Blob Storage containers should have public access disabled


Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers.

Remediation Steps

Azure Portal

  • Navigate to Storage Account.

  • Select the Blob Storage Account.

  • In the left panel, select Settings > Configuration.

  • Set Allow Blob public access to Disabled.

  • Click Save.

Azure CLI

  • Block public access for a Blob Storage container:

az storage account update \
    --name <storage-account> \
    --resource-group <resource-group> \
    --allow-blob-public-access false

Azure Resource Manager

  "properties": {
  "allowBlobPublicAccess": false

Example Configuration

  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2021-06-01",
  "properties": {
    "allowBlobPublicAccess": false,
  # other required fields here