Use private blob containers#
Security · Storage Account · 2020_06
Use containers configured with a private access type that requires authorization.
Description#
Azure Storage Account blob containers use the Private access type by default. Additional access types Blob and Container provide anonymous access to blobs without authorization. Blob and Container access types are not intended for access to customer data. When authorization is required, clients must use cryptographic keys or identity-based tokens to authenticate.
Blob and Container access types are designed for public access scenarios. For example, storage of web assets like .css and .js files used in public websites.
Recommendation#
To provide secure access to data always use the Private access type (default). Also consider, disabling public access for the storage account.
Examples#
Configure with Azure template#
To deploy Storage Account blob containers that pass this rule:
- Set the
properties.publicAccess
property toNone
.
For example:
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2021-06-01",
"name": "[format('{0}/{1}/{2}', parameters('name'), 'default', variables('containerName'))]",
"properties": {
"publicAccess": "None"
},
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('name'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]"
]
}
Configure with Bicep#
To deploy Storage Account blob containers that pass this rule:
- Set the
properties.publicAccess
property toNone
.
For example:
resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-06-01' = {
parent: blobService
name: containerName
properties: {
publicAccess: 'None'
}
}
Links#
- Authentication with Azure AD
- About anonymous public read access
- Use Azure Policy to enforce authorized access
- How a shared access signature works
- Azure deployment reference