HIGH
Source
CloudSploit
ID
queue-service-all-access-acl

Queue Service All Access ACL

Ensures queues do not allow full write, delete, or read ACL permissions

Queues can be configured, through a stored access policy on the queue, to grant read (r), add (a), update (u) and process (p) rights to anyone holding a shared access signature tied to that policy; process includes getting and deleting messages, so a policy granting all four ("raup") allows full read, write and delete of queue contents. Such a policy should not be configured unless there is a strong business requirement; each policy should grant only the rights its consumer actually needs.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log into the Microsoft Azure Management Console.

  2. In the search bar at the top, search for Storage and select “Storage accounts” from the results.

  3. Select the storage account by clicking on its “Name” link to open its configuration.

  4. In the left navigation panel, scroll down and click “Queues” under “Data storage”.

  5. For the queue to check, click the triple dots (…) at the end of its row and click “Access policy”.

  6. On the “Access policy” panel, check the “Permissions” column of each stored access policy. A value of “raup” means the policy grants Read, Add, Update and Process (get and delete messages), i.e. full read, write and delete access to the queue, which is not in line with the security recommendation. The letters can appear in any order; any policy that lists all four is equally permissive.

  7. Click the triple dots (…) on that policy and click “Edit” to make changes.

  8. In the “Edit policy” pop-up, open the “Permissions” dropdown, uncheck the permissions the policy's consumers do not need so that it no longer grants all of Read, Add, Update and Process, then click “OK”.

  9. Click “Save” at the top to save the configuration changes.

  10. Repeat steps 5 to 9 for every other queue in the storage account (and steps 3 to 9 for each other storage account) to confirm that no queue allows full write, delete, or read ACL permissions.
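The portal steps above check one policy at a time. The following is an added example (not CloudSploit's own plugin code and not an Azure SDK) that applies the same test to a whole set of queue stored access policies at once: it flags any policy granting all of read, add, update and process, regardless of letter order or case, and builds the narrowed permission string for the remediation in step 8. It assumes the input has the shape printed by `az storage queue policy list -o json` (a mapping from policy id to an object with a "permission" string); the sample data is constructed for the demonstration.

```python
"""Evaluate Azure queue stored access policies for full-access ACLs.

Added example, not part of CloudSploit or Azure. Input is assumed to have the
shape printed by `az storage queue policy list -o json`: a mapping from policy
id to an object with a "permission" string (plus "start"/"expiry"). The sample
data below is constructed for the demonstration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# The four rights a queue stored access policy (or SAS) can grant.
# "raup" is the canonical order Azure documents for queue permission strings.
QUEUE_PERMISSION_ORDER = "raup"
QUEUE_PERMISSION_NAMES = {
    "r": "read",
    "a": "add",
    "u": "update",
    "p": "process (get and delete messages)",
}
FULL_ACCESS = frozenset(QUEUE_PERMISSION_ORDER)

# Constructed sample: what `az storage queue policy list` might print for three queues.
SAMPLE_ACL_JSON = json.dumps({
    "orders": {
        "full-access": {"permission": "raup", "start": None, "expiry": "2030-01-01T00:00:00+00:00"},
        "consumer":    {"permission": "rp",   "start": None, "expiry": "2030-01-01T00:00:00+00:00"},
    },
    "audit": {
        # Same four rights in a non-canonical order and upper case: still full access.
        "all-in-odd-order": {"permission": "PURA", "start": None, "expiry": None},
    },
    "empty": {},  # queue with no stored access policies at all
})


@dataclass(frozen=True)
class Finding:
    queue: str
    policy_id: str | None
    permission: str | None
    status: str  # "FAIL" or "PASS"
    message: str


def parse_permission(permission: str) -> frozenset[str]:
    """Return the set of granted rights, case- and order-insensitive.

    Unknown letters are rejected rather than ignored, so a typo or an
    unexpected value cannot make a policy look narrower than it is.
    """
    rights = frozenset(permission.lower())
    unknown = rights - FULL_ACCESS
    if unknown:
        raise ValueError(f"unknown queue permission(s): {''.join(sorted(unknown))}")
    return rights


def is_full_access(permission: str) -> bool:
    """True when the policy grants every queue right (read, add, update, process)."""
    return parse_permission(permission) == FULL_ACCESS


def narrow_permission(permission: str, keep: set[str]) -> str:
    """Drop every right not in `keep`; return the string in Azure's 'raup' order."""
    granted = parse_permission(permission) & frozenset(keep)
    return "".join(c for c in QUEUE_PERMISSION_ORDER if c in granted)


def evaluate(acl_by_queue: dict[str, dict[str, dict]]) -> list[Finding]:
    """Produce one finding per stored access policy (or per queue that has none)."""
    findings: list[Finding] = []
    for queue, policies in acl_by_queue.items():
        if not policies:
            findings.append(Finding(queue, None, None, "PASS",
                                    "Queue has no stored access policies"))
            continue
        for policy_id, policy in policies.items():
            permission = policy.get("permission") or ""
            if is_full_access(permission):
                findings.append(Finding(queue, policy_id, permission, "FAIL",
                                        "Policy grants full read, add, update and process access"))
            else:
                granted = parse_permission(permission)
                names = [QUEUE_PERMISSION_NAMES[c] for c in QUEUE_PERMISSION_ORDER if c in granted]
                findings.append(Finding(queue, policy_id, permission, "PASS",
                                        "Policy grants: " + (", ".join(names) or "nothing")))
    return findings


def evaluate_json(text: str) -> list[Finding]:
    """Convenience wrapper for JSON text such as the CLI output described above."""
    return evaluate(json.loads(text))


if __name__ == "__main__":
    for f in evaluate_json(SAMPLE_ACL_JSON):
        print(f"{f.status:4} {f.queue}/{f.policy_id or '-'} [{f.permission or '-'}] {f.message}")
```

The same data can be pulled and fixed from the Azure CLI instead of the portal: `az storage queue policy list --queue-name <queue> --account-name <account> -o json` prints each stored access policy with its permission string, and `az storage queue policy update --name <policy> --queue-name <queue> --account-name <account> --permissions <narrowed>` applies a narrower value such as the one `narrow_permission` produces. Keeping the letters in "raup" order avoids the service rejecting the string.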