Anonymous blob access configured in Azure storage account
Description
This policy checks whether a storage account is configured to allow anonymous access to blob data. Anonymous access to blob data permits anyone on the internet to access or view the stored data without the need for any authentication. This poses a potential risk, as it exposes sensitive data to the public, increasing the likelihood of data leaks and privacy breaches.
Code Example
```hcl
resource "azurerm_storage_account" "storage_account" {
  ...
  allow_nested_items_to_be_public = false
}
```
Remediation
Terraform
- Resource: azurerm_storage_account
- Arguments: allow_nested_items_to_be_public
To fix the issue, disable anonymous access to the blob content of your storage account: set the `allow_nested_items_to_be_public` attribute to `false`. This ensures that no one can read blob content without proper authentication and authorization.
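As an added example (not part of the original policy text or the Checkov project), the check below runs over the JSON produced by `terraform show -json` and reports every `azurerm_storage_account` whose `allow_nested_items_to_be_public` is not explicitly `false`; treating a missing attribute as a finding is an assumption made here, since the configuration has not opted out of public nested items. The sample plan is constructed inline.

```python
import json

# Constructed sample of `terraform show -json` output, trimmed to the fields
# this check reads (assumed structure: planned_values -> root_module -> resources).
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "azurerm_storage_account.public", "type": "azurerm_storage_account",
         "name": "public", "values": {"name": "stpublic", "allow_nested_items_to_be_public": True}},
        {"address": "azurerm_storage_account.private", "type": "azurerm_storage_account",
         "name": "private", "values": {"name": "stprivate", "allow_nested_items_to_be_public": False}},
        {"address": "azurerm_storage_account.unset", "type": "azurerm_storage_account",
         "name": "unset", "values": {"name": "stunset"}},
        {"address": "azurerm_resource_group.rg", "type": "azurerm_resource_group",
         "name": "rg", "values": {"name": "rg-demo"}},
    ]}},
})


def iter_resources(module):
    # Yield resources from this module, then recurse into any child modules.
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_anonymous_blob_access(plan_json):
    # Return one finding per storage account that does not set the attribute to false.
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "azurerm_storage_account":
            continue
        value = res.get("values", {}).get("allow_nested_items_to_be_public")
        if value is not False:
            reason = "explicitly true" if value is True else "not set (provider default applies)"
            findings.append({"address": res["address"], "rule": "IAC-0804", "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_anonymous_blob_access(SAMPLE_PLAN):
        print(f"{finding['rule']} {finding['address']}: {finding['reason']}")
```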
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0804 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AZURE_47 |