lacework-global-556
5.1.3 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible (Manual)
Note: This rule has been changed to manual; see Permanently Manual Rules for CIS Azure 1.5.0 for details.
Profile Applicability
• Level 1
Description
The storage account container containing the activity log export should not be publicly accessible.
Rationale
Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.
Impact
Configuring the container Access policy to Private will remove access to the container for everyone except owners of the storage account. The access policy must then be set explicitly in order to allow access to other desired users.
Audit
From Azure Portal
- From Azure Home select the Portal Menu
- Select Diagnostic Settings in the left column.
- In section Storage Account, note the name of the Storage account
- Close Diagnostic settings. Close the Monitor - Activity Log blade.
- In the right column, click the Storage Accounts service to access the Storage account blade
- Click on the storage account name noted earlier. This will open the blade specific to that storage account
- In section Blob Service click Containers. It will list all the containers in the next blade
- Look for a record with the container named insights-operational-logs. Click ... in the right-most column to open the Context menu
- Click Access Policy from the Context Menu and ensure Public Access Level is set to Private (no anonymous access)
From Azure CLI
- Get the storage account id configured with the log profile:
az monitor log-profiles list --query [*].storageAccountId
- Ensure the container storing activity logs (insights-operational-logs) is not publicly accessible:
az storage container list --account-name <Storage Account Name> --query "[?name=='insights-operational-logs']"
In the command output ensure publicAccess is set to null.
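The two CLI checks above can be scripted so the audit is repeatable across subscriptions. The following is an added example, not Lacework's or CIS's own code: it extracts the storage account name from the ARM resource id returned by the first command (assuming the standard `/subscriptions/.../providers/Microsoft.Storage/storageAccounts/<name>` layout), then evaluates the JSON that the second command prints. It assumes `az storage container list` reports the access level under `properties.publicAccess` (and also accepts a flattened top-level `publicAccess`); the sample container list embedded below is constructed for illustration, not real `az` output.

```python
import json
import re

# Assumed ARM resource id layout for a storage account (standard Azure format,
# not taken from the benchmark text).
_STORAGE_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Storage/storageAccounts/(?P<name>[a-z0-9]{3,24})$",
    re.IGNORECASE,
)

# Container name the control expects for exported activity logs (from the page).
LOG_CONTAINER = "insights-operational-logs"


def account_name_from_id(resource_id: str) -> str:
    """Return the storage account name from an ARM resource id.

    Raises ValueError on anything that is not a storage account id, so an
    unexpected value fails loudly instead of silently passing the audit.
    """
    m = _STORAGE_ID_RE.match(resource_id.strip())
    if not m:
        raise ValueError(f"not a storage account resource id: {resource_id!r}")
    return m.group("name")


def public_access_level(container: dict):
    """Return the container's publicAccess value (None means private).

    Assumption: `az storage container list` nests it under "properties";
    a flattened top-level key is accepted as well.
    """
    props = container.get("properties") or {}
    if "publicAccess" in props:
        return props["publicAccess"]
    return container.get("publicAccess")


def audit_log_container(container_list_json: str, expected_name: str = LOG_CONTAINER) -> dict:
    """Evaluate `az storage container list` output against the control.

    status       - "PASS" if the log container exists with publicAccess null,
                   "FAIL" if it exists with any public level,
                   "NOT_FOUND" if the account holds no such container
    public       - the publicAccess value observed on the log container
    other_public - other containers with anonymous access; not scored by this
                   control but worth reporting to the account owner
    """
    containers = json.loads(container_list_json)
    result = {"status": "NOT_FOUND", "public": None, "other_public": []}
    for c in containers:
        level = public_access_level(c)
        if c.get("name") == expected_name:
            result["public"] = level
            result["status"] = "PASS" if level is None else "FAIL"
        elif level is not None:
            result["other_public"].append(c["name"])
    return result


# Constructed sample output in the assumed shape; the log container is public
# here so the failing path is exercised.
SAMPLE_CONTAINERS = json.dumps([
    {"name": LOG_CONTAINER, "properties": {"publicAccess": "container"}},
    {"name": "backups", "properties": {"publicAccess": None}},
    {"name": "static-site", "publicAccess": "blob"},
])

# Constructed sample id matching the assumed resource id layout.
SAMPLE_ACCOUNT_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs"
    "/providers/Microsoft.Storage/storageAccounts/stactivitylogs001"
)


if __name__ == "__main__":
    account = account_name_from_id(SAMPLE_ACCOUNT_ID)
    verdict = audit_log_container(SAMPLE_CONTAINERS)
    print(f"account={account} status={verdict['status']} publicAccess={verdict['public']}")
    if verdict["status"] == "FAIL":
        # Remediation command from the page, with the account name filled in.
        print(f"az storage container set-permission --name {LOG_CONTAINER} "
              f"--account-name {account} --public-access off")
```

In practice the JSON would come from running the second CLI command against the account name derived from the first; `NOT_FOUND` usually means activity logs are not being exported to this account at all, which is a separate finding rather than a pass.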
Remediation
From Azure Portal
- From Azure Home select the Portal Menu
- Search for Storage Accounts to access the Storage account blade
- Click on the storage account name
- In section Blob Service click Containers. It will list all the containers in the next blade
- Look for a record with the container named insights-operational-logs. Click ... in the right-most column to open the Context menu
- Click Access Policy from the Context Menu and set Public Access Level to Private (no anonymous access)
From Azure CLI
az storage container set-permission --name insights-operational-logs --account-name <Storage Account Name> --public-access off
References
https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls