
Disable Anonymous Access to Blob Containers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-006

Ensure that the "Public access level" configuration setting is set to "Private (no anonymous access)" for all blob containers in your storage account in order to block anonymous access to these Microsoft Azure resources.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

A user who accesses a blob container anonymously can do so through client constructors that require no credentials at all, not even a shared access signature. Cloud Conformity strongly recommends disabling anonymous access to all blob containers provisioned within your storage account, unless it is really required. Also, to adhere to Azure cloud security best practices, a shared access signature (SAS) token should be used to provide controlled and time-limited access to your blob containers.

Audit

To determine if anonymous access to Azure Storage blob containers is disabled, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name (link) of the Azure Storage account that you want to examine.

04 In the navigation panel, under Blob service, click Blobs to access the blob containers provisioned in your storage account.

05 On the Blobs page, choose the container that you want to examine and check the configuration value available in the PUBLIC ACCESS LEVEL column. If the configuration value is set to Container, all container and blob data can be read by anonymous request (a value of Blob still allows anonymous read access to the blobs themselves), therefore anonymous access to the selected Azure Storage blob container is not disabled.

06 Repeat step no. 5 for each blob container provisioned in the selected storage account.

07 Repeat steps no. 3 – 6 for each storage account available within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run storage account list command (Windows/macOS/Linux) using custom query filters to describe the identifier for each storage account available in the current Azure subscription:

az storage account list 
	--query '[*].name'

02 The command output should return the requested storage account names:

[
  "abcdabcdabcd123412341234",
  "abcd1234abcd1234abcd1234"
]

03 Run storage container list command (Windows/macOS/Linux) using the name of the storage account that you want to examine as identifier parameter and custom query filters to list the containers available in the selected storage account:

az storage container list
	--account-name abcdabcdabcd123412341234
	--query '[*].name'

04 The command output should return the name of the blob containers within the specified storage account:

[
  "cc-project5-container",
  "cc-staging-container"
]

05 Run storage container show command (Windows/macOS/Linux) using the name of the blob container that you want to examine as identifier parameter to expose the public access level set for the selected container:

az storage container show
	--name cc-project5-container
	--account-name abcdabcdabcd123412341234
	--query 'properties.publicAccess'

06 The command output should return the name of the configured public access level. There are three levels of public access: Private (no anonymous access), Blob (anonymous read access for blobs only) and Container (anonymous read access for containers and blobs):

"container"

If the storage container show command output returns "container", as shown in the example above, the data available in the selected blob container can be read by anonymous request, therefore anonymous access to the selected Azure Storage blob container is not disabled. An output of "blob" likewise means anonymous read access to the blobs is still enabled; only a null (empty) value corresponds to Private (no anonymous access).

07 Repeat step no. 5 and 6 for each container provisioned in the selected storage account.

08 Repeat steps no. 3 – 7 for each storage account available within the selected subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To disable anonymous access to blob containers within your Microsoft Azure Storage accounts, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name (link) of the Azure Storage account that you want to access.

04 In the navigation panel, under Blob service, click Blobs to access the blob containers provisioned in your storage account.

05 On the Blobs page, select the container that you want to reconfigure (see Audit section part I to identify the right resource), then click Change access level button from the blade top menu.

06 On the Change access level configuration panel, select Private (no anonymous access) option from the Public access level dropdown list to disable anonymous access for the selected blob container. Click Ok to confirm the change.

07 Repeat step no. 5 and 6 for all publicly accessible containers available in the selected storage account.

08 Repeat steps no. 3 – 7 for each storage account available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run storage container set-permission command (Windows/macOS/Linux) using the name of the blob container that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource) to disable anonymous access to the selected blob container by setting the "Public access level" configuration option to "Private (no anonymous access)":

az storage container set-permission
	--name cc-project5-container
	--account-name abcdabcdabcd123412341234
	--public-access off

02 Repeat step no. 1 for all publicly accessible containers available in the selected storage account.

03 Repeat step no. 1 and 2 for each storage account available in the current Azure subscription.

04 Repeat step no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
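The CLI audit (steps 3 to 7 of the Audit section) and the remediation command above can be combined into a small script. The following is an added example, not part of the Conformity article or the az CLI itself: it parses the JSON that `az storage container list` returns, flags every container whose public access level is "blob" or "container" (Private is reported as null), and builds the matching `set-permission` command. The sample JSON and the account/container names are constructed for illustration; `audit_account` only calls `az` when no JSON is supplied.

```python
"""Audit Azure blob containers for anonymous access from az CLI output (added example)."""
import json
import shlex
import subprocess

# Constructed sample of `az storage container list --account-name <acct> --output json`.
# Field names follow the az CLI output the article queries (properties.publicAccess).
SAMPLE_LIST_OUTPUT = json.dumps([
    {"name": "cc-project5-container", "properties": {"publicAccess": "container"}},
    {"name": "cc-staging-container", "properties": {"publicAccess": None}},
    {"name": "cc-reports-container", "properties": {"publicAccess": "blob"}},
])

ANON_LEVELS = {
    "blob": "anonymous read access for blobs only",
    "container": "anonymous read access for containers and blobs",
}


def find_anonymous_containers(list_output):
    """Return [(name, level)] for each container whose public access level is not Private.
    az reports Private (no anonymous access) as null, so only 'blob' and 'container' are findings."""
    findings = []
    for container in json.loads(list_output):
        level = (container.get("properties") or {}).get("publicAccess")
        if level is None:
            continue  # Private: compliant with StorageAccounts-006
        findings.append((container["name"], level.lower()))
    return findings


def remediation_command(account_name, container_name):
    """Build the article's set-permission command that disables anonymous access."""
    return ("az storage container set-permission --name " + shlex.quote(container_name)
            + " --account-name " + shlex.quote(account_name) + " --public-access off")


def audit_account(account_name, list_output=None):
    """Audit one storage account. Runs az unless the list JSON is supplied (offline mode)."""
    if list_output is None:
        list_output = subprocess.run(
            ["az", "storage", "container", "list", "--account-name", account_name,
             "--output", "json"], check=True, capture_output=True, text=True).stdout
    return [(name, level, remediation_command(account_name, name))
            for name, level in find_anonymous_containers(list_output)]


if __name__ == "__main__":
    for name, level, cmd in audit_account("abcdabcdabcd123412341234", SAMPLE_LIST_OUTPUT):
        print(f"{name}: {level} ({ANON_LEVELS.get(level, 'unknown level')})\n  fix: {cmd}")
```

Run `audit_account("<your-account>")` without the second argument to audit a real account with a signed-in az CLI; review the generated commands before executing them, since some containers may intentionally serve public content.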

Publication date Jun 12, 2019
