More Info:
Anonymous, public read access to a container and its blobs can be enabled in Azure Blob Storage. It grants read-only access to those resources without sharing the account key and without requiring a shared access signature. Do not enable anonymous access to blob containers unless it is strongly desired; use a shared access signature token to provide controlled, time-limited access to blob containers.
Risk Level: Medium
Address: Security
Compliance Standards: SOC2, ISO27001, GDPR, CISAZURE, CBP, NISTCSF
Triage and Remediation
Remediation
Using Console
Step-by-step instructions to remediate Blob Containers Allowing Public Access in Azure using the Azure portal:
- Log in to your Azure portal (https://portal.azure.com/).
- Navigate to the storage account that contains the Blob Container that has public access enabled.
- Click on the Blob Container that has public access enabled.
- Click on the “Access Policy” option in the left-hand menu.
- From the “Public access level” dropdown, select “Private (no anonymous access)”.
- Click the “Save” button to save the changes.
- Repeat the above steps for every Blob Container that has public access enabled.
Using CLI
Step-by-step instructions to remediate the misconfiguration of Blob Containers Allowing Public Access in Azure using the Azure CLI:
1. Open the Azure CLI in your terminal or command prompt.
2. Log in to your Azure account using the following command:
3. Once you are logged in, identify the storage account that has the Blob Containers Allowing Public Access. You can list all the storage accounts in your subscription using the following command:
4. From the list of storage accounts, identify the one that has the Blob Containers Allowing Public Access and make a note of its name.
5. Next, list all the containers within the storage account using the following command:
   Replace <storage-account-name> with the name of the storage account that you identified in step 4.
6. From the list of containers, identify the one that has public access and make a note of its name.
7. To revoke public access to the container, set the access level of the container to private using the following command:
   Replace <storage-account-name> with the name of the storage account that you identified in step 4 and <container-name> with the name of the container that you identified in step 6.
8. Once you have executed the above command, public access to the container is revoked and only authorized users can access it.
9. Verify that public access has been revoked by listing the containers again using the command from step 5. The output should show that the access level of the container is private.
Using Python
To remediate Blob Containers Allowing Public Access in Azure using Python, you can use the Azure Storage SDK for Python. Here are the steps to follow:
- Install the Azure Storage SDK for Python using the following command:
- Use the following code to get a list of all the containers in your storage account:
- Once you have the list of containers, iterate over them and set the public access level of each one to None using the following code:
- Finally, check that public access has been removed using the following code:
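The console, CLI and Python steps above all perform the same sequence (list the containers, find the ones with anonymous access, set them to private, verify), but the commands and code themselves are absent from this page. The script below is an added example, not the page's or the SDK's own code, written against the azure-storage-blob v12 SDK. It assumes that package is installed and that a connection string is available in the AZURE_STORAGE_CONNECTION_STRING environment variable (both assumptions); the container names in comments are constructed. The audit logic is kept separate from the SDK calls so it can be exercised against a constructed container listing, and the remediation step reads the container's stored access policies back before writing, because Set Container ACL replaces the whole policy list rather than only the public-access flag.

```python
"""Find and remediate Azure Blob containers that allow anonymous (public) read access.

Added example (assumes azure-storage-blob v12 and AZURE_STORAGE_CONNECTION_STRING).
"""
import os
import sys
from typing import Dict, Iterable, List, Optional

# Values reported in ContainerProperties.public_access when anonymous read is on:
# "container" (anonymous list + read) or "blob" (anonymous read of blobs by URL).
# None means private, which is the compliant state.
PUBLIC_LEVELS = {"container", "blob"}


def find_public_containers(containers: Iterable) -> List[str]:
    """Return the names of containers whose public_access is 'container' or 'blob'.

    `containers` is any iterable of objects exposing .name and .public_access,
    such as the ContainerProperties yielded by BlobServiceClient.list_containers().
    """
    public = []
    for props in containers:
        level = getattr(props, "public_access", None)
        if level is None:
            continue
        # Accept either a plain string or a str-based enum member.
        level = getattr(level, "value", level)
        if str(level).lower() in PUBLIC_LEVELS:
            public.append(props.name)
    return public


def make_private(container_client) -> Optional[str]:
    """Set one container to private while preserving its stored access policies.

    get_container_access_policy() returns the current public_access level and a
    list of SignedIdentifier objects (.id, .access_policy). set_container_access_policy()
    expects those as a {id: AccessPolicy} dict and replaces the whole ACL, so the
    existing identifiers are written back unchanged and only public_access is cleared.
    Returns the public_access level read back after the change (None when private).
    """
    acl = container_client.get_container_access_policy()
    identifiers: Dict[str, object] = {
        ident.id: ident.access_policy for ident in (acl.get("signed_identifiers") or [])
    }
    container_client.set_container_access_policy(
        signed_identifiers=identifiers,
        public_access=None,
    )
    return container_client.get_container_access_policy().get("public_access")


def remediate(blob_service_client, dry_run: bool = False) -> Dict[str, Optional[str]]:
    """Audit every container in the account and, unless dry_run, make the public ones private.

    Returns {container_name: public_access_level} for each container that was public:
    the current level in dry-run mode, the level read back after remediation otherwise.
    """
    results: Dict[str, Optional[str]] = {}
    for name in find_public_containers(blob_service_client.list_containers()):
        client = blob_service_client.get_container_client(name)
        if dry_run:
            results[name] = client.get_container_access_policy().get("public_access")
        else:
            results[name] = make_private(client)
    return results


def build_client():
    """Create a BlobServiceClient from the connection string in the environment.

    The SDK import lives here so the audit logic above does not require the
    package to be installed (pip install azure-storage-blob).
    """
    from azure.storage.blob import BlobServiceClient

    conn_str = os.environ["AZURE_STORAGE_CONNECTION_STRING"]
    return BlobServiceClient.from_connection_string(conn_str)


if __name__ == "__main__":
    # Run with --dry-run to only report, e.g. "logs: public_access is blob".
    outcome = remediate(build_client(), dry_run="--dry-run" in sys.argv)
    if not outcome:
        print("No containers with anonymous access found.")
    for container, level in outcome.items():
        print(f"{container}: public_access is {level}")
```

Run it once with --dry-run to see which containers would be changed, then without the flag; a second dry run afterwards should report nothing, which is the verification step the page's last bullet describes. Note that Set Container ACL requires the account key or a role with that data-plane permission, so the connection string must carry the key or the caller must have the equivalent authorization.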