Azure storage account does allow public access
Description
As a best practice, do not allow anonymous/public access to blob containers unless you have a very good reason. Instead, you should consider using a shared access signature token for providing controlled and time-limited access to blob containers. 'Public access level' allows you to grant anonymous/public read access to a container and the blobs within Azure blob storage.
By doing so, you can grant read-only access to these resources without sharing your account key, and without requiring a shared access signature.
Code Example
```hcl
resource "azurerm_storage_account" "pike" {
  # ... other arguments of the storage account (name, resource group, location, tier, replication) ...

  # Disable public network access to the storage account
  public_network_access_enabled = false
}
```
Remediation
In Azure Console
1. Log in to the Azure portal
2. Navigate to 'Storage Accounts'
3. Select the reported storage account
4. Under the 'Blob service' section, select 'Containers'
5. Select the blob container you need to modify
6. Click on 'Change access level'
7. Set 'Public access level' to 'Private (no anonymous access)'
8. Click on 'OK'
Fix - Buildtime
Terraform
- Resource: azurerm_storage_account
- Arguments: allow_blob_public_access
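To show how the build-time check above can be applied to Terraform source before it reaches Azure, here is an added Python example (not Checkov's own implementation and not code from this page) that scans every `azurerm_storage_account` block in an HCL file. It treats an account as passing only when `public_network_access_enabled` is explicitly `false`, the setting the code example above adds, and additionally reports `allow_blob_public_access` whenever it is set to anything other than `false`. The two resources in `SAMPLE_HCL`, the regex-based block extractor and the `Finding` type are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple, Dict

RESOURCE_TYPE = "azurerm_storage_account"

# Constructed sample: one account left open, one locked down as the page recommends.
SAMPLE_HCL = '''
resource "azurerm_storage_account" "open" {
  name                     = "examplestorageopen"
  resource_group_name      = "example-rg"
  location                 = "westeurope"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  allow_blob_public_access = true
}

resource "azurerm_storage_account" "locked" {
  name                          = "examplestoragelocked"
  resource_group_name           = "example-rg"
  location                      = "westeurope"
  account_tier                  = "Standard"
  account_replication_type      = "LRS"
  public_network_access_enabled = false
  allow_blob_public_access      = false

  network_rules {
    default_action = "Deny"
  }
}
'''


@dataclass
class Finding:
    resource: str        # Terraform resource label, e.g. "open"
    attribute: str       # argument that was evaluated
    value: Optional[str] # raw value as written in HCL, or None when absent
    result: str          # "PASS" or "FAIL"


def _resource_blocks(hcl: str, resource_type: str) -> Iterator[Tuple[str, str]]:
    """Yield (label, body) for each resource block of the given type.

    Blocks are found with a regex and their bodies delimited by brace matching,
    which is enough for this demonstration (no HCL string literals containing
    braces are expected in the sample).
    """
    header = re.compile(r'resource\s+"%s"\s+"([^"]+)"\s*\{' % re.escape(resource_type))
    for match in header.finditer(hcl):
        depth, pos = 1, match.end()
        while pos < len(hcl) and depth:
            if hcl[pos] == "{":
                depth += 1
            elif hcl[pos] == "}":
                depth -= 1
            pos += 1
        yield match.group(1), hcl[match.end():pos - 1]


def _argument(body: str, name: str) -> Optional[str]:
    """Return the raw value of a top-level-looking `name = value` line, if present."""
    match = re.search(r'^\s*%s\s*=\s*([^\s#]+)' % re.escape(name), body, re.MULTILINE)
    return match.group(1) if match else None


def evaluate(hcl: str) -> List[Finding]:
    """Evaluate every storage account block against the public-access rule."""
    findings: List[Finding] = []
    for label, body in _resource_blocks(hcl, RESOURCE_TYPE):
        # Rule: public network access must be explicitly disabled (absent counts as open).
        pna = _argument(body, "public_network_access_enabled")
        findings.append(Finding(label, "public_network_access_enabled", pna,
                                "PASS" if pna == "false" else "FAIL"))
        # Extra finding: anonymous blob access, if the argument is present at all.
        blob = _argument(body, "allow_blob_public_access")
        if blob is not None:
            findings.append(Finding(label, "allow_blob_public_access", blob,
                                    "PASS" if blob == "false" else "FAIL"))
    return findings


def run_check(hcl: str) -> Dict[str, str]:
    """Collapse findings to one verdict per resource: FAIL if any finding failed."""
    verdicts: Dict[str, str] = {}
    for f in evaluate(hcl):
        if verdicts.get(f.resource) != "FAIL":
            verdicts[f.resource] = f.result
    return verdicts


if __name__ == "__main__":
    for f in evaluate(SAMPLE_HCL):
        print(f"{f.result:4} {RESOURCE_TYPE}.{f.resource}: {f.attribute} = {f.value}")
    print(run_check(SAMPLE_HCL))
```

Running the script reports `open` as FAIL on both arguments and `locked` as PASS. In azurerm provider 3.x the `allow_blob_public_access` argument named on this page was renamed to `allow_nested_items_to_be_public`; a check run against 3.x code should look for that name as well.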
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0568 |
| Severity | LOW |
| IaC Type | arm |
| Frameworks | Terraform |
| Checkov ID | CKV_AZURE_59 |