Blob Storage containers should have public access disabled

Description

Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to those resources without sharing the account key and without requiring a shared access signature. Anonymous access to blob containers should not be enabled unless it is explicitly required. Where controlled, time-limited access is needed, a shared access signature token should be used instead.

Azure Portal

  • Navigate to Storage accounts and select the Storage Account.

  • In Settings, select Configuration.

  • In Allow Blob public access, select Disabled and click Save.

Azure PowerShell

  • To set AllowBlobPublicAccess to false on a storage account:

Set-AzStorageAccount -ResourceGroupName $rgName `
    -Name $accountName `
    -AllowBlobPublicAccess $false

Azure CLI

  • To set AllowBlobPublicAccess to false on a storage account:

az storage account update \
    --name <storage-account> \
    --resource-group <resource-group> \
    --allow-blob-public-access false
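An added audit script, not part of this remediation page: it reads the JSON that `az storage account list` emits (here a constructed sample embedded inline, with made-up account names and resource groups), flags every account whose `allowBlobPublicAccess` is not explicitly `false`, and builds the `az storage account update` command shown above for each finding. Accounts where the property is null or missing are also flagged, since the platform default decides their behaviour and they need review.

```python
import json

# Constructed sample mirroring the shape of `az storage account list` output,
# trimmed to the fields this check needs. Not real account data.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stprodlogs01", "resourceGroup": "rg-prod",   "allowBlobPublicAccess": false},
  {"name": "stwebassets",  "resourceGroup": "rg-web",    "allowBlobPublicAccess": true},
  {"name": "stlegacydata", "resourceGroup": "rg-legacy", "allowBlobPublicAccess": null}
]
"""


def find_public_access_enabled(accounts_json):
    """Return the accounts whose allowBlobPublicAccess is not explicitly false.

    Only an explicit false is treated as compliant: true means anonymous
    access is allowed, and null/missing means the property was never set,
    so the platform default applies and the account should be reviewed.
    """
    findings = []
    for acct in json.loads(accounts_json):
        value = acct.get("allowBlobPublicAccess")
        if value is not False:
            findings.append({
                "name": acct["name"],
                "resourceGroup": acct["resourceGroup"],
                "allowBlobPublicAccess": value,
            })
    return findings


def remediation_commands(findings):
    """Build the Azure CLI remediation command from this page for each finding."""
    return [
        "az storage account update --name {name} --resource-group {resourceGroup} "
        "--allow-blob-public-access false".format(**f)
        for f in findings
    ]


if __name__ == "__main__":
    hits = find_public_access_enabled(SAMPLE_ACCOUNTS_JSON)
    for f in hits:
        print(f"NON-COMPLIANT {f['resourceGroup']}/{f['name']} "
              f"allowBlobPublicAccess={f['allowBlobPublicAccess']}")
    for cmd in remediation_commands(hits):
        print(cmd)
```

Against a live subscription, pipe `az storage account list -o json` into `find_public_access_enabled` instead of the sample; the generated commands are printed for review, not executed.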

Azure Resource Manager

{
  "properties": {
    "allowBlobPublicAccess": false
  }
}

Example Configuration

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2021-06-01",
  "properties": {
    "allowBlobPublicAccess": false
  }
  // other required fields here
}

Terraform

Example Configuration

# Note: a blob resource does not carry the public-access setting itself. The
# account-level control lives on azurerm_storage_account
# (allow_nested_items_to_be_public = false), and the container it is uploaded
# to should be created with container_access_type = "private".
resource "azurerm_storage_blob" "example" {
  name                   = "my-awesome-content.zip"
  storage_account_name   = azurerm_storage_account.example.name
  storage_container_name = azurerm_storage_container.example.name
  type                   = "Block"
  source                 = "some-local-file.zip"
}