'Blob public access' should be disabled for storage accounts with blob containers
Description
Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account.
Default Value
By default, Public access level is set to Private (no anonymous access) for blob containers, and AllowBlobPublicAccess is set to Null (allow in effect) for storage accounts.
Rationale
It is recommended that you avoid providing anonymous access to blob containers unless necessary. A Shared Access Signature (SAS) token or Azure AD RBAC should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on any container in the storage account, it is recommended to set allowBlobPublicAccess to false at the account level, which prevents any container from accepting anonymous access in the future.
Impact
Access must be managed using shared access signatures or with Azure AD RBAC.
From the console
Note: You must create a SAS token for your blob containers before completing the following remediation steps.
- Go to Storage Accounts.
- For each storage account, go to Configuration in the side panel.
- Set Allow Blob public access to Disabled.
From the command line
First, follow Microsoft documentation and create SAS tokens for your blob containers. Then set Allow Blob Public Access to false on the storage account:
az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access false
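The audit side of this control is easy to get wrong, because the default value described above is Null rather than false, and Null still means anonymous access is allowed in effect. The following script is an added example, not part of the benchmark and not Microsoft tooling: it evaluates the compliance rule over a constructed JSON array shaped like the output of `az storage account list` (only the `name`, `resourceGroup` and `allowBlobPublicAccess` fields are included, and the account names are invented) and emits the exact `az storage account update` command from this page for each non-compliant account. It makes no calls to Azure; in practice you would feed it the real CLI output instead of the embedded sample.

```python
import json

# Constructed sample modelled on `az storage account list` output (not real data).
# It covers the three states the check must distinguish: explicit false,
# explicit true, and the default null, plus an object with the property absent.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stgprodlogs",  "resourceGroup": "rg-prod",   "allowBlobPublicAccess": false},
  {"name": "stgpublicweb", "resourceGroup": "rg-web",    "allowBlobPublicAccess": true},
  {"name": "stglegacy",    "resourceGroup": "rg-legacy", "allowBlobPublicAccess": null},
  {"name": "stgnokey",     "resourceGroup": "rg-misc"}
]
"""


def is_compliant(account: dict) -> bool:
    """Return True only when anonymous blob access is explicitly disabled.

    Only an explicit false disables public access at the account level.
    Null (the default, "allow in effect") and a missing property both leave
    container-level public access settings able to take effect, so both are
    treated as non-compliant.
    """
    return account.get("allowBlobPublicAccess") is False


def remediation_command(account: dict) -> str:
    """Build the account-level remediation command shown on this page."""
    return (
        f"az storage account update --name {account['name']} "
        f"--resource-group {account['resourceGroup']} "
        "--allow-blob-public-access false"
    )


def audit(accounts_json: str) -> list:
    """Return one finding per non-compliant storage account.

    Each finding records the observed property value so that a reviewer can
    see whether the account was explicitly opened (true) or merely left at the
    default (null / absent).
    """
    findings = []
    for account in json.loads(accounts_json):
        if is_compliant(account):
            continue
        findings.append({
            "name": account["name"],
            "resourceGroup": account["resourceGroup"],
            "allowBlobPublicAccess": account.get("allowBlobPublicAccess"),
            "remediation": remediation_command(account),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS_JSON):
        print(f"{finding['name']} ({finding['resourceGroup']}): "
              f"allowBlobPublicAccess={finding['allowBlobPublicAccess']}")
        print(f"  {finding['remediation']}")
```

After remediation, the same rule can be re-checked per account with `az storage account show --name <storage-account> --resource-group <resource-group> --query allowBlobPublicAccess`, which must print `false` (not `null`) for the account to pass.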
References
- https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
- https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent
- https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy
- https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls
- https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure
- https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access