# Disallow anonymous access to blob service
Security · Storage Account · Rule · 2020_09
Storage Accounts should only accept authorized requests.
## Description
Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted.
Anonymous access to blobs or containers can be restricted by setting `allowBlobPublicAccess` to `false`.
This enhanced security setting for a storage account overrides the individual settings for blob containers.
When you disallow public access for a storage account, blobs are no longer accessible anonymously.
## Recommendation
Consider disallowing anonymous access to storage account blobs unless specifically required. Also consider enforcing this setting using Azure Policy.
## Examples

### Configure with Azure template
To deploy Storage Accounts that pass this rule:
- Set the `properties.allowBlobPublicAccess` property to `false`.
For example:
```json
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_GRS"
  },
  "kind": "StorageV2",
  "properties": {
    "allowBlobPublicAccess": false,
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "accessTier": "Hot",
    "allowSharedKeyAccess": false,
    "networkAcls": {
      "defaultAction": "Deny"
    }
  }
}
```
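The rule boils down to one check per storage account resource: `properties.allowBlobPublicAccess` must be explicitly `false`. The following Python evaluator is an added example, not part of this page or the rule's own implementation; it runs that check over a constructed ARM template fragment and treats an absent property as a failure (an assumption made here, since the rule asks for the value to be set rather than left to service defaults).

```python
import json
from typing import Any

# Constructed sample ARM template fragment (not from the page): one compliant
# account, one with the property missing, one explicitly allowing public
# access, and an unrelated resource type that the check must skip.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "stgood",
         "properties": {"allowBlobPublicAccess": False}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "stmissing",
         "properties": {"supportsHttpsTrafficOnly": True}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "stpublic",
         "properties": {"allowBlobPublicAccess": True}},
        {"type": "Microsoft.KeyVault/vaults", "name": "kv", "properties": {}},
    ]
})

# ARM resource types are compared case-insensitively.
STORAGE_TYPE = "microsoft.storage/storageaccounts"


def check_blob_public_access(resource: dict[str, Any]) -> tuple[bool, str]:
    """Return (passed, reason) for a single storage account resource.

    Passes only when properties.allowBlobPublicAccess is explicitly false.
    An absent property fails (assumption: the rule wants the value set).
    """
    value = resource.get("properties", {}).get("allowBlobPublicAccess")
    if value is False:
        return True, "allowBlobPublicAccess is false"
    if value is None:
        return False, "allowBlobPublicAccess is not set"
    return False, f"allowBlobPublicAccess is {json.dumps(value)}"


def evaluate_template(template_json: str) -> dict[str, tuple[bool, str]]:
    """Evaluate every storage account in an ARM template, keyed by name."""
    template = json.loads(template_json)
    results: dict[str, tuple[bool, str]] = {}
    for resource in template.get("resources", []):
        if resource.get("type", "").lower() != STORAGE_TYPE:
            continue  # other resource types are out of scope for this rule
        results[resource["name"]] = check_blob_public_access(resource)
    return results


if __name__ == "__main__":
    for name, (passed, reason) in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{'PASS' if passed else 'FAIL'} {name}: {reason}")
```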
### Configure with Bicep
To deploy Storage Accounts that pass this rule:
- Set the `properties.allowBlobPublicAccess` property to `false`.
For example:
```bicep
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    accessTier: 'Hot'
    allowSharedKeyAccess: false
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}
```
## Links
- Use Azure AD for storage authentication
- Allow or disallow public read access for a storage account
- Remediate anonymous public access
- Use Azure Policy to enforce authorized access
- Authorize access to blobs using Azure Active Directory
- Azure deployment reference