Azure Storage Publicly Accessible Web Containers
ID: azure-storage-public-access
Severity: high
Author: princechaddha
Tags: cloud,devops,azure,microsoft,storage,azure-cloud-config
Description
Section titled “Description”Ensure that the Microsoft Azure storage container where the exported activity log files are saved is not publicly accessible from the Internet, in order to avoid exposing sensitive data and minimize security risks.
YAML Source
Section titled “YAML Source”id: azure-storage-public-accessinfo: name: Azure Storage Publicly Accessible Web Containers author: princechaddha severity: high description: | Ensure that the Microsoft Azure storage container where the exported activity log files are saved is not publicly accessible from the Internet, in order to avoid exposing sensitive data and minimize security risks. impact: | If the storage container is publicly accessible, sensitive data contained within the activity log files can be accessed by anyone, thus increasing the risk of data breaches and unauthorized access. remediation: | Ensure that the Azure storage containers storing activity log files are configured to deny public access. Review and modify the public access settings of your storage accounts to protect sensitive data. reference: - https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview tags: cloud,devops,azure,microsoft,storage,azure-cloud-config
flow: | code(1); for (let subName of iterate(template.subscriptionNames)) { set("subName", subName); code(2); for (let containerDetails of iterate(template.containerDetails)) { set("containerDetails", containerDetails); code(3); } }
self-contained: truecode: - engine: - sh - bash source: | az monitor diagnostic-settings subscription list --query 'value[*].name'
extractors: - type: json name: subscriptionNames internal: true json: - '.[]'
- engine: - sh - bash source: | az monitor diagnostic-settings subscription show --name "$subName" --query 'storageAccountId'
extractors: - type: json name: containerDetails internal: true json: - '.'
- engine: - sh - bash source: | az storage container show --account-name $containerDetails --name insights-operational-logs --query 'properties.publicAccess'
matchers: - type: word words: - 'container'
extractors: - type: dsl dsl: - 'subName + " storage container insights-operational-logs is publicly accessible"'# digest: 4a0a00473045022100b3f568a23f1ad0b86badce71051ebc1098405921346e0d7972df8ad1d8b31395022062b246e7e0341958e4bd97250a7aef17d07ff7021792783ef95c1ef5f458cff3:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/storageaccounts/azure-storage-public-access.yaml"