Ensure Azure storage account does not allow blob containers with public access

Error: Azure storage account allows blob container with public access

Bridgecrew Policy ID: BC_AZR_NETWORKING_18
Checkov Check ID: CKV_AZURE_59
Severity: LOW

Azure storage account allows blob container with public access

Description

As a best practice, do not allow anonymous/public access to blob containers unless you have a very good reason. Instead, consider using a shared access signature (SAS) token to provide controlled, time-limited access to blob containers.

'Public access level' allows you to grant anonymous/public read access to a container and the blobs within Azure Blob Storage. By doing so, you grant read-only access to these resources without sharing your account key and without requiring a shared access signature.

Fix - Runtime

In Azure Console

  1. Log in to the Azure portal
  2. Navigate to 'Storage Accounts'
  3. Select the reported storage account
  4. Under 'Blob service' section, Select 'Containers'
  5. Select the blob container you need to modify
  6. Click on 'Change access level'
  7. Set 'Public access level' to 'Private (no anonymous access)'
  8. Click on 'OK'

Fix - Buildtime

Terraform

  • Resource: azurerm_storage_account
  • Argument: allow_blob_public_access
resource "azurerm_storage_account" "example" {
  ...
+ allow_blob_public_access = false
  ...
}
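The following is an added example, not code from this page or from the Checkov project: a small Python checker that applies the rule above to Terraform source, the way a buildtime scan would. It treats a storage account with the argument missing as a failure (the provider default does not forbid public containers), and it accepts either the argument name used on this page, `allow_blob_public_access` (azurerm provider 2.x), or `allow_nested_items_to_be_public`, the name the azurerm 3.x provider renamed it to. The Terraform text, the resource names and the minimal HCL parser are constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Argument names that control anonymous (public) blob container access on an
# azurerm_storage_account. allow_blob_public_access is the name used on this page
# (azurerm provider 2.x); provider 3.x renamed it allow_nested_items_to_be_public.
PUBLIC_ACCESS_ARGS = ("allow_blob_public_access", "allow_nested_items_to_be_public")

# Top-level resource block: header, then everything up to a closing brace at column 0.
_RESOURCE_RE = re.compile(
    r'^resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.MULTILINE | re.DOTALL,
)
# A flat `key = value` attribute line.
_ATTR_RE = re.compile(r"^(\w+)\s*=\s*(.+)$")


@dataclass
class Finding:
    resource: str   # e.g. "azurerm_storage_account.example"
    result: str     # "PASSED" or "FAILED"
    reason: str


def parse_resources(hcl: str):
    """Yield (type, name, attributes) for each top-level resource block.

    Deliberately minimal: `#` comments are stripped and only `key = value`
    lines are collected. Nested blocks are not tracked; their header line is
    ignored and their inner lines are read as if flat, which is harmless here.
    """
    for block in _RESOURCE_RE.finditer(hcl):
        attrs = {}
        for raw in block.group("body").splitlines():
            line = raw.split("#", 1)[0].strip()
            m = _ATTR_RE.match(line)
            if m and m.group(2).strip() != "{":
                attrs[m.group(1)] = m.group(2).strip().strip('"')
        yield block.group("type"), block.group("name"), attrs


def check_blob_public_access(hcl: str) -> list[Finding]:
    """Apply the CKV_AZURE_59 rule: every azurerm_storage_account must explicitly
    disable public blob access. A missing argument FAILS, because the provider
    default leaves public containers possible."""
    findings = []
    for rtype, name, attrs in parse_resources(hcl):
        if rtype != "azurerm_storage_account":
            continue
        rid = f"{rtype}.{name}"
        present = [a for a in PUBLIC_ACCESS_ARGS if a in attrs]
        if not present:
            findings.append(Finding(rid, "FAILED", "no public-access argument set (provider default applies)"))
        elif all(attrs[a].lower() == "false" for a in present):
            findings.append(Finding(rid, "PASSED", ", ".join(f"{a} = false" for a in present)))
        else:
            bad = [a for a in present if attrs[a].lower() != "false"]
            findings.append(Finding(rid, "FAILED", ", ".join(f"{a} = {attrs[a]}" for a in bad)))
    return findings


# Constructed sample Terraform for this example, not from any real deployment.
SAMPLE_HCL = '''
resource "azurerm_resource_group" "rg" {
  name     = "example-rg"
  location = "westeurope"
}

resource "azurerm_storage_account" "legacy_public" {
  name                     = "legacypublic"
  resource_group_name      = azurerm_resource_group.rg.name
  allow_blob_public_access = true   # anonymous container access permitted
}

resource "azurerm_storage_account" "unset" {
  name                = "unsetaccount"
  resource_group_name = azurerm_resource_group.rg.name
  tags = {
    env = "dev"
  }
}

resource "azurerm_storage_account" "hardened" {
  name                     = "hardenedaccount"
  resource_group_name      = azurerm_resource_group.rg.name
  allow_blob_public_access = false
}

resource "azurerm_storage_account" "hardened_v3" {
  name                            = "hardenedv3"
  resource_group_name             = azurerm_resource_group.rg.name
  allow_nested_items_to_be_public = false
}
'''


def results_by_resource(hcl: str = SAMPLE_HCL) -> dict[str, str]:
    """Convenience view: resource id -> PASSED/FAILED."""
    return {f.resource: f.result for f in check_blob_public_access(hcl)}


if __name__ == "__main__":
    for f in check_blob_public_access(SAMPLE_HCL):
        print(f"{f.result:6} {f.resource}: {f.reason}")
```

Running the block reports `legacy_public` and `unset` as FAILED and the two hardened accounts as PASSED; the `azurerm_resource_group` is ignored because the rule only applies to storage accounts. The same shape of check is what a pre-commit or CI scan would run on every plan before it reaches the portal steps above.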
