Azure Storage public access controls
How to disable public access for Azure storage accounts, containers and blobs.
Azure Storage supports anonymous public read access for containers and blobs. When you configure a container's public access level setting to permit anonymous access, clients can read data in that container without authorizing the request. There are multiple settings in Azure that can affect public access:
Storage Account Settings:
- Allow public access: This setting does not grant public access, but allows containers and blobs in this storage account to be set for public access.
- Disallow public access: In contrast, this setting prevents Azure users from granting public access to containers and blobs in the storage account.
Container and Blob Settings:
- No public read access: The container and its blobs can be accessed only with an authorized request. This option is the default for all new containers.
- Public read access for blobs only: Blobs within the container can be read by anonymous public users, but container data is not available anonymously. Anonymous clients cannot list the blobs within the container.
- Public read access for container and its blobs: Container and blob data can be read by anonymous public users (except for container permission settings and container metadata). Anonymous clients can list all blobs within the container, but cannot list containers within the storage account.
This post looks at how you can enforce controls to `Disallow public access` at the storage account level and enforce `No public read access` on containers and blobs.
Traditional Workflow
The default configuration in Azure is to allow public access at the Storage Account level, but disable public access for newly created containers. These default permissions are reasonable for a single hobbyist controlling their own Azure storage account, but not in an enterprise setting.
A large organization may manage hundreds of storage accounts and thousands of containers. Because creating storage accounts and containers is a very common action, preventing authorized users from enabling public access by manually adjusting the configuration of each storage account becomes a challenge at scale.
Turbot Guardrails' recommendation for large organizations is that customers ‘Disallow public access’ on the storage account and enforce ‘No public read access’ on all containers. Requests for public access should be reviewed and granted on an exception basis if justified. Those exceptions should be enabled on dedicated public storage accounts.
Get it done with Turbot Guardrails
Let’s look at how Turbot Guardrails automation can be applied globally to disable public access on storage accounts, containers and blobs on all storage resources – in every subscription – across your entire Azure tenant. Exceptions to this global setting may be needed, and this approach allows you to override the setting on specific storage accounts or containers when approved.
By setting a single policy in Turbot Guardrails, we can ensure that public access is disabled on all current and future storage accounts:
After setting these policies, Turbot Guardrails automation will identify all storage resources that allow for public access and then handle remediation (update the storage accounts to disallow public access, and disable anonymous access for containers and blobs).
If you want to evaluate which storage resources are at risk in your environment before taking corrective action, we suggest setting the value to `Check: Disabled` for the storage accounts, and `Check: Private (No anonymous access)` for the storage containers and blobs at the Turbot level. Once set, Turbot Guardrails will create alarms for all impacted storage resources that are not configured correctly. You can then selectively apply an enforcement setting (e.g. to specific storage resources, resource groups, subscriptions, management groups, etc.) to run the corrective controls.
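To illustrate what a "Check" pass flags, here is an added example (not Turbot's code) that audits constructed inventory data shaped like the output of `az storage account list` and `az storage container list`; the property names `allowBlobPublicAccess` and `properties.publicAccess` and the treatment of an unset account value as "allowed" are assumptions. It also records whether a public container is actually reachable anonymously, since a storage account set to disallow public access overrides the container setting.

```python
import json

# Constructed sample input, shaped like the JSON from `az storage account list`
# and `az storage container list` (the property names are an assumption).
ACCOUNTS_JSON = """[
  {"name": "stprodlogs",  "allowBlobPublicAccess": false},
  {"name": "stlegacyweb", "allowBlobPublicAccess": true},
  {"name": "stunset",     "allowBlobPublicAccess": null}
]"""

CONTAINERS_JSON = """[
  {"account": "stprodlogs",  "name": "audit",  "properties": {"publicAccess": null}},
  {"account": "stprodlogs",  "name": "assets", "properties": {"publicAccess": "blob"}},
  {"account": "stlegacyweb", "name": "site",   "properties": {"publicAccess": "container"}},
  {"account": "stunset",     "name": "backup", "properties": {"publicAccess": "blob"}}
]"""

def account_allows_public(acct):
    # A null/missing value means the property was never set; treat it as
    # allowed, matching the default the post describes (assumption).
    return acct.get("allowBlobPublicAccess") is not False

def container_level(container):
    level = (container.get("properties") or {}).get("publicAccess")
    return "none" if level is None else str(level).lower()

def audit(accounts, containers):
    """Return alarms in the spirit of 'Check: Disabled' (accounts) and
    'Check: Private (No anonymous access)' (containers)."""
    allow = {a["name"]: account_allows_public(a) for a in accounts}
    alarms = []
    for name, allowed in allow.items():
        if allowed:
            alarms.append({"resource": name, "kind": "account",
                           "issue": "allows public access"})
    for c in containers:
        level = container_level(c)
        if level == "none":
            continue
        # The container setting only takes effect when the account permits
        # public access; a disallowed account overrides the container.
        effective = allow.get(c["account"], True)
        alarms.append({"resource": f'{c["account"]}/{c["name"]}',
                       "kind": "container",
                       "issue": f"public read access: {level}",
                       "anonymous_read_effective": effective})
    return alarms

def run():
    return audit(json.loads(ACCOUNTS_JSON), json.loads(CONTAINERS_JSON))

if __name__ == "__main__":
    for alarm in run():
        print(alarm)
```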
Make it happen!
See for yourself how easy it is to manage your public access configurations across your Azure storage accounts, containers and blobs. A ready-to-run Terraform template is available to enable this configuration from the Turbot Development Kit (TDK). If you need any assistance, let us know in our Slack community #guardrails channel. If you are new to Turbot, connect with us to learn more!