
Use private blob containers#

Security · Storage Account · Azure.Storage.BlobAccessType

Storage Accounts use containers configured with an access type other than Private.

Description#

Azure Storage Account blob containers use the Private access type by default. The additional access types, Blob and Container, allow anonymous (unauthenticated) read access: Blob exposes individual blobs to anyone who knows their URL, and Container additionally allows anyone to list the blobs in the container. Neither access type is intended for customer data.

Blob and Container access types are designed for public access scenarios, for example storing web assets such as .css and .js files used by public websites.

Recommendation#

To provide secure access to data, always use the Private access type (the default). Use Shared Access Signatures (SAS) to grant scoped, time-limited access to individual blobs or containers as required.

Consider storing SAS tokens securely in a key vault, rotating them regularly, and allowing only approved applications to retrieve them.

Examples#

Azure templates#

To deploy storage account blob containers that pass this rule:

  • Set the properties.publicAccess property to None.

For example:

```json
{
    "comments": "Create a blob container",
    "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
    "apiVersion": "2019-06-01",
    "name": "[concat(parameters('storageAccountName'), '/default/', parameters('containerName'))]",
    "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('storageAccountName'), 'default')]",
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
    ],
    "properties": {
        "publicAccess": "None"
    }
}
```
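The following is an added example, not part of PSRule for Azure or the page's own template, showing how a pre-deployment check for this rule could be written by hand. It walks an ARM template (including resources nested under a storage account, whose `type` is relative to the parent) and reports any blob container whose `properties.publicAccess` is not `None`. A container that omits the property passes, since the service default is Private; a value that is still a template expression such as `[parameters('containerAccess')]` cannot be evaluated offline and is reported for manual review. The template below is constructed for the example, and the account and container names in it are placeholders.

```python
"""Flag ARM template blob containers that are not deployed with publicAccess None.

Added example, not PSRule for Azure's own implementation.
"""
import json

CONTAINER_TYPE = "microsoft.storage/storageaccounts/blobservices/containers"

# Constructed sample template: one explicitly private container, one that
# relies on the default (property omitted), one public Blob container and one
# nested container whose value is an unresolved template expression.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
      "apiVersion": "2019-06-01",
      "name": "stexample/default/private-explicit",
      "properties": { "publicAccess": "None" }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
      "apiVersion": "2019-06-01",
      "name": "stexample/default/private-default",
      "properties": {}
    },
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
      "apiVersion": "2019-06-01",
      "name": "stexample/default/web-assets",
      "properties": { "publicAccess": "Blob" }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "name": "stexample",
      "resources": [
        {
          "type": "blobServices/containers",
          "apiVersion": "2019-06-01",
          "name": "default/from-parameter",
          "properties": { "publicAccess": "[parameters('containerAccess')]" }
        }
      ]
    }
  ]
}
""")


def _walk(resources, parent_type=""):
    """Yield (fully qualified type, resource) for every resource, nested ones included.

    Nested resources declare their type relative to the parent, so the parent
    type is prepended to rebuild the full resource type.
    """
    for res in resources:
        rtype = res.get("type", "")
        full_type = f"{parent_type}/{rtype}" if parent_type else rtype
        yield full_type, res
        yield from _walk(res.get("resources", []), full_type)


def find_public_containers(template):
    """Return a finding per container whose publicAccess is not None.

    Omitted publicAccess passes (service default is Private). Template
    expressions cannot be resolved here and are reported for manual review.
    """
    findings = []
    for full_type, res in _walk(template.get("resources", [])):
        if full_type.lower() != CONTAINER_TYPE:
            continue
        access = (res.get("properties") or {}).get("publicAccess")
        if access is None:
            continue
        if isinstance(access, str) and access.startswith("["):
            reason = "unresolved template expression; verify it evaluates to None"
        elif access != "None":
            reason = "anonymous access enabled"
        else:
            continue
        findings.append({"name": res.get("name"), "publicAccess": access, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_public_containers(SAMPLE_TEMPLATE):
        print(f"{finding['name']}: publicAccess={finding['publicAccess']} ({finding['reason']})")
```

Run against the sample template, the script reports `web-assets` (Blob) and the nested `from-parameter` container (unresolved expression), and passes both private containers. In a pipeline, a non-empty result should fail the build before the template is deployed.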

Last update: 2021-09-24