How can we improve Azure Storage?

Azure Policy For Preventing Public Blob Containers

There are no ARM REST API properties for blob containers, which means we can't create an Azure Policy that prevents people from ever creating public blob containers.

This is how every AWS breach has occurred: accidentally setting storage to public.

130 votes
Chris shared this idea

7 comments

  • Daniel commented

    Hi, any updates on this? We urgently need the storage aliases in Azure Policy:

    "Microsoft.Storage/storageAccounts/blobServices/containers"
    "Microsoft.Storage/storageAccounts/blobServices/containers/publicAccess"

    Thank you!

  • Anonymous commented

    lol, planned... are you guys serious? It's already done.

    https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/2018-02-01/storageaccounts/blobservices/containers

    ```json
    {
      "name": "[concat('default/', 'buildings')]",
      "type": "blobServices/containers",
      "apiVersion": "[variables('apiVersions').azureStorage]",
      "properties": {
        "publicAccess": "blob"
      },
      "dependsOn": [
        "[variables('settingsStorageAccounts').stoAccountApp]"
      ]
    }
    ```

  • Kiran commented

    Please make this a priority and have an option to set these under Azure Policy!

  • Scott commented

    Now that the ARM templates for Storage Accounts allow setting the access level for blob containers, an Azure Policy can (and should) be created to allow organizations to enforce the 'Public access level'. This would allow a group to enforce that all blob containers have to be 'Private', preventing an accidental data breach from occurring.

    There is a GitHub request for this feature as well:
    https://github.com/Azure/azure-policy/issues/131
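
    As an added example (not from the original thread, and not a built-in Microsoft policy), here is what a custom Azure Policy definition enforcing the requirement in the comment above looks like, built on the two aliases Daniel lists earlier in the thread. The display name, description and name are mine; the resource type, the `publicAccess` alias and the values `None`, `Blob` and `Container` are the real ones from the Storage resource provider.

    ```json
    {
      "properties": {
        "displayName": "Deny public access on blob containers",
        "description": "Denies creation or update of any blob container whose publicAccess is not None.",
        "mode": "All",
        "parameters": {},
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts/blobServices/containers"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/blobServices/containers/publicAccess",
                "notEquals": "None"
              }
            ]
          },
          "then": {
            "effect": "deny"
          }
        }
      }
    }
    ```

    Two points a practitioner should check before relying on this. `"mode": "All"` is required, not optional: the default `Indexed` mode only evaluates resource types that support tags and location, and containers support neither, so an `Indexed` policy would silently never match. Second, a `deny` effect is enforced only on requests that pass through Azure Resource Manager (ARM templates, the portal, `az storage container create` with `--auth-mode login` against the management plane). A container created directly on the blob data plane with an account key or SAS is not gated at creation time; Policy will only report it as non-compliant on the next compliance evaluation, so pair this with the account-level `allowBlobPublicAccess` property set to `false` where the API version in use supports it, which refuses anonymous reads regardless of the per-container setting. The definition deploys with `az policy definition create --mode All --rules <file containing the policyRule>` followed by `az policy assignment create --policy <definition name> --scope <subscription or resource group>`.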

  • Matthew commented

    Please can we see a Microsoft response on this. Not having this option is dangerous for enterprise rollout of blob storage.
