Azure-BlobService-Blob-Container-Private-Access
Severity: High
Description: This control ensures that the Public Access Level of every blob container is set to Private, so that the container and its blobs cannot be read anonymously. Azure Blob storage can grant anonymous, public read access to a container and its blobs: anyone who knows the URL can then read them, without the account key and without a shared access signature. Anonymous access should not be enabled unless it is explicitly and strongly required. Where controlled, time-limited access is needed, use a shared access signature (SAS) token instead. If no anonymous access is needed anywhere on the storage account, set allowBlobPublicAccess to false at the account level; this blocks anonymous access regardless of how individual containers are configured.
Remediation Steps:
Perform the following to update the storage account configuration:
Login to Azure Portal using https://portal.azure.com.
Go to Storage Accounts.
For each storage account, go to Containers under BLOB SERVICE.
For each container, click Change Access level.
Set Public access level to Private.
For each storage account, go to Configuration under Settings.
Under Allow Blob public access, select Disabled if no anonymous access is needed on the storage account.
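The same check and remediation can be scripted against the Azure CLI. The following is an added example and not part of this control or Blue Hexagon's tooling: it takes the JSON that `az storage account list -o json` and `az storage container list --account-name <acct> -o json` return, decides per account whether anonymous access is possible, and emits the `az storage container set-permission` and `az storage account update` commands that perform the portal steps above. The sample JSON is constructed for the example; the field names (`allowBlobPublicAccess`, `properties.publicAccess`) follow the real CLI output. Note the ordering of the check: once `allowBlobPublicAccess` is false, a container's own Blob or Container level no longer grants anything, so the account is treated as compliant even if a container is still set to public.

```python
"""Audit Azure storage accounts for anonymous (public) blob access and
emit the az CLI commands that remediate what is found."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    account: str
    resource_group: str
    allow_blob_public_access: Optional[bool]   # True, False, or None (never set)
    public_containers: List[str]               # containers at "blob" or "container" level

    @property
    def compliant(self) -> bool:
        # The account-level switch wins: with allowBlobPublicAccess == false the
        # service rejects anonymous requests even for a container whose own level
        # is Blob or Container. True, or None (never set, default allowed on older
        # accounts), is only acceptable when no container grants anonymous access.
        if self.allow_blob_public_access is False:
            return True
        return not self.public_containers

    def remediation(self) -> List[str]:
        # Container step: set each public container back to Private ("off").
        cmds = [
            f"az storage container set-permission --account-name {self.account} "
            f"--name {name} --public-access off"
            for name in self.public_containers
        ]
        # Account step: disable anonymous access for the whole account unless it
        # is already explicitly disabled. Recommended even when currently compliant.
        if self.allow_blob_public_access is not False:
            cmds.append(
                f"az storage account update --name {self.account} "
                f"--resource-group {self.resource_group} --allow-blob-public-access false"
            )
        return cmds


def audit(accounts: List[dict], containers_by_account: Dict[str, List[dict]]) -> List[Finding]:
    """accounts: parsed output of `az storage account list -o json`.
    containers_by_account: account name -> parsed `az storage container list` output."""
    findings = []
    for acct in accounts:
        public = [
            c["name"]
            for c in containers_by_account.get(acct["name"], [])
            if (c.get("properties") or {}).get("publicAccess") in ("blob", "container")
        ]
        findings.append(Finding(
            account=acct["name"],
            resource_group=acct["resourceGroup"],
            allow_blob_public_access=acct.get("allowBlobPublicAccess"),
            public_containers=public,
        ))
    return findings


# Constructed sample data, shaped like the CLI's JSON output (not real accounts).
SAMPLE_ACCOUNTS = json.loads("""[
  {"name": "stprodlogs", "resourceGroup": "rg-prod",   "allowBlobPublicAccess": true},
  {"name": "stlegacy",   "resourceGroup": "rg-legacy", "allowBlobPublicAccess": null},
  {"name": "stlocked",   "resourceGroup": "rg-prod",   "allowBlobPublicAccess": false},
  {"name": "stclean",    "resourceGroup": "rg-dev",    "allowBlobPublicAccess": null}
]""")

SAMPLE_CONTAINERS = json.loads("""{
  "stprodlogs": [{"name": "logs",    "properties": {"publicAccess": "container"}},
                 {"name": "backups", "properties": {"publicAccess": null}}],
  "stlegacy":   [{"name": "web",     "properties": {"publicAccess": "blob"}}],
  "stlocked":   [{"name": "data",    "properties": {"publicAccess": "container"}}],
  "stclean":    [{"name": "private", "properties": {"publicAccess": null}}]
}""")


def run_sample() -> List[Finding]:
    return audit(SAMPLE_ACCOUNTS, SAMPLE_CONTAINERS)


if __name__ == "__main__":
    for f in run_sample():
        status = "OK  " if f.compliant else "FAIL"
        print(f"{status} {f.account}: allowBlobPublicAccess={f.allow_blob_public_access} "
              f"public_containers={f.public_containers}")
        for cmd in f.remediation():
            print(f"       {cmd}")
```

To run it against a real subscription, replace the two constants with the output of the two `az` commands (one `az storage container list` call per account) and review the printed commands before executing them; both the container and account commands require a principal with write access to the storage account.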
Important:
Reference:
CIS reference: Azure Foundations Benchmark v1.3.0 - 02-01-2021 : Recommendation #3.5
Configure anonymous read access for containers and blobs - Azure Storage
Blue Hexagon Proprietary