Storage accounts: public access disabled
Demonstrate that all storage accounts within the organization's cloud environment are configured to disable public access, preventing anonymous or unauthenticated users from reading, writing, or listing stored objects.
Description
What this control does
This control requires that all storage accounts (such as Azure Storage, AWS S3, or Google Cloud Storage) be configured to block anonymous public access at the account or bucket/container level. When properly implemented, only authenticated and authorized users or services can access stored data; unauthenticated requests from the internet are denied by default. This prevents accidental or intentional exposure of sensitive data through misconfigured access policies, reducing the attack surface associated with cloud storage services.
Control objective
What auditing this proves
Demonstrate that all storage accounts within the organization's cloud environment are configured to disable public access, preventing anonymous or unauthenticated users from reading, writing, or listing stored objects.
Associated risks
Risks this control addresses
- Unauthorized disclosure of sensitive data through publicly accessible storage containers exposed to the internet
- Data exfiltration by external threat actors scanning for misconfigured storage accounts with open read permissions
- Ransomware or malicious file uploads to publicly writable storage accounts that can host malware or facilitate data tampering
- Compliance violations and regulatory penalties resulting from unintended exposure of personally identifiable information (PII), protected health information (PHI), or financial records
- Credential harvesting or information gathering by attackers who enumerate publicly accessible storage to identify organizational assets and data structures
- Reputational damage and loss of customer trust following public disclosure of a data breach caused by misconfigured storage access controls
- Supply chain compromise through injection of malicious artifacts into publicly writable repositories consumed by development or deployment pipelines
Testing procedure
How an auditor verifies this control
- Obtain an inventory of all storage accounts deployed across all cloud subscriptions, tenants, or projects within scope of the audit period.
- Review organizational policies and standards governing storage account configuration, including requirements to disable public access at provisioning and throughout the lifecycle.
- Export configuration settings for each storage account, specifically capturing public access settings (e.g., 'AllowBlobPublicAccess', 'PublicAccessLevel', 'BlockPublicAccess' flags).
- Query infrastructure-as-code templates (e.g., Terraform, CloudFormation, ARM templates) for storage account definitions and verify that public access is explicitly set to disabled.
- Execute cloud provider CLI commands or API queries to enumerate all storage accounts and programmatically retrieve their public access configuration status.
- Select a representative sample of storage accounts stratified by environment (production, development, testing) and business function, and manually verify public access settings via the cloud provider console.
- Test external accessibility by attempting unauthenticated HTTP GET requests to storage account endpoints or container URLs from an external network to confirm access is denied.
- Review change management records, audit logs, and security monitoring alerts for any instances where public access was enabled, including approval workflows and remediation actions taken.
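The export-and-check steps above (configuration export, then programmatic evaluation of the public access flags) can be automated against the exported records. The checker below is an added example, not part of this control page or any provider's tooling; the input records are constructed to resemble provider exports, and the field names it inspects are assumed to be the providers' own settings (Azure `allowBlobPublicAccess`, the four AWS S3 `PublicAccessBlockConfiguration` flags, and GCS `iamConfiguration.publicAccessPrevention`). An absent or unrecognised setting is treated as a finding, since the export then gives no evidence that public access is blocked.

```python
"""Evaluate exported storage-account configuration against the
"public access disabled" control. Added example; the records below
are constructed, not real accounts."""

# AWS S3 Block Public Access has four independent flags; all must be on.
AWS_BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                   "BlockPublicPolicy", "RestrictPublicBuckets")


def is_public_access_disabled(record):
    """Return True only when the export proves public access is blocked.
    A missing or unknown setting fails closed: an absent flag is not
    evidence of compliance, so the account is reported as a finding."""
    provider = record.get("provider")
    if provider == "azure":
        # Account-level flag must be explicitly False, not merely unset.
        return record.get("allowBlobPublicAccess") is False
    if provider == "aws":
        cfg = record.get("PublicAccessBlockConfiguration") or {}
        return all(cfg.get(flag) is True for flag in AWS_BLOCK_FLAGS)
    if provider == "gcp":
        # "inherited" defers to an org policy the export does not show.
        iam = record.get("iamConfiguration") or {}
        return iam.get("publicAccessPrevention") == "enforced"
    return False


def audit(records):
    """Return the names of accounts failing the control, in export order."""
    return [r["name"] for r in records if not is_public_access_disabled(r)]


# Constructed sample export covering compliant, non-compliant and unset cases.
SAMPLE_EXPORT = [
    {"provider": "azure", "name": "prodlogs", "allowBlobPublicAccess": False},
    {"provider": "azure", "name": "legacyweb", "allowBlobPublicAccess": True},
    {"provider": "azure", "name": "unsetacct"},  # flag absent from export
    {"provider": "aws", "name": "backups",
     "PublicAccessBlockConfiguration": {f: True for f in AWS_BLOCK_FLAGS}},
    {"provider": "aws", "name": "static-site",
     "PublicAccessBlockConfiguration": {
         "BlockPublicAcls": True, "IgnorePublicAcls": True,
         "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
    {"provider": "gcp", "name": "ml-datasets",
     "iamConfiguration": {"publicAccessPrevention": "enforced"}},
    {"provider": "gcp", "name": "public-assets",
     "iamConfiguration": {"publicAccessPrevention": "inherited"}},
]

if __name__ == "__main__":
    for name in audit(SAMPLE_EXPORT):
        print(f"FAIL: {name} does not block public access")
```

The finding list is the auditor's exception report; each named account should map to a change record or an approved exception in the review of step seven.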
Where this control is tested