
🛡️ Azure Storage Account Allow Blob Anonymous Access is enabled🟢

✉️ dec-x-083928f51

Description

The Azure Storage setting 'Allow Blob Anonymous Access' (the allowBlobPublicAccess property) controls whether anonymous access to blob data in a storage account is permitted. When the property is True, public read access to blob data is possible, which can be convenient for sharing data but carries security risk. When it is False, public access to blob data is disallowed, providing a more secure storage environment.

Rationale

If 'Allow Blob Anonymous Access' is enabled, the contents of a blob can be viewed by anyone who appends the blob name to the storage URL. An attacker can enumerate blob names, for example by brute force, and retrieve them.

Exfiltration of data through brute-force enumeration of items in a storage account is therefore possible while this setting is Enabled.

Impact

Additional consideration may be required in exceptional circumstances where elements of a storage account must be publicly accessible. In those cases, it is highly recommended that all data stored in the public-facing storage account be reviewed for sensitive or potentially compromising content, and that such data is never stored in those storage accounts.


Remediation

From Azure Portal

  1. Go to Storage Accounts.
  2. For each storage account, under Settings, click Configuration.
  3. Set Allow Blob Anonymous Access to Disabled.
  4. Click Save.

From PowerShell

For every storage account in scope, run the following:

$storageAccount = Get-AzStorageAccount `
    -ResourceGroupName "{{resource-group-name}}" `
    -Name "{{storage-account-name}}"
# Set-AzStorageAccount addresses the account by resource group and name (it has no -InputObject
# parameter); -AllowBlobPublicAccess $false disables anonymous read access to all blob data in it.
Set-AzStorageAccount `
    -ResourceGroupName $storageAccount.ResourceGroupName `
    -Name $storageAccount.StorageAccountName `
    -AllowBlobPublicAccess $false
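The per-account commands above fix one account at a time; the following added example (not part of the original policy page or the Cloudaware rule) audits every storage account in the current subscription for this setting and, with -Remediate, disables it. It assumes the Az.Accounts and Az.Storage modules are installed, that Connect-AzAccount has already selected the subscription, and that the script is saved under the hypothetical name Audit-BlobAnonymousAccess.ps1.

```powershell
# Added example, not part of the original policy page. Audits every storage account in the
# current Azure subscription for 'Allow Blob Anonymous Access' and, with -Remediate, disables it.
# Assumes Az.Accounts and Az.Storage are installed and Connect-AzAccount has selected the
# subscription. Hypothetical file name: Audit-BlobAnonymousAccess.ps1
[CmdletBinding(SupportsShouldProcess)]
param(
    # Report-only by default; pass -Remediate (optionally with -WhatIf) to fix non-compliant accounts.
    [switch]$Remediate
)

# Get-AzStorageAccount with no parameters returns every account in the current subscription.
$findings = foreach ($account in Get-AzStorageAccount) {
    # AllowBlobPublicAccess is a nullable boolean. $null means the property was never set
    # explicitly, so only an explicit $false is treated as compliant.
    $isCompliant = ($account.AllowBlobPublicAccess -eq $false)
    [pscustomobject]@{
        ResourceGroup         = $account.ResourceGroupName
        StorageAccount        = $account.StorageAccountName
        AllowBlobPublicAccess = $account.AllowBlobPublicAccess
        Compliant             = $isCompliant
    }
}

# Non-compliant accounts sort first (False before True), so they appear at the top of the report.
$findings | Sort-Object Compliant, ResourceGroup, StorageAccount | Format-Table -AutoSize

$nonCompliant = @($findings | Where-Object { -not $_.Compliant })
Write-Host ("{0} of {1} storage accounts allow (or do not explicitly deny) anonymous blob access." -f
    $nonCompliant.Count, @($findings).Count)

if ($Remediate) {
    foreach ($f in $nonCompliant) {
        $target = "$($f.ResourceGroup)/$($f.StorageAccount)"
        # ShouldProcess honours -WhatIf and -Confirm, so the change can be previewed before it is applied.
        if ($PSCmdlet.ShouldProcess($target, "Set AllowBlobPublicAccess to false")) {
            Set-AzStorageAccount -ResourceGroupName $f.ResourceGroup `
                                 -Name $f.StorageAccount `
                                 -AllowBlobPublicAccess $false | Out-Null
        }
    }
}
```

Run it without parameters for the audit report, then with `-Remediate -WhatIf` to preview the changes before applying them with `-Remediate`.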


Linked Framework Sections

  - APRA CPG 234 → 36d access management controls — only authorised users, software and hardware are able to access information assets (refer to Attachment B for further guidance);
  - APRA CPG 234 → 36e hardware and software asset controls — appropriate authorisation to prevent security compromises from unauthorised hardware and software assets;
  - APRA CPG 234 → 36f network design — to ensure authorised network traffic flows and to reduce the impact of security compromises;
  - APRA CPG 234 → 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.
  - APRA CPG 234 → 52d appropriate segmentation of data, based on sensitivity and access needs;
  - APRA CPG 234 → 53 Wholesale access to sensitive data (e.g. contents of customer databases or intellectual property that can be exploited for personal gain) would be highly restricted to reduce the risk exposure to significant data leakage events. Industry experience of actual data leakage incidents include the unauthorised extraction of debit/credit card details, theft of personally identifiable information, loss of unencrypted backup media and the sale/trade or exploitation of customer identity data.
  - CIS Azure v1.1.0 → 3.6 Ensure that 'Public access level' is set to Private for blob containers
  - CIS Azure v2.1.0 → 3.17 Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' - Level 1 (Automated)
  - CIS Azure v3.0.0 → 4.17 Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' (Automated)
  - CIS Azure v4.0.0 → 10.3.9 Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' (Automated)
  - CIS Azure v5.0.0 → 9.3.8 Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' (Automated)
  - CIS Azure v6.0.0 → 9.3.8 Ensure that 'Allow Blob Anonymous Access' is Set to 'Disabled' (Automated)
  - Cloudaware Framework → Public Data Access
  - FedRAMP High Security Controls → AC-3 Access Enforcement (L)(M)(H)
  - FedRAMP High Security Controls → AC-4(21) Physical or Logical Separation of Information Flows (M)(H)
  - FedRAMP Low Security Controls → AC-3 Access Enforcement (L)(M)(H)
  - FedRAMP Moderate Security Controls → AC-3 Access Enforcement (L)(M)(H)
  - FedRAMP Moderate Security Controls → AC-4(21) Physical or Logical Separation of Information Flows (M)(H)
  - ISO/IEC 27001:2013 → A.9.4.1 Information access restriction
  - NIST CSF v1.1 → PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
  - NIST CSF v1.1 → PR.DS-5: Protections against data leaks are implemented
  - NIST CSF v2.0 → PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
  - NIST CSF v2.0 → PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
  - NIST CSF v2.0 → PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
  - NIST CSF v2.0 → PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
  - NIST SP 800-53 Revision 5 → AC-4(21) Information Flow Enforcement | Physical or Logical Separation of Information Flows
  - PCI DSS v3.2.1 → 1.1 Establish and implement firewall and router configuration standards
  - PCI DSS v3.2.1 → 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
  - PCI DSS v3.2.1 → 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
  - PCI DSS v3.2.1 → 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
  - PCI DSS v3.2.1 → 1.3.5 Permit only “established” connections into the network.
  - PCI DSS v4.0.1 → 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.
  - PCI DSS v4.0.1 → 1.4.1 NSCs are implemented between trusted and untrusted networks.
  - PCI DSS v4.0.1 → 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.
  - PCI DSS v4.0 → 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.
  - PCI DSS v4.0 → 1.4.1 NSCs are implemented between trusted and untrusted networks.
  - PCI DSS v4.0 → 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.
  - SOC 2 → CC6.1-7 Restricts Access to Information Assets
  - UK Cyber Essentials → 1.2 Prevent access to the administrative interface from the internet