Disallow anonymous access to blob service

Security · Storage Account · 2020_09

Storage Accounts should only accept authorized requests.

Description

Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted.

Anonymous access to blobs or containers can be restricted by setting AllowBlobPublicAccess to false. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously.

Recommendation

Consider disallowing anonymous access to storage account blobs unless specifically required. Also consider enforcing this setting using Azure Policy.

Examples

Configure with Azure template

To deploy Storage Accounts that pass this rule:

• Set the properties.allowBlobPublicAccess property to false.

For example:

Azure Template snippet

{
    "comments": "Storage Account",
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2019-06-01",
    "name": "st0000001",
    "location": "[parameters('location')]",
    "sku": {
        "name": "Standard_GRS",
        "tier": "Standard"
    },
    "kind": "StorageV2",
    "properties": {
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": false,
        "accessTier": "Hot"
    }
}

Configure with Bicep

To deploy Storage Accounts that pass this rule:

• Set the properties.allowBlobPublicAccess property to false.

For example:

Azure Bicep snippet

resource st0000001 'Microsoft.Storage/storageAccounts@2021-04-01' = {
  name: 'st0000001'
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    supportsHttpsTrafficOnly: true
    accessTier: 'Hot'
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}

Links

• Use Azure AD for storage authentication
• Allow or disallow public read access for a storage account
• Remediate anonymous public access
• Use Azure Policy to enforce authorized access
• Authorize access to blobs using Azure Active Directory
• Azure deployment reference

---

Last update: 2022-09-04

Comments