Ensure public access level for Blob Containers is set to private

Error: Public access level for Blob Containers is not set to private

Bridgecrew Policy ID: BC_AZR_NETWORKING_14
Checkov Check ID: CKV_AZURE_34
Bridgecrew Severity: CRITICAL
Prisma Cloud Severity: HIGH

Description

Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key or requiring a shared access signature.

We recommend you do not provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers.

Fix - Runtime

Azure Portal

To begin, follow Microsoft documentation and create shared access signature tokens for your blob containers. When complete, change the policy using the Azure Portal to deny anonymous access following these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Navigate to Storage Accounts.
  3. For each storage account:
    a) Navigate to BLOB SERVICE.
    b) Select Containers.
    c) For each Container:
      (i) Click Access policy.
      (ii) Set Public Access Level to Private.

CLI Command

To set the public access level of a specific blob container to private (off), run the following command with the container's name and the storage account's name and key:

az storage container set-permission \
  --name <containerName> \
  --public-access off \
  --account-name <accountName> \
  --account-key <accountKey>

Fix - Buildtime

Terraform

  • Resource: azurerm_storage_container
  • Argument: container_access_type

resource "azurerm_storage_container" "example" {
    ...
+   container_access_type = "private"
}
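As an added example that is not part of this page or of Checkov's own source, the following script applies the CKV_AZURE_34 logic to Terraform text: it finds each azurerm_storage_container block, reads container_access_type and flags "blob" and "container". It assumes the azurerm provider default of "private" for an omitted argument, and the Terraform sample inside it is constructed for the demonstration.

```python
"""
Added example (not the page's or Checkov's own code): scan Terraform source
for azurerm_storage_container blocks and report the ones whose
container_access_type allows anonymous read access ("blob" or "container").
"""
import re

# Sample Terraform (constructed for this example): one explicitly private
# container, one relying on the provider default, two allowing public reads.
SAMPLE_TF = '''
resource "azurerm_storage_container" "locked_down" {
  container_access_type = "private"
}

resource "azurerm_storage_container" "uses_default" {
  storage_account_name = azurerm_storage_account.example.name
}

resource "azurerm_storage_container" "public_blobs" {
  container_access_type = "blob"
}

resource "azurerm_storage_container" "public_listing" {
  container_access_type = "container"
}
'''

# One resource block: captures the resource name and the body up to the
# closing brace at the start of a line.
_BLOCK = re.compile(
    r'resource\s+"azurerm_storage_container"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
_ACCESS = re.compile(r'^\s*container_access_type\s*=\s*"(?P<value>[^"]*)"', re.MULTILINE)


def evaluate_access_type(value):
    """Return 'PASSED' only when the container denies anonymous access."""
    # Assumption: an omitted argument takes the azurerm default, "private".
    if value is None or value == "private":
        return "PASSED"
    return "FAILED"


def scan_terraform(source):
    """Map each azurerm_storage_container name to its CKV_AZURE_34 result."""
    results = {}
    for block in _BLOCK.finditer(source):
        match = _ACCESS.search(block.group("body"))
        value = match.group("value") if match else None
        results[block.group("name")] = evaluate_access_type(value)
    return results
```

Running scan_terraform(SAMPLE_TF) reports locked_down and uses_default as PASSED and public_blobs and public_listing as FAILED, which is the same split a Checkov run would show for the sample.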