSQL
This control uses a named query:
select container.id as resource, case when not account.allow_blob_public_access and container.public_access = 'None' then 'ok' else 'alarm' end as status, case when not account.allow_blob_public_access and container.public_access = 'None' then account.name || ' container ' || container.name || ' doesn''t allow anonymous access.' else account.name || ' container ' || container.name || ' allows anonymous access.' end as reason , container.resource_group as resource_group , sub.display_name as subscriptionfrom azure_storage_container container join azure_storage_account account on container.account_name = account.name join azure_subscription sub on sub.subscription_id = account.subscription_id;