Blob Storage containers should have public access disabled
Description
Azure Blob Storage can be configured to allow anonymous, public read access to a container and its blobs. This grants read-only access to those resources without sharing the account key and without requiring a shared access signature. Do not allow anonymous access to blob containers unless it is strictly required. Use a shared access signature (SAS) token to provide controlled, time-limited access to blob containers instead.
Azure Portal
Navigate to Storage accounts and select the Storage Account.
In Settings, select Configuration.
In Allow Blob public access, select Disabled and click Save.
Azure PowerShell
To set AllowBlobPublicAccess to false for a storage account:
Set-AzStorageAccount -ResourceGroupName $rgName `
    -Name $accountName `
    -AllowBlobPublicAccess $false
Azure CLI
To set AllowBlobPublicAccess to false for a storage account:
az storage account update \
    --name <storage-account> \
    --resource-group <resource-group> \
    --allow-blob-public-access false
Azure Resource Manager
Ensure that a Microsoft.Storage/storageAccounts resource contains the following:
{
  "properties": {
    "allowBlobPublicAccess": false
  }
}
Example Configuration
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2021-06-01",
  "properties": {
    "allowBlobPublicAccess": false
  }
  // other required fields here
}
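The ARM requirement above can be checked before deployment. The following Python sketch is an added example, not part of the original page or of any Azure tooling; the function names and the sample template are constructed. It treats a missing property as a failure because the rule requires the template to contain the setting.

```python
import json

STORAGE_TYPE = "microsoft.storage/storageaccounts"

def iter_resources(resources):
    """Yield every resource in a template, descending into nested child resources."""
    if isinstance(resources, dict):      # languageVersion 2.0 uses a name -> resource map
        resources = resources.values()
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))

def check_template(template):
    """Return (name, reason) for each storage account not pinned to allowBlobPublicAccess=false."""
    findings = []
    for res in iter_resources(template.get("resources")):
        if str(res.get("type", "")).lower() != STORAGE_TYPE:
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties") or {}
        if "allowBlobPublicAccess" not in props:
            findings.append((name, "allowBlobPublicAccess is not set"))
        elif props["allowBlobPublicAccess"] is False:
            continue                      # compliant: literal JSON false
        elif str(props["allowBlobPublicAccess"]).startswith("["):
            findings.append((name, "value is a template expression; resolve and review"))
        else:
            findings.append((name, f"allowBlobPublicAccess is {props['allowBlobPublicAccess']!r}"))
    return findings

# Constructed sample template (not from the original page).
SAMPLE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stprivate",
     "properties": {"allowBlobPublicAccess": false}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stpublic",
     "properties": {"allowBlobPublicAccess": true}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stunset",
     "properties": {"supportsHttpsTrafficOnly": true}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stparam",
     "properties": {"allowBlobPublicAccess": "[parameters('allowPublic')]"}},
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet1", "properties": {}}
  ]
}
""")

if __name__ == "__main__":
    for name, reason in check_template(SAMPLE):
        print(f"FAIL {name}: {reason}")
```

Values supplied through template parameters are flagged for manual review because the script does not evaluate template expressions.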
Terraform
Ensure that azurerm_storage_blob contains the following:
type = "Block"
Example Configuration
resource "azurerm_storage_blob" "example" {
  name                   = "my-awesome-content.zip"
  storage_account_name   = azurerm_storage_account.example.name
  storage_container_name = azurerm_storage_container.example.name
  type                   = "Block"
  source                 = "some-local-file.zip"
}