🔵 CIS Azure 3.1 | Rule: AZ-STG-001 | Severity: critical

Ensure Storage Accounts disallow public blob access

Description

Azure Storage accounts should have public blob access disabled.

⚠️ Risk Impact

Publicly accessible blobs expose sensitive data including backups, logs, and application assets.

🔍 How EchelonGraph Detects This

AZ-STG-001 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Azure accounts. Violations are flagged as critical-severity findings with remediation guidance.

🔧 Remediation

Disable anonymous access at the account level: az storage account update --name ACCOUNT --allow-blob-public-access false

💀 Real-World Attack Scenario

A DevOps engineer created an Azure Storage container for CI/CD artifacts with public blob access. The container included deployment scripts containing database connection strings, API keys, and internal certificates. An automated scanner discovered the container and extracted all credentials within minutes.

💰 Cost of Non-Compliance

Microsoft reports thousands of publicly accessible storage accounts discovered monthly. Average public storage breach cost: $3.8M. GDPR fines for exposed EU personal data: up to €20M.

📋 Audit Questions

  1. Which storage accounts allow public blob access?
  2. Is the Azure Policy 'Storage accounts should not allow public blob access' enforced?
  3. Are there any containers with anonymous read access?

🎯 MITRE ATT&CK Mapping

T1530 — Data from Cloud Storage
T1552 — Unsecured Credentials

⚡ Common Pitfalls

  • Disabling public access at the account level while individual containers are still set to the Blob or Container public access level
  • Not using Azure Private Endpoints for storage access from VNets
  • Conflating static website hosting, which legitimately requires public access, with general data storage
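As an added example (not EchelonGraph's code and not part of the original rule page) of how the audit questions and the account-versus-container pitfall above can be checked from az CLI output: the helper below reads the JSON shapes that az storage account list (the allowBlobPublicAccess property) and az storage container list (properties.publicAccess) return, which is an assumption about those commands' output, and reports account-level findings as critical and container-level public settings as critical or latent depending on whether the account still allows them. The account and container names are constructed sample data.

```python
"""Audit helper for AZ-STG-001: flag storage accounts and containers that allow
anonymous blob access, using the JSON that the az CLI returns.

Assumed input shapes (assumption, modelled on az CLI JSON output):
  az storage account list -o json
      -> list of {"name": ..., "allowBlobPublicAccess": bool | None, ...}
  az storage container list --account-name A -o json
      -> list of {"name": ..., "properties": {"publicAccess": "blob" | "container" | None}}
"""

# Constructed sample data standing in for the two az commands above (not real accounts).
SAMPLE_ACCOUNTS = [
    {"name": "stprodbackups", "allowBlobPublicAccess": True},     # account-level public access on
    {"name": "stcicdartifacts", "allowBlobPublicAccess": False},  # disabled at account level
    {"name": "stlegacylogs"},                                     # property never set
]
SAMPLE_CONTAINERS = {
    "stprodbackups": [{"name": "backups", "properties": {"publicAccess": "container"}}],
    "stcicdartifacts": [
        {"name": "scripts", "properties": {"publicAccess": "blob"}},  # latent: blocked by account setting
        {"name": "private", "properties": {"publicAccess": None}},
    ],
    "stlegacylogs": [],
}


def account_allows_public(acct):
    """True unless allowBlobPublicAccess is explicitly False.

    A missing value is treated as a finding: the control requires the property
    to be set to false, and an unset value cannot be assumed safe."""
    return acct.get("allowBlobPublicAccess") is not False


def audit(accounts, containers_by_account):
    """Return a list of findings. Each finding carries the account, the container
    (None for account-level findings), a severity, a detail string and the
    az CLI command that remediates it."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        allows = account_allows_public(acct)
        if allows:
            findings.append({
                "account": name, "container": None, "severity": "critical",
                "detail": "allowBlobPublicAccess is not false at the account level",
                "fix": f"az storage account update --name {name} --allow-blob-public-access false",
            })
        for cont in containers_by_account.get(name, []):
            level = (cont.get("properties") or {}).get("publicAccess")
            if not level:  # None or "" means the container is private
                continue
            # A container-level public setting is only reachable while the account allows it;
            # otherwise it is a latent exposure that returns the moment the account setting flips.
            findings.append({
                "account": name, "container": cont["name"],
                "severity": "critical" if allows else "latent",
                "detail": f"container publicAccess={level}"
                          + ("" if allows else " (currently blocked by the account-level setting)"),
                "fix": (f"az storage container set-permission --name {cont['name']} "
                        f"--account-name {name} --public-access off"),
            })
    return findings


def render(findings):
    """Format findings one per entry, critical first, each with its fix command."""
    order = {"critical": 0, "latent": 1}
    lines = []
    for f in sorted(findings, key=lambda f: (order[f["severity"]], f["account"])):
        target = f["account"] + (f"/{f['container']}" if f["container"] else "")
        lines.append(f"[{f['severity']}] {target}: {f['detail']}\n    fix: {f['fix']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(audit(SAMPLE_ACCOUNTS, SAMPLE_CONTAINERS)))
```

Feeding it the real output of the two az commands (one container listing per account) answers audit questions 1 and 3 directly, and the "latent" class is what the first pitfall describes: containers whose Blob or Container access level is currently masked by the account setting but should still be set back to off.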

📈 Business Value

Eliminating public blob access prevents the #1 Azure data exposure vector. Azure Private Endpoints provide secure, private connectivity without any public exposure.

⏱️ Effort Estimate

Manual

1-2 hours to audit and update storage accounts

With EchelonGraph

EchelonGraph detects public storage accounts across all subscriptions

🔗 Cross-Framework References

SOC2 CC6.1
ISO 27001 A.8.2.3
GDPR Art. 32

Automate CIS Azure 3.1 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
