As part of the Visual Studio Talk Show hosted by Mario Cardinal and Guy Barrette, I had the pleasure of recording an episode on the topic of « SecOps ».
In this article, I will show you how a malicious actor can leverage the Azure Managed Disk Import / Export feature to exfiltrate data outside of your organization. By default, all Azure managed disks are configured with the public endpoint enabled.
You can generate a time-bound Shared Access Signature (SAS) URI for unattached managed disks and snapshots in order to export the data to another region for regional expansion or disaster recovery, or to read the data for forensic analysis. When the URI is generated, you need to define an expiration time (maximum expiration time 4294967295 seconds). Until that expiration time, anyone who knows the SAS URI can download the disk, with no IP filtering applied.
To prevent this security issue, I recommend that you:
Enable a private endpoint (through a disk access resource), or
Configure the connection method as: Deny all
If you want to know which managed disks are configured with the connectivity method « Public endpoint », you can use an Azure Policy in audit mode:
By default, a storage account allows public access to be configured for containers in the account, but does not enable public access to your data. Public access to blob data is never permitted unless you take the additional step to explicitly configure the public access setting for a container.
Microsoft introduced a new protection feature to help avoid public access on storage accounts. The feature introduces a new property named allowBlobPublicAccess.
Microsoft recommends that you disallow public access to a storage account unless your scenario requires it. Disallowing public access helps to prevent data breaches caused by undesired anonymous access.
In this article, I will show you how you can identify these storage accounts with an Azure Resource Graph query:
resources
| where type =~ 'Microsoft.Storage/storageAccounts'
| extend allowBlobPublicAccess = parse_json(properties).allowBlobPublicAccess
| project name, resourceGroup, allowBlobPublicAccess
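The query above only projects the property; it does not say what to do with an account where the property is not set at all (accounts created before the feature existed). The script below is an added example, not code from the original post: it triages exported Resource Graph records offline for both the storage-account and the managed-disk cases. The records are constructed sample data, and the assumption that a missing allowBlobPublicAccess should be reported as allowed is flagged in the code.

```python
"""Offline triage of exported Azure Resource Graph records for public exposure.

Sample records below are constructed, not real subscription data. Property
names used: 'allowBlobPublicAccess' on storage accounts and
'networkAccessPolicy' on managed disks (values AllowAll / AllowPrivate / DenyAll).
"""
import json

# Constructed sample: shape of `resources | project name, type, properties`.
SAMPLE_RESOURCES = [
    {"name": "stlegacy", "type": "microsoft.storage/storageaccounts",
     "properties": json.dumps({"supportsHttpsTrafficOnly": True})},  # property absent
    {"name": "stpublic", "type": "microsoft.storage/storageaccounts",
     "properties": json.dumps({"allowBlobPublicAccess": True})},
    {"name": "stlocked", "type": "microsoft.storage/storageaccounts",
     "properties": json.dumps({"allowBlobPublicAccess": False})},
    {"name": "disk-default", "type": "microsoft.compute/disks",
     "properties": json.dumps({"networkAccessPolicy": "AllowAll"})},
    {"name": "disk-private", "type": "microsoft.compute/disks",
     "properties": json.dumps({"networkAccessPolicy": "AllowPrivate"})},
    {"name": "disk-denied", "type": "microsoft.compute/disks",
     "properties": json.dumps({"networkAccessPolicy": "DenyAll"})},
]


def classify(resource):
    """Return (name, reason) when the resource is publicly reachable, else None.

    Mirrors the Resource Graph query: the type is compared case-insensitively
    (like =~) and the properties column is parsed as JSON (like parse_json)."""
    rtype = resource["type"].lower()
    props = resource["properties"]
    if isinstance(props, str):
        props = json.loads(props)
    if rtype == "microsoft.storage/storageaccounts":
        flag = props.get("allowBlobPublicAccess")
        if flag is None:
            # Assumption: an account that predates the property behaves as if
            # public access were allowed, so report it instead of skipping it.
            return (resource["name"], "allowBlobPublicAccess not set (treated as allowed)")
        return (resource["name"], "allowBlobPublicAccess = true") if flag else None
    if rtype == "microsoft.compute/disks":
        # A disk without the property keeps the default public endpoint.
        if props.get("networkAccessPolicy", "AllowAll") == "AllowAll":
            return (resource["name"], "networkAccessPolicy = AllowAll (exportable via SAS URI)")
        return None
    return None


def find_exposed(resources):
    """List every storage account or disk that the triage flags as exposed."""
    return [f for f in (classify(r) for r in resources) if f is not None]


if __name__ == "__main__":
    for name, why in find_exposed(SAMPLE_RESOURCES):
        print(f"{name}: {why}")
```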