# Disallow anonymous access to blob service
Security · Storage Account · 2020_09
Storage Accounts should only accept authorized requests.
## Description
Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted.
Anonymous access to blobs or containers can be restricted by setting `AllowBlobPublicAccess` to `false`.
This enhanced security setting for a storage account overrides the individual settings for blob containers.
When you disallow public access for a storage account, blobs are no longer accessible anonymously.
## Recommendation
Consider disallowing anonymous access to storage account blobs unless specifically required. Also consider enforcing this setting using Azure Policy.
## Examples
### Configure with Azure template
To deploy Storage Accounts that pass this rule:
- Set the `properties.allowBlobPublicAccess` property to `false`.
For example:
```json
{
    "comments": "Storage Account",
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2019-06-01",
    "name": "st0000001",
    "location": "[parameters('location')]",
    "sku": {
        "name": "Standard_GRS",
        "tier": "Standard"
    },
    "kind": "StorageV2",
    "properties": {
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": false,
        "accessTier": "Hot"
    }
}
```
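A static check that applies this rule to an ARM template before deployment is useful in a pipeline. The script below is an added example, not part of this page or of the PSRule project itself: it walks the `resources` array, selects `Microsoft.Storage/storageAccounts` resources and reports each one that does not set `properties.allowBlobPublicAccess` explicitly to `false`. The sample template and the resource names other than `st0000001` are constructed for the example; treating a missing property or a parameter expression as a failure is an assumption chosen here so that the check is conservative.

```python
import json

STORAGE_TYPE = "Microsoft.Storage/storageAccounts"

# Constructed sample template (not a real deployment): one compliant account,
# one that explicitly allows public access, one that leaves the property unset,
# and an unrelated resource that the check must ignore.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2019-06-01",
            "name": "st0000001",
            "kind": "StorageV2",
            "properties": {"supportsHttpsTrafficOnly": True, "allowBlobPublicAccess": False},
        },
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2019-06-01",
            "name": "stpublic",  # constructed name
            "kind": "StorageV2",
            "properties": {"supportsHttpsTrafficOnly": True, "allowBlobPublicAccess": True},
        },
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2019-06-01",
            "name": "stunset",  # constructed name
            "kind": "StorageV2",
            "properties": {"supportsHttpsTrafficOnly": True},
        },
        {
            "type": "Microsoft.KeyVault/vaults",
            "apiVersion": "2019-09-01",
            "name": "kv1",  # constructed name
            "properties": {},
        },
    ],
}


def check_blob_public_access(template: dict) -> list:
    """Evaluate every storage account in an ARM template against the rule.

    Returns one result per storage account: {"name", "status", "reason"}.
    Only an explicit boolean false passes. An absent property, a true value,
    or an ARM expression string such as "[parameters('x')]" (which cannot be
    evaluated statically) is reported as a failure; this conservative handling
    is an assumption of this example, not a statement about PSRule's behaviour.
    """
    results = []
    for resource in template.get("resources", []):
        if str(resource.get("type", "")).lower() != STORAGE_TYPE.lower():
            continue  # the rule only targets storage accounts
        props = resource.get("properties") or {}
        value = props.get("allowBlobPublicAccess")
        if value is False:
            status, reason = "Pass", "allowBlobPublicAccess is false"
        elif value is None:
            status, reason = "Fail", "allowBlobPublicAccess is not set"
        elif isinstance(value, str) and value.startswith("["):
            status, reason = "Fail", f"allowBlobPublicAccess is an expression ({value}); cannot verify statically"
        else:
            status, reason = "Fail", f"allowBlobPublicAccess is {json.dumps(value)}"
        results.append({"name": resource.get("name"), "status": status, "reason": reason})
    return results


def failing_accounts(template: dict) -> list:
    """Names of storage accounts in the template that do not pass the rule."""
    return [r["name"] for r in check_blob_public_access(template) if r["status"] == "Fail"]


def check_template_text(text: str) -> list:
    """Convenience wrapper for a template loaded from a file or pipeline artefact."""
    return check_blob_public_access(json.loads(text))


if __name__ == "__main__":
    for r in check_blob_public_access(SAMPLE_TEMPLATE):
        print(f"{r['status']:4}  {r['name']:12}  {r['reason']}")
```

In a CI job the same function can be pointed at the template produced by `bicep build`, which lets the check run on Bicep-authored deployments too.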
### Configure with Bicep
To deploy Storage Accounts that pass this rule:
- Set the `properties.allowBlobPublicAccess` property to `false`.
For example:
```bicep
resource st0000001 'Microsoft.Storage/storageAccounts@2021-04-01' = {
  name: 'st0000001'
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    supportsHttpsTrafficOnly: true
    accessTier: 'Hot'
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}
```
## Links
- Use Azure AD for storage authentication
- Allow or disallow public read access for a storage account
- Remediate anonymous public access
- Use Azure Policy to enforce authorized access
- Authorize access to blobs using Azure Active Directory
- Azure deployment reference