More Info:

Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers.

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, ISO27001, GDPR, CISAZURE, CBP, NISTCSF

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the issue of Blob Containers Allowing Public Access in Azure:
  1. Login to your Azure portal (https://portal.azure.com/).
  2. Navigate to the storage account that contains the Blob Container that has public access enabled.
  3. Click on the Blob Container that has public access enabled.
  4. Click on the “Access Policy” option from the left-hand menu.
  5. From the “Public access level” dropdown, select the option “Private (no anonymous access)”.
  6. Click on the “Save” button to save the changes.
  7. Repeat the above steps for all Blob Containers that have public access enabled.
By following the above steps, you have successfully remediated the issue of Blob Containers Allowing Public Access in Azure.

The following are the step-by-step instructions to remediate the misconfiguration of Blob Containers Allowing Public Access in AZURE using AZURE CLI:
  1. Open the AZURE CLI in your terminal or command prompt.
  2. Login to your AZURE account using the following command: 
    az login
  3. Once you are logged in, you need to identify the storage account that has the Blob Containers Allowing Public Access. You can list all the storage accounts in your subscription using the following command: 
    az storage account list
  4. From the list of storage accounts, identify the one that has the Blob Containers Allowing Public Access and make a note of its name.
  5. Next, you need to list all the containers within the storage account using the following command: 
    az storage container list --account-name <storage-account-name> --query "[].name"
    Replace <storage-account-name> with the name of the storage account that you identified in step 4.
  6. From the list of containers, identify the one that has public access and make a note of its name.
  7. To revoke public access to the container, you need to set the access level of the container to private using the following command: 
    az storage container set-permission --account-name <storage-account-name> --name <container-name> --public-access off
    Replace <storage-account-name> with the name of the storage account that you identified in step 4 and <container-name> with the name of the container that you identified in step 6.
  8. Once you have executed the above command, public access to the container will be revoked and only authorized users will be able to access it.
  9. Verify that the public access has been revoked by listing the container again using the command in step 5. The output should show that the access level of the container is private.
By following these steps, you can remediate the misconfiguration of Blob Containers Allowing Public Access in AZURE using AZURE CLI.
To remediate the issue of Blob Containers Allowing Public Access in Azure using Python, you can use the Azure Storage SDK for Python. Here are the steps to follow:
  1. Install the Azure Storage SDK for Python using the following command: 
    pip install azure-storage-blob
  2. Use the following code to get a list of all the containers in your storage account: 
    from azure.storage.blob import BlobServiceClient

connection_string = "<your_connection_string>"
blob_service_client = BlobServiceClient.from_connection_string(connection_string)

container_names = []
containers = blob_service_client.list_containers()
for container in containers:
    container_names.append(container.name)
  3. Once you have a list of all the containers, you can iterate over them and set the public access level to None using the following code: 
    from azure.storage.blob import PublicAccess

for container_name in container_names:
    container_client = blob_service_client.get_container_client(container_name)
    container_client.set_container_access_policy(PublicAccess.None, public_access_duration=None)
  4. Finally, you can check if the public access has been removed by using the following code: 
    for container_name in container_names:
    container_client = blob_service_client.get_container_client(container_name)
    container_properties = container_client.get_container_properties()
    public_access = container_properties.public_access
    if public_access != PublicAccess.None:
        print(f"Public access is still allowed for container {container_name}")
By following these steps, you can remediate the issue of Blob Containers Allowing Public Access in Azure using Python.

Additional Reading: