Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: Ensure that 'Public access level' is set to Private for blob containers

Description

Disable anonymous access to blob containers and disallow blob public access on storage account.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.storage_account_blob_containers_public_access_disabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.storage_account_blob_containers_public_access_disabled --share

SQL

This control uses a named query:

select
  container.id as resource,
  case
    when not account.allow_blob_public_access and container.public_access = 'None' then 'ok'
    else 'alarm'
  end as status,
  case
    when not account.allow_blob_public_access and container.public_access = 'None'
      then account.name || ' container ' || container.name || ' doesn''t allow anonymous access.'
    else account.name || ' container ' || container.name || ' allows anonymous access.'
  end as reason
  
  , container.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_storage_container container
  left join azure_storage_account account on container.account_name = account.name
  left join azure_subscription sub on sub.subscription_id = account.subscription_id;

Tags

service = Azure/Storage