Description:
The "Allow Blob anonymous access" setting (the allowBlobPublicAccess property in Azure Resource Manager) is an account-level switch that controls whether requests carrying no credentials at all (no Microsoft Entra ID token, account key, or SAS token) can read blobs. It overrides the per-container public access level: when the account setting is Disabled, a container configured for Blob or Container public access is still not reachable anonymously. Disabling it ensures that every request to blob storage must be authenticated and authorized; it does not, by itself, protect against leaked account keys or over-permissive SAS tokens.
Rationale:
Disabling anonymous access to Azure Blob storage is a critical security measure to protect sensitive data and prevent data leaks. Anonymous access exposes data to anyone who knows or can guess a blob URL, and a container set to Container-level public access additionally lets them enumerate every blob it holds. Such exposure violates security policies and compliance requirements like GDPR, HIPAA, or SOC 2. By ensuring this setting is disabled at the account level, organizations remove the class of misconfiguration in which a single container's public access level silently publishes data.
Impact:
Disabling anonymous access breaks any workflow that serves blobs to unauthenticated clients, for example a public download location or assets fetched directly by browsers. Access via Microsoft Entra ID, shared keys, or SAS tokens is unaffected. If a legitimate use case requires anonymous reads, document it, isolate it in a dedicated storage account and container, and record the exception rather than leaving anonymous access enabled on accounts that also hold private data.
Default Value:
Historically the allowBlobPublicAccess property was left unset (null) on new storage accounts, and Azure treats a null value as allowing anonymous access, so such accounts behaved as if the setting were Enabled. Microsoft has since changed the default for new accounts created in the portal to Disabled. Because accounts of both generations exist, treat the value as unknown until verified: any account whose property is null or true is non-compliant and must be explicitly set to Disabled.
Pre-requisites:
Azure account: an Azure subscription containing the target storage account.
Azure Storage Account: the target storage account must exist.
Permissions: a role that grants Microsoft.Storage/storageAccounts/write on the account, such as Owner, Contributor, or Storage Account Contributor. Managing Azure Policy definitions and assignments additionally requires a role such as Resource Policy Contributor at the target scope.
Audit:
To check whether 'Allow Blob anonymous access' is disabled for a storage account:
Sign in to the Azure portal using an account with appropriate permissions.
Navigate to the storage account.
In the left-hand menu, under Settings, select Configuration.
Locate Allow Blob anonymous access. It should be Disabled.
Repeat for every storage account in scope; an account whose value has never been set behaves as if it were Enabled.
Remediation:
To disable anonymous access on a storage account:
Sign in to the Azure portal using an account with appropriate permissions.
Navigate to the storage account.
In the left-hand menu, under Settings, select Configuration.
Set Allow Blob anonymous access to Disabled.
Save the changes. Existing container public access levels are left in place but no longer take effect while the account-level setting is Disabled.
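An offline audit of the same check across many accounts, as an added example that is not part of the original page. It reads JSON in the shape returned by az storage account list (the allowBlobPublicAccess field is the ARM property behind the portal toggle) together with each account's container public access levels, flags every account whose value is not explicitly false, lists which containers are actually exposed, and emits the az storage account update command that remediates the account. The sample records are constructed, not real accounts, and the container list is flattened to the single publicAccess field the check needs; the null-means-allowed rule it encodes is the same one an Azure Policy definition for this control has to honour.

```python
"""Offline audit of the 'Allow Blob anonymous access' account setting.

Added example, not from the original page. Input mimics the JSON from
`az storage account list` and, flattened, `az storage container list`.
All sample data below is constructed for illustration.
"""
import json

# Constructed sample of three accounts in the three possible states:
# never set (null), explicitly enabled, explicitly disabled.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "stlegacy01", "resourceGroup": "rg-prod", "allowBlobPublicAccess": null},
  {"name": "stpublic02", "resourceGroup": "rg-web",  "allowBlobPublicAccess": true},
  {"name": "stlocked03", "resourceGroup": "rg-prod", "allowBlobPublicAccess": false}
]
""")

# Constructed sample of container public-access levels per account
# ("blob", "container", or None for private), keyed by account name.
SAMPLE_CONTAINERS = {
    "stlegacy01": [{"name": "backups", "publicAccess": None},
                   {"name": "assets", "publicAccess": "blob"}],
    "stpublic02": [{"name": "www", "publicAccess": "container"}],
    "stlocked03": [{"name": "public", "publicAccess": "container"}],
}


def account_allows_anonymous(account: dict) -> bool:
    """Azure treats an unset (null) allowBlobPublicAccess as allowed.
    Only an explicit false closes anonymous access at the account level."""
    return account.get("allowBlobPublicAccess") is not False


def exposed_containers(account: dict, containers: list) -> list:
    """Containers actually reachable without credentials: the account-level
    switch must be open AND the container must be set to blob or container
    access. A private container stays private either way."""
    if not account_allows_anonymous(account):
        return []
    return [c["name"] for c in containers
            if c.get("publicAccess") in ("blob", "container")]


def audit(accounts: list, containers_by_account: dict) -> list:
    """Return one finding per non-compliant account, with the CLI command
    that sets allowBlobPublicAccess to false."""
    findings = []
    for acct in accounts:
        if not account_allows_anonymous(acct):
            continue
        name, rg = acct["name"], acct["resourceGroup"]
        findings.append({
            "account": name,
            "resourceGroup": rg,
            "allowBlobPublicAccess": acct.get("allowBlobPublicAccess"),
            "exposedContainers": exposed_containers(
                acct, containers_by_account.get(name, [])),
            "remediation": (f"az storage account update --name {name} "
                            f"--resource-group {rg} "
                            f"--allow-blob-public-access false"),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS, SAMPLE_CONTAINERS):
        print(json.dumps(finding, indent=2))
```

Note that stlegacy01 is reported even though its property is null, and stlocked03 is not reported even though it has a container set to Container access: the account-level setting wins in both directions. To run this against a real subscription, replace the constructed samples with the CLI output and keep the decision functions unchanged.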
Automated Implementation:
You can audit and enforce this setting at scale with Azure Policy. Azure provides a built-in definition, "Storage account public access should be disallowed", that can be assigned directly; the custom definition below implements the same check.
Create a custom Azure Policy to ensure 'Allow Blob anonymous access' is disabled:
Go to the Azure portal.
Navigate to Policy, then Definitions.
Create a new policy definition with the following content. The rule uses the allowBlobPublicAccess alias of the storage account resource, and the negated equals-"false" test is deliberate: an unset (null) value is treated by Azure as allowing anonymous access and must be caught as well as an explicit true.
{
  "properties": {
    "displayName": "Ensure Allow Blob Anonymous Access is Disabled",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Denies creation or update of storage accounts unless allowBlobPublicAccess is explicitly false. A null value is treated by Azure as allowing anonymous access, so it is rejected as well.",
    "parameters": {},
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "not": {
              "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
              "equals": "false"
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
Assign the policy:
Once the custom policy is created, assign it to the relevant subscriptions or resource groups. With the deny effect, Azure Policy blocks new or updated storage accounts that allow anonymous access but does not change accounts that already exist. Assign it with the audit effect first to inventory non-compliant accounts, remediate those (through the Remediation steps above, or with a modify effect plus a remediation task), then switch the assignment to deny.
Backout Plan:
If you need to revert the setting:
Sign in to the Azure portal with the appropriate permissions.
Navigate to the storage account.
In the left-hand menu, under Settings, select Configuration.
Set Allow Blob anonymous access to Enabled.
Save the changes. Only containers whose own public access level is Blob or Container become reachable anonymously again; containers set to Private stay private.
If the setting is enforced by Azure Policy, first exempt the account or remove the assignment; otherwise a deny effect will reject the update.