Block all public access to Azure Storage Accounts - via Azure policy - with complete sample
@20aman Jul 17, 2021In the last post, we looked at how to block all public access to Azure Storage Accounts via manual configurations on the Storage Account. You can view that post here: Block all public access to Azure Storage Accounts - via manual setting. In this post, we are looking at how to automatically enforce this in your environment not just for existing storage accounts but also for any new storage accounts that will be created in the future. As the title suggests, we are going to use Azure policy to achieve this.
You have two key options when it comes to any Azure policy. You can either use it only to audit which resources are not compliant. Or you can enforce the required settings. We ideally want the latter effect, so that if someone changes the settings the settings are auto-corrected.
Finding the required resources within the policy
You first need to find the relevant resources. The two conditions you need to apply within the policy are:
- You need to filter for all Storage Account resources
- Then you need to filter for Storage Accounts for which "allowBlobPublicAccess" is not equal to "false" i.e. for which the allow blob public access is enabled.
For the first condition i.e. to filter by Storage account resource you use the below condition within the policy:
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
}
For the second condition, i.e. to filter for Storage Accounts for which "allowBlobPublicAccess" is not equal to "false" you can use the below condition:
{
"not": {
"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
"equals": "false"
}
}
Option 1 - Auditing for compliance
If you want to only Audit these storage accounts for which the allow blob public access is enabled, for the effect you can specify to only "audit" as shown below:
"then": {
"effect": "audit"
}
This will only show the non-compliant storage accounts under the compliance report.
Option 2 - Enforcing the setting (Recommended)
To go one step further you want to enforce the setting. You have two ways to do this:
- Deny the operation
- Reapply the settings.
To deny the operation simply specify the effect as "deny" as shown below:
"then": {
"effect": "deny"
}
To reapply the settings automatically you can use the below "modify" effect in the policy. You need to specify the guid for the role with which the effect will be applied. And then you specify the "addOrReplace" operation to update the setting as shown below:
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [
{
"operation": "addOrReplace",
"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
"value": false
}
]
}
}
NOTE: You can create Exemptions in the policy if you have a genuine case where the access needs to be opened. E.g. a public static website hosted on the Storage Account.
Complete Policy Sample GitHub Location
To find the complete policy sample can be found in the GitHub at this location: DisableBlobPublicAccess.json
Reference: Prevent anonymous public read access to containers and blobs