Azure Policy For Preventing Public Blob Containers
There are no ARM REST API properties for Blob containers, which means we can't create an Azure Policy to stop people from ever creating public blob containers.
This is how every AWS breach has occurred: accidentally setting storage to public.
The feedback is well received. Azure Storage team is working on the feature for this scenario. It’s estimated to ship in CY2019.
Bart Baenisch commented
Hi, any updates on this? We urgently need the storage aliases in Azure policy
lol planned.. are you guys serious? It's already done.

```json
"name": "[concat('default/', 'buildings')]",
```
Please make this a priority and have an option to set these under Azure Policy!
Jennifer Collis commented
Microsoft!! Make us secure!!!
Now that the ARM templates for Storage Accounts allow setting the access level for blob containers, an Azure Policy can (and should) be created to allow organizations to enforce the 'Public access level'. This would allow a group to enforce that all blob containers have to be 'Private', preventing an accidental data breach from occurring.
There is a GitHub request for this feature as well:
Please can we see a microsoft response on this. Not having this option is dangerous for enterprise rollout of blob storage.
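The enforcement the thread asks for, written out as an added example (this is not the thread's own text nor a Microsoft-published definition): a custom Azure Policy definition that denies any ARM request creating or updating a blob container whose public access level is anything other than `None` (Private). It assumes the alias `Microsoft.Storage/storageAccounts/blobServices/containers/publicAccess` is present in the subscription's alias catalogue, and the `exists` guard is there so a container that omits the property (which defaults to private) is not denied.

```json
{
  "properties": {
    "displayName": "Deny blob containers with public access",
    "policyType": "Custom",
    "mode": "All",
    "description": "Added example, not from the original thread. Denies creation or update of a blob container unless its publicAccess is None. Assumes the container publicAccess alias is available.",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts/blobServices/containers"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/blobServices/containers/publicAccess",
            "exists": "true"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/blobServices/containers/publicAccess",
            "notEquals": "None"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

`mode` must be `All` rather than `Indexed`, because containers do not support tags or location and an `Indexed` policy would never evaluate them. With the Azure CLI, pass only the `policyRule` object to `az policy definition create --name deny-public-containers --mode All --rules rule.json`, then assign it at the management group or subscription scope. One caveat a practitioner should keep in mind: Azure Policy evaluates control-plane (ARM) requests, so a container created directly through the blob data-plane API with the account key is not seen by this rule; the account-level `allowBlobPublicAccess` setting, which did not exist when this thread was written, is the stronger control where it is available.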