Storage Account Allows Public Network Access

Overview

The default configuration for a storage account permits a user with appropriate permissions to configure public (anonymous) access to containers and blobs in a storage account. Keep in mind that public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. It grants readonly access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token or Azure AD RBAC should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on any container in the storage account, it's recommended to set allowBlobPublicAccess false at the account level, which forbids any container to accept anonymous access in the future.

By default, Public Network Access is set to Enabled from all networks for the Storage Account.

Vendor

Azure

Cloud Service

Storage

CIS Azure v2.0.0 3.7

References

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-toresources, https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-accessprevent, https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-and-implement-enterprisesegmentationseparation-of-duties-strategy, https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls, https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-accessconfigure, https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-dataaccess

Severity

Item Types

Microsoft.Storage.storageAccounts

Overview​

Vendor​

Cloud Service​

Related Controls​

References​

Severity​

Item Types​