Azure storage account has a blob container that is publicly accessible
Description
Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to those resources to anyone who can reach the endpoint, without sharing the account key or requiring a shared access signature. We recommend that you do not enable anonymous access on blob containers unless it is explicitly required. Where controlled access is needed, use a shared access signature (SAS) token instead, which can be scoped to specific permissions and limited in time.
Code Example
resource "azurerm_storage_container" "example" {
  ...
+ container_access_type = "private"
}
Remediation
- Azure Portal
To begin, follow Microsoft documentation and create shared access signature tokens for your blob containers.
When complete, change the policy using the Azure Portal to deny anonymous access following these steps:
1. Log in to the Azure Portal at https://portal.azure.com.
2. Navigate to Storage Accounts.
3. For each storage account:
   a) Navigate to BLOB SERVICE.
   b) Select Containers.
   c) For each Container:
      (i) Click Access policy.
      (ii) Set Public Access Level to Private.
- CLI Command
To set the public access level of a specific blob container to private (off), run the following command with the container's name:
az storage container set-permission --name <containerName> --public-access off --account-name <accountName> --account-key <accountKey>
The --public-access flag also accepts blob and container, which are the two anonymous-read levels; off is the only private setting. The command changes a single container, so repeat it for every container in the account.
Fix - Buildtime
Terraform
- Resource: azurerm_storage_container
- Arguments: container_access_type
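The Terraform fix above is a single argument, but in a CI pipeline you usually want to catch the misconfiguration before apply rather than rely on everyone remembering it. The following is an added example, not code from the original page and not Checkov's own implementation of CKV_AZURE_34: a Python check that reads the JSON produced by `terraform show -json tfplan` and reports every azurerm_storage_container planned with container_access_type "blob" or "container". It treats an omitted attribute as compliant, because the azurerm provider defaults it to "private", but it flags a value that is unknown until apply time so that a reviewer looks at it. The plan embedded in SAMPLE_PLAN_JSON is constructed for this example; the function names are my own.

```python
"""Flag Azure blob containers that a Terraform plan would make publicly readable.

Added example for the CKV_AZURE_34 policy page; not the page's or Checkov's code.
Input is the JSON from `terraform show -json tfplan`.
"""
import json
from typing import Iterator, List, Set, Tuple

RESOURCE_TYPE = "azurerm_storage_container"
PUBLIC_LEVELS = {"blob", "container"}   # anonymous read of blobs / blobs plus listing


def iter_resources(module: dict) -> Iterator[dict]:
    """Walk the planned_values module tree: root module, then nested child_modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def unknown_access_addresses(plan: dict) -> Set[str]:
    """Addresses whose container_access_type is only known at apply time.

    Unknown attributes are absent from planned_values and appear instead as
    `true` under resource_changes[].change.after_unknown.
    """
    unknown = set()
    for change in plan.get("resource_changes", []):
        if change.get("type") != RESOURCE_TYPE:
            continue
        after_unknown = change.get("change", {}).get("after_unknown") or {}
        if after_unknown.get("container_access_type") is True:
            unknown.add(change["address"])
    return unknown


def find_public_containers(plan: dict) -> List[Tuple[str, str]]:
    """Return (address, verdict) for each container that is, or may be, public.

    verdict is the planned access level ("blob" or "container") or "unknown".
    A container with no container_access_type in the plan and no unknown marker
    relies on the provider default, "private", and is not reported.
    """
    unknown = unknown_access_addresses(plan)
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != RESOURCE_TYPE:
            continue
        address = res["address"]
        access = (res.get("values") or {}).get("container_access_type")
        if access is None:
            if address in unknown:
                findings.append((address, "unknown"))
            continue
        if str(access).lower() in PUBLIC_LEVELS:
            findings.append((address, access))
    return findings


def check_plan_json(text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse plan JSON text and run the check."""
    return find_public_containers(json.loads(text))


# Constructed sample plan (hypothetical addresses); shaped like real `terraform show -json` output.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "azurerm_storage_container.public_assets", "type": RESOURCE_TYPE,
             "values": {"name": "assets", "container_access_type": "container"}},
            {"address": "azurerm_storage_container.private_logs", "type": RESOURCE_TYPE,
             "values": {"name": "logs", "container_access_type": "private"}},
            {"address": "azurerm_storage_container.computed", "type": RESOURCE_TYPE,
             "values": {"name": "computed"}},   # access type unknown until apply
            {"address": "azurerm_storage_account.example", "type": "azurerm_storage_account",
             "values": {"name": "examplestorage"}},
        ],
        "child_modules": [{"address": "module.web", "resources": [
            {"address": "module.web.azurerm_storage_container.site", "type": RESOURCE_TYPE,
             "values": {"name": "site", "container_access_type": "blob"}},
        ]}],
    }},
    "resource_changes": [
        {"address": "azurerm_storage_container.computed", "type": RESOURCE_TYPE,
         "change": {"actions": ["create"],
                    "after_unknown": {"container_access_type": True, "id": True}}},
    ],
})

if __name__ == "__main__":
    for address, verdict in check_plan_json(SAMPLE_PLAN_JSON):
        print(f"{address}: container_access_type={verdict}")
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and feed the file contents to check_plan_json; a non-empty result is a reason to fail the pipeline. Walking child_modules matters because containers declared inside reusable modules are the ones most often missed by a check that only looks at the root module.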
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0545 |
| Severity | HIGH |
| IaC Type | arm |
| Frameworks | ARM |
| Checkov ID | CKV_AZURE_34 |