fix: Azure query "Ensure that Public access level is set to Privat…#14195

Merged
jsonpr merged 3 commits intocloudquery:mainfrom
ankitsaini2609:fixed-public-access-level-to-private-blob-containers-azure
Sep 30, 2023
Conversation

@ankitsaini2609
Contributor

@ankitsaini2609 ankitsaini2609 commented Sep 29, 2023

Fixing the issue in "Ensure that 'public access level' is set to private for blob containers"

@ankitsaini2609 ankitsaini2609 changed the title bugfix: Azure query "Ensure that Public access level is set to Privat… fix: Azure query "Ensure that Public access level is set to Privat… Sep 29, 2023
@ankitsaini2609 ankitsaini2609 force-pushed the fixed-public-access-level-to-private-blob-containers-azure branch from 6f62cb0 to 9d0f6c5 Compare September 29, 2023 22:19
@ankitsaini2609 ankitsaini2609 force-pushed the fixed-public-access-level-to-private-blob-containers-azure branch from 9fc1813 to 4c18e90 Compare September 29, 2023 23:41
…or blob containers" is giving false positive results
@ankitsaini2609 ankitsaini2609 force-pushed the fixed-public-access-level-to-private-blob-containers-azure branch from 4c18e90 to 572605f Compare September 30, 2023 00:09
@jsonpr jsonpr left a comment

Hey @ankitsaini2609, thanks for submitting a PR! Agreed on the potential false positives for this query, nice catch.

Approving this for now since this will remove the false positives where containers are set to None and the storage account's Blob Public Access is allowed.

This query will need to be adjusted/tested for V1 Storage Accounts.

```sql
THEN 'pass'
ELSE 'fail'
WHEN (asa.properties->>'allowBlobPublicAccess')::BOOLEAN = true
AND (azsc.properties->>'publicAccess') <> 'None'
```
I don't find CIS Azure 1.3's logic clear. However, the intent is clear: disable anonymous access to blob containers and disallow blob public access on the storage account.

Intent wise, we're looking to ensure that any containers that can thus be public fail the control.

There are 2 different scenarios here: a classic storage account and the newer (V2) storage account.

This logic will work for the newer storage account, as if allowBlobPublicAccess is disabled on the storage account, containers will have None as their property. Thus there's no scenario with V2 storage where allowBlobPublicAccess is true and the container publicAccess property is not None.

However, I'm not sure if this covers classic storage accounts, since classic storage accounts require the container setting to be configured for each container (https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent-classic?tabs=portal).

Snippet from Azure: "Anonymous access to this container is being blocked because anonymous access is disabled on this storage account."

CIS Azure 1.3 snippet below:

Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on the storage account, it’s recommended to set allowBlobPublicAccess false.
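The predicate quoted in the review above is a PostgreSQL CASE over two JSON text values: `asa.properties->>'allowBlobPublicAccess'` cast to BOOLEAN, and `azsc.properties->>'publicAccess'` compared against `'None'`. The following Python mirrors that CASE with SQL three-valued logic so the V2 cases from the discussion, and the classic-account gap the reviewer raises, can be walked through on constructed rows. This is an added example, not CloudQuery's code or query; the row shape, the helper names and the sample rows are assumptions, and the row with a missing `allowBlobPublicAccess` key is only an illustration of what a storage account without that property would do to the query, not a claim about how CloudQuery represents classic accounts.

```python
"""Mirror the merged query's CASE predicate with SQL three-valued logic
(added example; constructed rows, not CloudQuery's own code)."""

from dataclasses import dataclass
from typing import Optional

@dataclass
class ContainerRow:
    """One joined storage-account/container row (hypothetical shape)."""
    account: str
    container: str
    # asa.properties->>'allowBlobPublicAccess' as JSON text; None = key absent (SQL NULL)
    allow_blob_public_access: Optional[str]
    # azsc.properties->>'publicAccess': 'None', 'Blob' or 'Container'; None = SQL NULL
    public_access: Optional[str]

def sql_bool(text: Optional[str]) -> Optional[bool]:
    """PostgreSQL text::BOOLEAN cast: NULL stays NULL, accepted literals parse."""
    if text is None:
        return None
    t = text.strip().lower()
    if t in ("true", "t", "yes", "on", "1"):
        return True
    if t in ("false", "f", "no", "off", "0"):
        return False
    raise ValueError(f"invalid input syntax for type boolean: {text!r}")

def sql_and(a: Optional[bool], b: Optional[bool]) -> Optional[bool]:
    """Three-valued AND: FALSE wins, then NULL, then TRUE."""
    if a is False or b is False:
        return False
    if a is None or b is None:
        return None
    return True

def evaluate(row: ContainerRow) -> str:
    """'fail' only when the WHEN is TRUE; NULL drops through to the ELSE ('pass')."""
    allow = sql_bool(row.allow_blob_public_access)
    allow_is_true = None if allow is None else allow is True          # NULL = true -> NULL
    not_none = None if row.public_access is None else row.public_access != "None"  # NULL <> 'None' -> NULL
    return "fail" if sql_and(allow_is_true, not_none) is True else "pass"

def rows_with_null_account_flag(rows: list[ContainerRow]) -> list[str]:
    """Containers whose account lacks allowBlobPublicAccess: the query passes them
    without looking at the container, so a defender should review them by hand."""
    return [f"{r.account}/{r.container}" for r in rows if r.allow_blob_public_access is None]

# Constructed sample rows (not real accounts).
SAMPLE_ROWS = [
    ContainerRow("v2-open", "logs", "true", "Blob"),        # account allows, container exposed
    ContainerRow("v2-open", "private", "true", "None"),     # the false positive the PR removes
    ContainerRow("v2-locked", "private", "false", "None"),  # account disallows -> containers None
    ContainerRow("no-flag", "legacy", None, "Container"),   # property absent: passes untested
]

def report(rows: list[ContainerRow] = SAMPLE_ROWS) -> dict[str, str]:
    """Map 'account/container' to the query's verdict for each row."""
    return {f"{r.account}/{r.container}": evaluate(r) for r in rows}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:22} {verdict}")
    print("needs manual review:", rows_with_null_account_flag(SAMPLE_ROWS))
```

The point of the `no-flag` row is the one a practitioner should keep in mind when reusing this predicate: in PostgreSQL `NULL::BOOLEAN = true` is NULL and `NULL AND x` is never TRUE, so any row whose storage account carries no `allowBlobPublicAccess` value lands in the ELSE branch and passes regardless of the container's own `publicAccess`. Listing those rows separately, as `rows_with_null_account_flag` does, keeps the V1/classic question the reviewer raises visible instead of silently green.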

@jsonpr
jsonpr commented Sep 30, 2023

/gen sha=572605f72a4f1edecb28a67655ae8f3379efde94 plugin=azure

@jsonpr jsonpr merged commit c4f9ae2 into cloudquery:main Sep 30, 2023
kodiakhq bot pushed a commit that referenced this pull request Oct 4, 2023
🤖 I have created a release *beep* *boop*
---


## [9.3.8](plugins-source-azure-v9.3.7...plugins-source-azure-v9.3.8) (2023-10-04)


### Bug Fixes

* Azure query "Ensure that Public access level is set to Privat… ([#14195](#14195)) ([c4f9ae2](c4f9ae2))
* **deps:** Update github.com/apache/arrow/go/v14 digest to 00efb06 ([#14202](#14202)) ([fc8cc62](fc8cc62))
* **deps:** Update github.com/cloudquery/arrow/go/v14 digest to 7ded38b ([#14246](#14246)) ([005891e](005891e))
* **deps:** Update github.com/petermattis/goid digest to 1876fd5 ([#14234](#14234)) ([3b56924](3b56924))
* **deps:** Update module github.com/cloudquery/plugin-sdk/v4 to v4.12.0 ([#14281](#14281)) ([85835a9](85835a9))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
hydratim pushed a commit to hydratim/cloudquery that referenced this pull request Oct 20, 2023
…loudquery#14195)

Fixing the issue in "Ensure that 'public access level' is set to private
for blob containers"

---------

Co-authored-by: Jason Kao <100613312+jsonpr@users.noreply.github.com>
Co-authored-by: cq-bot <cq-bot@users.noreply.github.com>
hydratim pushed a commit to hydratim/cloudquery that referenced this pull request Oct 20, 2023