id: azure-blob-anonymous-access-disabled
info:
  name: Azure Blob Anonymous Access Disabled
  author: princechaddha
  severity: medium
  description: |
    Ensure that public (anonymous) access is disabled for all the blob containers available within your Microsoft Azure storage accounts in order to protect your data against unauthorized access. Disabling public access at the storage account level overrides the public access setting configured for the individual blob containers in that storage account.
  impact: |
    If the storage account show command output returns true, the container and blob data can be read by anonymous users, therefore, the public access to the blob containers in the selected Azure storage account is not disabled.
  remediation: |
    Disable public (anonymous) access to all blob containers in Azure storage accounts to protect your data against unauthorized access.
  reference:
    - https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent
  tags: cloud,devops,azure,microsoft,azure-storage,azure-cloud-config

flow: |
  code(1);
  for (let StorageAccount of iterate(template.storageAccountIds)) {
    set("ids", StorageAccount);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az storage account list --query '[*].id'

    extractors:
      - type: json
        name: storageAccountIds
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az storage account show --ids "$ids" --query allowBlobPublicAccess

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'true'

    extractors:
      - type: dsl
        dsl:
          - 'ids + " is not disabling anonymous blob access"'
# digest: 4a0a00473045022063bb36890de437420139f1381ee2481ffdff684ae506da8859bf1ab7993f7627022100c6c9cc2053e0b647964f423a27efbf2f00dd0dc0301f7555931157bf6713c4bc:922c64590222798bb761d5b6d8e72950