Ensure Azure storage account does not allow blob containers with public access
Error: Azure storage account allows blob container with public access
Bridgecrew Policy ID: BC_AZR_NETWORKING_18
Checkov Check ID: CKV_AZURE_59
Severity: LOW
Azure storage account allows blob container with public access
Description
As a best practice, do not allow anonymous/public access to blob containers unless you have a very good reason. Instead, you should consider using a shared access signature token for providing controlled and time-limited access to blob containers.

'Public access level' allows you to grant anonymous/public read access to a container and the blobs within Azure blob storage. By doing so, you can grant read-only access to these resources without sharing your account key, and without requiring a shared access signature.
Fix - Runtime
In Azure Console
- Log in to the Azure portal
- Navigate to 'Storage Accounts'
- Select the reported storage account
- Under 'Blob service' section, Select 'Containers'
- Select the blob container you need to modify
- Click on 'Change access level'
- Set 'Public access level' to 'Private (no anonymous access)'
- Click on 'OK'
Fix - Buildtime
Terraform
- Resource: azurerm_storage_account
- Argument: allow_blob_public_access
resource "azurerm_storage_account" "example" {
...
+ allow_blob_public_access = false
...
}
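As an added illustration (not Checkov's implementation and not code from this page), the script below reproduces the intent of CKV_AZURE_59 over a constructed Terraform sample: every azurerm_storage_account resource passes only when allow_blob_public_access is explicitly false. The regex-based block parser and the rule that a missing argument counts as a finding are assumptions of this example.

```python
import re

# Constructed sample Terraform (not from the page): one account that omits the
# argument, one that sets it to true, and one fixed as the page describes.
SAMPLE_TF = '''
resource "azurerm_storage_account" "legacy" {
  name                     = "legacyacct"
  resource_group_name      = "rg-example"
  location                 = "westeurope"
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_storage_account" "public" {
  name                     = "publicacct"
  allow_blob_public_access = true
}

resource "azurerm_storage_account" "fixed" {
  name                     = "fixedacct"
  allow_blob_public_access = false
}
'''

# Matches a top-level storage account block up to its closing brace at column 0.
BLOCK_RE = re.compile(
    r'resource\s+"azurerm_storage_account"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
# Matches the argument on its own line with a literal true/false value.
ARG_RE = re.compile(r'^\s*allow_blob_public_access\s*=\s*(true|false)\s*$', re.MULTILINE)


def check_public_blob_access(tf_source):
    """Return {resource_name: "PASSED" | "FAILED"} for each storage account.
    Assumption of this example: a missing allow_blob_public_access is a
    FAILED result, because the provider default for the argument was true."""
    results = {}
    for match in BLOCK_RE.finditer(tf_source):
        arg = ARG_RE.search(match.group("body"))
        passed = arg is not None and arg.group(1) == "false"
        results[match.group("name")] = "PASSED" if passed else "FAILED"
    return results


if __name__ == "__main__":
    for name, status in check_public_blob_access(SAMPLE_TF).items():
        print(f"CKV_AZURE_59 azurerm_storage_account.{name}: {status}")
```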