Ensure public access level for Blob Containers is set to private

ID

storage_blob_service_container_private_access

Severity

critical

Vendor

Azure

Resource

Blob Containers

Tags

reachable

Description

Public access level for Blob Containers is not set to private.

Azure Blob storage allows you to grant public read-only access to a container and its blobs. This is done by setting the publicAccess property on the resource.

Anonymous access to blob containers should be avoided unless it is strictly required; instead, use a shared access signature (SAS) token to provide controlled, time-limited access to blob containers.

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-04-01",
      "name": "storage account",
      "location": "[parameters('location')]",
      "resources": [
        {
          "type": "blobServices/containers",
          "apiVersion": "2021-04-01",
          "name": "anonymous", (1)
          "properties": {
            "publicAccess": "Container"
          }
        }
      ]
    }
  ]
}
1 A blob container whose publicAccess is set to Container, granting anonymous read access to the container and its blobs.

Terraform

resource "azurerm_storage_container" "my_storage" {
  name                  = "vhds"
  storage_account_name  = azurerm_storage_account.example.name
  container_access_type = "blob" (1)
}
1 FLAW: container_access_type is "blob", which grants anonymous read access to the blobs; it should be "private".

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-04-01",
      "name": "storage account",
      "location": "[parameters('location')]",
      "resources": [
        {
          "type": "blobServices/containers",
          "apiVersion": "2021-04-01",
          "name": "not anonymous", (1)
          "properties": {
            "publicAccess": "None"
          }
        }
      ]
    }
  ]
}
1 A blob container with publicAccess set to None, so no anonymous access is granted.

Terraform

resource "azurerm_storage_container" "my_storage" {
  name                  = "vhds"
  storage_account_name  = azurerm_storage_account.example.name
  container_access_type = "private" (1)
}
1 Fixed: container_access_type is "private".
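A build-time check for both the ARM and Terraform forms shown above, as an added example that is not part of this rule page or its scanner: it walks an ARM template (including containers nested under a storageAccounts resource) and scans azurerm_storage_container blocks, reporting every container whose access level is Blob or Container rather than None/private. The sample template and HCL are constructed for the example; the regex-based HCL scan is a simplification, not a full HCL parser.

```python
import json
import re

# Access levels that grant anonymous reads. ARM uses Blob/Container/None and
# the azurerm provider uses blob/container/private; compare case-insensitively.
PUBLIC_LEVELS = {"blob", "container"}

def arm_public_containers(template: str) -> list[str]:
    """Names of blobServices/containers resources whose publicAccess is not None,
    including containers nested under a storageAccounts resource."""
    findings = []

    def walk(resources):
        for res in resources:
            if res.get("type", "").endswith("blobServices/containers"):
                level = str(res.get("properties", {}).get("publicAccess", "None"))
                if level.lower() in PUBLIC_LEVELS:
                    findings.append(f"{res.get('name')}: publicAccess={level}")
            walk(res.get("resources", []))  # recurse into child resources

    walk(json.loads(template).get("resources", []))
    return findings

TF_BLOCK = re.compile(r'resource\s+"azurerm_storage_container"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
TF_LEVEL = re.compile(r'container_access_type\s*=\s*"([^"]*)"')

def tf_public_containers(hcl: str) -> list[str]:
    """azurerm_storage_container blocks whose container_access_type is blob or container.
    An omitted container_access_type defaults to private and is therefore not reported."""
    findings = []
    for name, body in TF_BLOCK.findall(hcl):
        match = TF_LEVEL.search(body)
        level = match.group(1) if match else "private"
        if level.lower() in PUBLIC_LEVELS:
            findings.append(f"{name}: container_access_type={level}")
    return findings

# Constructed sample inputs (not from the page): one public and one private container each.
SAMPLE_ARM = json.dumps({"resources": [{"type": "Microsoft.Storage/storageAccounts", "name": "sa", "resources": [
    {"type": "blobServices/containers", "name": "anonymous", "properties": {"publicAccess": "Container"}},
    {"type": "blobServices/containers", "name": "not anonymous", "properties": {"publicAccess": "None"}}]}]})
SAMPLE_TF = """
resource "azurerm_storage_container" "leaky" {
  container_access_type = "blob"
}
resource "azurerm_storage_container" "safe" {
  container_access_type = "private"
}
"""
```

Running arm_public_containers(SAMPLE_ARM) reports only "anonymous", and tf_public_containers(SAMPLE_TF) reports only "leaky".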

Runtime

Azure Portal

To change the policy, log in to the Azure Portal and then:

  • Navigate to Storage Accounts, and for each of them:

    • Navigate to Blob Service and select Containers. For each of them:

      • Click Access policy.

        • Set Public Access Level to Private.

CLI Command

  • Use the following command to set the public access level of a specific blob container to private:

$ az storage container set-permission --name <container name> --public-access off --account-name <account name> --account-key <account key>