Disallow anonymous access to blob service

Security · Storage Account · Rule · 2020_09 · Important

Storage Accounts should only accept authorized requests.

Description

Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted.

Anonymous access to blobs or containers can be restricted by setting allowBlobPublicAccess to false. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously.

Recommendation

Consider disallowing anonymous access to storage account blobs unless specifically required. Also consider enforcing this setting using Azure Policy.

Examples

Configure with Azure template

To deploy Storage Accounts that pass this rule:

  • Set the properties.allowBlobPublicAccess property to false.

For example:

Azure Template snippet
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_GRS"
  },
  "kind": "StorageV2",
  "properties": {
    "allowBlobPublicAccess": false,
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "accessTier": "Hot",
    "allowSharedKeyAccess": false,
    "networkAcls": {
      "defaultAction": "Deny"
    }
  }
}

Configure with Bicep

To deploy Storage Accounts that pass this rule:

  • Set the properties.allowBlobPublicAccess property to false.

For example:

Azure Bicep snippet
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    accessTier: 'Hot'
    allowSharedKeyAccess: false
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}
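The template and Bicep examples above both come down to one check: every storage account sets properties.allowBlobPublicAccess to false. The following is an added example of that check as a small pre-deployment linter over an ARM template (compiled Bicep produces the same JSON); it is not PSRule code, and the template it scans is constructed inline. As an assumption, a storage account with the property missing is also reported, so the owner sets it deliberately rather than relying on a platform default.

```python
import json

# Constructed sample ARM template (not from the page): one compliant and two
# non-compliant storage accounts, plus an unrelated resource that is ignored.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "stgood",
         "properties": {"allowBlobPublicAccess": False}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "stopen",
         "properties": {"allowBlobPublicAccess": True}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "stunset",
         "properties": {"supportsHttpsTrafficOnly": True}},
        {"type": "Microsoft.KeyVault/vaults", "name": "kv1", "properties": {}},
    ]
})

STORAGE_TYPE = "microsoft.storage/storageaccounts"


def iter_resources(resources):
    """Walk the resources array, descending into nested child resources."""
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))


def check_blob_public_access(template_json):
    """Return a list of (name, reason) for storage accounts that would fail the rule.

    Assumption (hypothetical checker, not PSRule itself): a storage account passes
    only when properties.allowBlobPublicAccess is explicitly false. A missing
    property, or a template expression in its place, is reported as a finding.
    """
    template = json.loads(template_json)
    findings = []
    for res in iter_resources(template.get("resources")):
        if str(res.get("type", "")).lower() != STORAGE_TYPE:
            continue
        props = res.get("properties") or {}
        name = res.get("name", "<unnamed>")
        if "allowBlobPublicAccess" not in props:
            findings.append((name, "allowBlobPublicAccess not set"))
        elif props["allowBlobPublicAccess"] is not False:
            findings.append((name, "allowBlobPublicAccess is %r" % props["allowBlobPublicAccess"]))
    return findings


if __name__ == "__main__":
    for name, reason in check_blob_public_access(SAMPLE_TEMPLATE):
        print(f"FAIL {name}: {reason}")
```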

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, use the following syntax:

br/public:avm/res/storage/storage-account:<version>

To use the latest version:

br/public:avm/res/storage/storage-account:0.9.1

Configure with Azure Policy

To address this issue at runtime, use the following policies:
