
# Use private blob containers

Security · Storage Account · Rule · 2020_06 · Important

Use containers configured with a private access type that requires authorization.

## Description

Azure Storage Account blob containers use the Private access type by default. The additional access types, Blob and Container, allow anonymous access to blobs without authorization and are not intended for access to customer data. When authorization is required, clients must authenticate with cryptographic keys or identity-based tokens.

The Blob and Container access types are designed for public access scenarios, for example storing web assets such as .css and .js files used by public websites.

## Recommendation

To provide secure access to data, always use the Private access type (the default). Also consider disabling public access for the storage account.

## Examples

### Configure with Azure template

To deploy Storage Account blob containers that pass this rule:

  • Set the properties.publicAccess property to None.

For example:

Azure Template snippet:

```json
{
  "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
  "apiVersion": "2021-06-01",
  "name": "[format('{0}/{1}/{2}', parameters('name'), 'default', variables('containerName'))]",
  "properties": {
    "publicAccess": "None"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('name'), 'default')]",
    "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]"
  ]
}
```

### Configure with Bicep

To deploy Storage Account blob containers that pass this rule:

  • Set the properties.publicAccess property to None.

For example:

Azure Bicep snippet:

```bicep
resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-06-01' = {
  parent: blobService
  name: containerName
  properties: {
    publicAccess: 'None'
  }
}
```
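As an added example (not part of the PSRule documentation or the rule's own implementation), the following Python script performs the same check the rule and recommendation above describe against an ARM template before deployment: it flags any container resource whose `properties.publicAccess` is `Blob` or `Container`, and, as the account-level hardening the recommendation suggests, any storage account that does not explicitly set `properties.allowBlobPublicAccess` to `false`. The template embedded in the script is constructed for illustration; the resource names in it are made up.

```python
"""Audit an ARM template for blob containers that allow anonymous access.

Added example, not part of the PSRule for Azure project. The embedded sample
template is constructed for illustration only.
"""
import json
import sys

CONTAINER_TYPE = "Microsoft.Storage/storageAccounts/blobServices/containers"
ACCOUNT_TYPE = "Microsoft.Storage/storageAccounts"

# publicAccess values that expose blobs to anonymous (unauthenticated) clients.
ANONYMOUS_ACCESS = {"blob", "container"}


def iter_resources(resources):
    """Yield every resource in a template, descending into nested child resources."""
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))


def audit_template(template):
    """Return a list of findings for resources that permit anonymous blob access."""
    findings = []
    for res in iter_resources(template.get("resources")):
        rtype = res.get("type", "").lower()
        props = res.get("properties") or {}
        name = res.get("name", "<unnamed>")
        if rtype == CONTAINER_TYPE.lower():
            # An omitted publicAccess falls back to the service default (Private),
            # so only an explicit Blob or Container value is a finding.
            access = str(props.get("publicAccess", "None"))
            if access.lower() in ANONYMOUS_ACCESS:
                findings.append({
                    "resource": name,
                    "type": CONTAINER_TYPE,
                    "reason": f"publicAccess is '{access}'; set it to 'None'",
                })
        elif rtype == ACCOUNT_TYPE.lower():
            # Defence in depth: require the account itself to explicitly disable
            # anonymous blob access so a misconfigured container cannot expose data.
            if props.get("allowBlobPublicAccess") is not False:
                findings.append({
                    "resource": name,
                    "type": ACCOUNT_TYPE,
                    "reason": "allowBlobPublicAccess is not explicitly false",
                })
    return findings


# Constructed sample template: one account that still allows public access,
# one compliant container, one anonymous container and one with the default.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-06-01",
      "name": "stexample",
      "properties": { "allowBlobPublicAccess": true }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
      "apiVersion": "2021-06-01",
      "name": "stexample/default/customer-data",
      "properties": { "publicAccess": "None" }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
      "apiVersion": "2021-06-01",
      "name": "stexample/default/web-assets",
      "properties": { "publicAccess": "Blob" }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
      "apiVersion": "2021-06-01",
      "name": "stexample/default/logs",
      "properties": {}
    }
  ]
}
""")


def main(argv):
    """Audit the template at argv[1], or the embedded sample when no path is given."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    findings = audit_template(template)
    for f in findings:
        print(f"{f['type']} '{f['resource']}': {f['reason']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a template path to gate a deployment pipeline (a non-zero exit code means a finding), or with no arguments to see it report the `web-assets` container and the `stexample` account from the sample while passing the container that relies on the Private default.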
