[Turbot On] Azure Storage Public Access Controls

How to disable public access for Azure storage accounts, containers and blobs.

Azure Storage supports anonymous public read access for containers and blobs. When you configure a container's public access level setting to permit anonymous access, clients can read data in that container without authorizing the request. There are multiple settings in Azure that can affect public access:

Storage Account Settings:

  • Allow public access – This setting does not grant public access, but allows containers and blobs in this storage account to be set for public access. 

  • Disallow public access – In contrast, this setting prevents Azure users from granting public access to containers and blobs in the storage account.

Container and Blob Settings:

  • No public read access: The container and its blobs can be accessed only with an authorized request. This option is the default for all new containers.

  • Public read access for blobs only: Blobs within the container can be read by anonymous public users, but container data is not available anonymously. Anonymous clients cannot list the blobs within the container.

  • Public read access for container and its blobs: Container and blob data can be read by anonymous public users (except for container permission settings and container metadata). Anonymous clients can list all blobs within the container, but cannot list containers within the storage account.

This week’s Turbot On will look at how you can enforce controls to `Disallow public access` at the storage account level and enforce `No public read access` on containers and blobs.

Traditional Workflow

The default configuration in Azure is to allow public access at the Storage Account level, but disable public access for newly created containers.  These default permissions are reasonable for a single hobbyist controlling their own Azure storage account, but not in an enterprise setting.

A large organization may manage hundreds of storage accounts and thousands of containers. Because creating storage accounts and containers is a very common action, manually configuring each storage account to prevent authorized users from enabling public access becomes a challenge at scale.

Turbot’s recommendation for large organizations is that customers ‘Disallow public access’ on the storage account and enforce ‘No public read access’ on all containers. Requests for public access should be reviewed and granted if justified on an exception basis. Those exceptions should be enabled on dedicated public storage accounts.

Get it done with Turbot

Let’s look at how Turbot’s automation can be applied globally to disable public access on storage accounts, containers and blobs on all storage resources – in every subscription – across your entire Azure tenant. Exceptions to this global setting may be needed, and this approach allows you to override the setting on specific storage accounts or containers when approved.

By setting a single policy in Turbot, we can ensure that public access is disabled on all current and future storage accounts:

As an additional layer of protection, we can set another policy in Turbot to ensure that no current or future storage container or blob allows public access:

After setting these policies, Turbot automation will identify all storage resources that allow for public access and then handle remediation (update the storage accounts to disallow public access, and disable anonymous access for containers and blobs).

If you want to evaluate which storage resources are at risk in your environment before taking corrective action, we suggest setting the value to `Check: Disabled` for the storage accounts and `Check: Private (No anonymous access)` for the storage containers and blobs at the Turbot level. Once set, Turbot will create alarms for all impacted storage resources that are not configured correctly. You can then selectively apply an enforcement setting (e.g. to specific storage resources, resource groups, subscriptions, management groups, etc.) to run the corrective controls.
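
To make the interaction between the two layers concrete, the following added example (not Turbot's code or policy engine) runs a check-only pass over an exported inventory and reports which containers are actually exposed, which are only held back by the account-level switch, and which accounts still allow public access. It assumes the Azure Resource Manager property names `allowBlobPublicAccess` and `publicAccess`; the function names, finding labels and sample inventory are constructed for illustration.

```python
# Added example, not Turbot code. Field names follow the Azure Resource
# Manager properties allowBlobPublicAccess (storage account) and
# publicAccess (container); SAMPLE is constructed data.

def container_finding(account_allows, level):
    """Classify one container from the account switch and its access level."""
    level = (level or "None").lower()
    if level == "none":
        return "private"
    # A public level only takes effect while the account permits it.
    if not account_allows:
        return "blocked-by-account"
    # "Container" level also lets anonymous clients list the blobs.
    return "exposed-read-list" if level == "container" else "exposed-read"

def audit(accounts):
    """Return (resource, finding) alarms for everything not locked down."""
    alarms = []
    for acct in accounts:
        # Assumption: a missing value is treated as "allowed", matching the
        # account-level default the article describes.
        allows = acct.get("allowBlobPublicAccess") is not False
        if allows:
            alarms.append((acct["name"], "account-allows-public-access"))
        for c in acct.get("containers", []):
            finding = container_finding(allows, c.get("publicAccess"))
            if finding != "private":
                alarms.append((f'{acct["name"]}/{c["name"]}', finding))
    return alarms

# Constructed inventory: one account left at the default, one locked down
# with a stale public container setting, one empty account allowing access.
SAMPLE = [
    {"name": "legacyapp", "containers": [
        {"name": "logs", "publicAccess": None},
        {"name": "downloads", "publicAccess": "Blob"},
        {"name": "site", "publicAccess": "Container"}]},
    {"name": "finance", "allowBlobPublicAccess": False, "containers": [
        {"name": "reports", "publicAccess": "Container"},
        {"name": "ledgers", "publicAccess": "None"}]},
    {"name": "newacct", "allowBlobPublicAccess": True, "containers": []},
]

if __name__ == "__main__":
    for resource, finding in audit(SAMPLE):
        print(f"{finding:30} {resource}")
```

A `blocked-by-account` finding is not readable anonymously today, but it becomes exposed the moment the account setting is flipped back, which is why the article enforces both layers.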

Make it happen

See for yourself how easy it is to manage your public access configurations across your Azure storage accounts, containers and blobs. A ready-to-run Terraform template is available to download and run from the Turbot Development Kit (TDK). If you need any assistance getting this configured please reach out to Turbot Support, and keep an eye on your inbox for another Turbot tip next week!