Steampipe mods are now Powerpipe →
Powerpipe Hub 
Hub
Mods
turbot/azure_compliance
Overview
9Dashboards
1129Controls
407Queries
2Variables
GitHub
Loading controls...

Control: 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible

Description

The storage account container containing the activity log export should not be publicly accessible.

Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.

Remediation

From Console

  1. Search for Storage Accounts to access Storage account blade
  2. Click on the storage account name
  3. In Section Blob Service click Containers in side bar under Data storage. It will list all the containers in next blade
  4. Look for a record with container named as insight-operational-logs used for the logging activities.
  5. Click Access Policy from Context Menu and set Public Access Level to Private (no anonymous access)

From Command Line

az storage container set-permission --name insights-operational-logs --account-name <Storage Account Name> --public-access off

Note: By default, public access is set to null (allowing only private access) for a container with activity log export.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v130_5_1_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v130_5_1_3 --share

SQL

This control uses a named query:

monitor_logs_storage_container_insights_operational_logs_not_public_accessible

Tags

category = Compliance
cis = true
cis_item_id = 5.1.3
cis_level = 1
cis_section_id = 5.1
cis_type = automated
cis_version = v1.3.0
plugin = azure
service = Azure/Monitor