turbot/azure_compliance

Control: 5.1.3 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible

Description

The storage account container containing the activity log export should not be publicly accessible.

Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Search for Storage Accounts to access the Storage account blade.
  3. Click on the storage account name.
  4. Click on Configuration under settings.
  5. Select Enabled under "Allow Blob public access".

From Azure CLI

az storage container set-permission --name insights-activity-logs --account-name <Storage Account Name> --sas-token <SAS token> --public-access off

From PowerShell

Create a new storage account context for the storage account holding the insights-activity-logs container, making sure to use a valid Shared Access Signature (SAS) token.

$context = New-AzStorageContext -StorageAccountName <storage account name> -SasToken "<SAS token>"

Change the insights-activity-logs container public access to off

Set-AzStorageContainerAcl -Context $context -Name "insights-activity-logs" -Permission Off -PassThru

Default Value

By default, public access is set to null (allowing only private access) for a container with activity log export.
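
The check below is an added example, not code from the benchmark or from the Powerpipe mod. It combines the two settings the remediation touches, the account-level "Allow Blob public access" switch and the container's own public access level, into one verdict. The function names are hypothetical, and treating an unset account flag as "not blocking" is a conservative assumption.

```bash
#!/usr/bin/env bash
# Added example, not code from the CIS benchmark or the Powerpipe mod.
# Function names are hypothetical.

# assess_activity_log_container <allowBlobPublicAccess> <container publicAccess>
#   $1: true | false | empty/None (unset on the account)
#   $2: off | blob | container | empty/None (null, the default)
# Prints "ok", "alarm" or "review" followed by the reason.
assess_activity_log_container() {
  local account_flag container_acl
  # Normalise case so True/true and None/none compare equal.
  account_flag=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  container_acl=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')

  case "$container_acl" in
    ''|none|null|off)
      echo "ok: container public access is off"
      ;;
    blob|container)
      if [ "$account_flag" = "false" ]; then
        # The account-level setting overrides the container ACL, but the ACL
        # becomes live again if public access is re-enabled on the account.
        echo "review: container ACL is '$container_acl', blocked at account level"
      else
        # Assumption: an unset account flag is treated as not blocking.
        echo "alarm: container ACL is '$container_acl' and the account allows it"
      fi
      ;;
    *)
      echo "review: unrecognised public access value '$container_acl'"
      ;;
  esac
}

# Reads both settings with the Azure CLI and assesses them.
# Usage: audit_activity_log_container <storage account name> <SAS token>
audit_activity_log_container() {
  local flag acl
  flag=$(az storage account show --name "$1" \
    --query allowBlobPublicAccess --output tsv) || return 2
  acl=$(az storage container show --name insights-activity-logs \
    --account-name "$1" --sas-token "$2" \
    --query properties.publicAccess --output tsv) || return 2
  assess_activity_log_container "$flag" "$acl"
}
```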

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v200_5_1_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v200_5_1_3 --share

SQL

This control uses a named query:

monitor_logs_storage_container_insights_activity_logs_not_public_accessible
