54 lines
1.9 KiB
YAML
id: azure-blob-anonymous-access-disabled

info:
  name: Azure Blob Anonymous Access Disabled
  author: princechaddha
  severity: medium
  description: |
    Ensure that public (anonymous) access is disabled for all blob containers in your Microsoft Azure storage accounts in order to protect your data against unauthorized access. Disabling public access at the storage account level overrides the public access setting configured on the individual blob containers in that storage account.
  impact: |
    If the `az storage account show` command output returns true, anonymous users can read container and blob data, so public access to the blob containers in the selected Azure storage account is not disabled.
  remediation: |
    Disable public (anonymous) access to all blob containers in Azure storage accounts to protect your data against unauthorized access.
  reference:
    - https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent
  tags: cloud,devops,azure,microsoft,azure-storage,azure-cloud-config

flow: |
  code(1);
  for (let StorageAccount of iterate(template.storageAccountIds)) {
    set("ids", StorageAccount);
    code(2);
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      az storage account list --query '[*].id'

    extractors:
      - type: json
        name: storageAccountIds
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az storage account show --ids "$ids" --query allowBlobPublicAccess

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'true'

    extractors:
      - type: dsl
        dsl:
          - 'ids + " is not disabling anonymous blob access"'
# digest: 4a0a00473045022063bb36890de437420139f1381ee2481ffdff684ae506da8859bf1ab7993f7627022100c6c9cc2053e0b647964f423a27efbf2f00dd0dc0301f7555931157bf6713c4bc:922c64590222798bb761d5b6d8e72950
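As an added illustration (not part of the template or of the nuclei project), the Python below replays the template's flow offline over constructed `az` output and shows one caveat: the word matcher only fires on a literal `true`, so an account whose `allowBlobPublicAccess` comes back `null` (property never set) passes silently, while the stricter variant treats anything but an explicit `false` as a finding. The subscription GUID, resource groups and account names are made up.

```python
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription


def account_id(rg: str, name: str) -> str:
    """Build an ARM resource id in the shape `az storage account list --query '[*].id'` returns."""
    return f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{name}"


# Constructed sample data standing in for the two `az` commands the template runs.
# SAMPLE_SHOW_OUTPUT values are the raw stdout of
# `az storage account show --ids "$ids" --query allowBlobPublicAccess`.
SAMPLE_LIST_OUTPUT = json.dumps([
    account_id("rg-a", "openlogs"),
    account_id("rg-a", "lockeddata"),
    account_id("rg-b", "legacyacct"),
])
SAMPLE_SHOW_OUTPUT = {
    account_id("rg-a", "openlogs"): "true\n",     # anonymous access explicitly allowed
    account_id("rg-a", "lockeddata"): "false\n",  # anonymous access disabled
    account_id("rg-b", "legacyacct"): "null\n",   # property unset on an older account
}


def template_matcher(show_stdout: str) -> bool:
    """The template's word matcher: flag only when the output contains 'true'."""
    return "true" in show_stdout


def strict_matcher(show_stdout: str) -> bool:
    """Conservative variant: anything other than an explicit JSON false is not disabled."""
    value = show_stdout.strip()
    if not value:
        return True  # no answer from the CLI: do not assume the setting is disabled
    return json.loads(value) is not False


def run_flow(list_stdout: str, show_outputs: dict, matcher=template_matcher) -> list:
    """Replay the flow: code(1) lists ids, code(2) runs per id, the matcher decides."""
    findings = []
    for ids in json.loads(list_stdout):      # json extractor '.[]' over code(1) output
        stdout = show_outputs.get(ids, "")   # code(2) with $ids set by the flow
        if matcher(stdout):
            findings.append(f"{ids} is not disabling anonymous blob access")  # dsl extractor
    return findings
```

For a flagged account the fix is `az storage account update -n <name> -g <rg> --allow-blob-public-access false` (an existing az CLI flag, not quoted from the template).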