Public access level for Blob Containers is not set to private
Description
Anonymous, public read access to a container and its blobs can be enabled in Azure Blob Storage. It grants read-only access to those resources without sharing the account key or requiring a shared access signature (SAS).
We recommend that you do not enable anonymous access to blob containers unless it is strongly required. Use a shared access signature token instead to grant controlled, time-limited access to blob containers.
Fix - Runtime
Azure Portal
To begin, follow the Microsoft documentation and create shared access signature tokens for your blob containers. When that is complete, use the Azure Portal to deny anonymous access by following these steps:
- Log in to the Azure Portal at https://portal.azure.com.
- Navigate to Storage Accounts.
- For each storage account:
  a) Navigate to BLOB SERVICE.
  b) Select Containers.
  c) For each container:
     (i) Click Access policy.
     (ii) Set Public Access Level to Private.
CLI Command
To set the public access level of a specific blob container to private (off), pass the container's name to the following command (replace the <...> placeholders with your values):
az storage container set-permission \
  --name <containerName> \
  --public-access off \
  --account-name <accountName> \
  --account-key <accountKey>
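To find the containers that still need the command above, the JSON that az storage container list prints can be checked for any container whose publicAccess is not null. The script below is an added example, not part of this page or of the Azure CLI; it assumes the CLI's output shape (a list of objects with name and properties.publicAccess, where null means private and "blob" or "container" means anonymous access is on) and uses a constructed sample listing so it runs offline.

```python
import json
from typing import Dict, List

# Constructed sample of `az storage container list --account-name <accountName> -o json`
# output. Assumption: publicAccess is null (private), "blob" or "container".
SAMPLE_LISTING = json.dumps([
    {"name": "logs", "properties": {"publicAccess": None}},
    {"name": "assets", "properties": {"publicAccess": "blob"}},
    {"name": "backups", "properties": {"publicAccess": "container"}},
])


def find_public_containers(listing_json: str) -> List[Dict[str, str]]:
    """Return every container whose public access level is not private.

    null means private; "blob" allows anonymous reads of individual blobs and
    "container" additionally allows anonymous listing of the container's blobs.
    """
    findings = []
    for container in json.loads(listing_json):
        level = (container.get("properties") or {}).get("publicAccess")
        if level is not None:
            findings.append({"name": container["name"], "public_access": level})
    return findings


def remediation_commands(account_name: str, listing_json: str) -> List[str]:
    """Build one `az storage container set-permission` call per public container.

    The account key stays a <accountKey> placeholder so this script never
    handles the secret; the operator supplies it when running the commands.
    """
    return [
        f"az storage container set-permission --name {f['name']} "
        f"--public-access off --account-name {account_name} --account-key <accountKey>"
        for f in find_public_containers(listing_json)
    ]


if __name__ == "__main__":
    # "examplestorage" is a placeholder account name for the demo run.
    for finding in find_public_containers(SAMPLE_LISTING):
        print(f"{finding['name']}: publicAccess={finding['public_access']}")
    for cmd in remediation_commands("examplestorage", SAMPLE_LISTING):
        print(cmd)
```

On a real account, pipe the CLI's JSON output into find_public_containers instead of SAMPLE_LISTING and review the generated commands before running them.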
Fix - Buildtime
Terraform
- Resource: azurerm_storage_container
- Argument: container_access_type
resource "azurerm_storage_container" "example" {
...
+ container_access_type = "private"
}