Disable Anonymous Access to Blob Containers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-006

Secure your data by disabling anonymous access to blob containers provisioned within your Azure Storage account. This action effectively prevents public, unauthenticated access to your sensitive blob data.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

When anonymous (public) read access is enabled on a container, any client that knows the URL can read its blobs with a plain, unauthenticated HTTPS request: no account key, no Microsoft Entra token and no shared access signature (SAS) is required, so the data is effectively world-readable. To adhere to security best practices, it is strongly recommended to disable anonymous access to each blob container available within your Azure Storage account unless it is absolutely necessary, and to disallow it at the storage account level so that no container can re-enable it. Where an external party genuinely needs access, issue a SAS token with a short expiry and only the permissions required instead of opening the container to anonymous requests.


Audit

To determine whether anonymous access to Azure Storage blob containers is disabled, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the storage account that you want to examine.

06 In the resource navigation panel, under Data storage, choose Containers to access the blob containers provisioned for the selected storage account.

07 Choose the container that you want to examine and check the configuration value available in the Anonymous access level column. If the configuration value is set to Blob (anonymous read access for blobs only) or Container (anonymous read access for containers and blobs), the blob container's data can be read by anonymous request. Therefore, the anonymous (public) access to the selected Microsoft Azure Storage blob container is not disabled. Only Private (no anonymous access) means that anonymous access is disabled for the container.

08 Repeat step no. 7 for each blob container provisioned within the selected Azure Storage account.

09 Repeat steps no. 5 – 8 for each Azure Storage account created in the selected subscription.

10 Repeat steps no. 3 – 9 for each Azure subscription available within your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run storage account list command (Windows/macOS/Linux) with custom output filters to describe the identifier (name) of each storage account provisioned in the selected subscription:

az storage account list \
	--query '[*].name'

05 The command output should return the requested storage account names:

[
	"project5storageaccount",
	"cloudaistorageaccount"
]

06 Run storage container list command (Windows/macOS/Linux) with the name of the Azure Storage account that you want to examine as the identifier parameter and custom output filters to list the blob containers available in the selected storage account:

az storage container list \
	--account-name "project5storageaccount" \
	--query '[*].name'

07 The command output should return the requested container names:

[
	"project5customerdata",
	"project5productdata"
]

08 Run storage container show command (Windows/macOS/Linux) with the name of the blob container that you want to examine as the identifier parameter to determine the anonymous access level set for the selected container:

az storage container show \
	--name project5customerdata \
	--account-name project5storageaccount \
	--query 'properties.publicAccess'

09 The command output should return the name of the anonymous access level configured for the selected container (a null result means the container is Private):

"container"

If the storage container show command output returns "container", as shown in the example above, or "blob", the data available in the selected blob container can be read by anonymous request. Therefore, the anonymous (public) access to the selected Microsoft Azure Storage blob container is not disabled.

10 Repeat steps no. 8 and 9 for each blob container provisioned in the selected Azure Storage account.

11 Repeat steps no. 6 – 10 for each Azure Storage account available within the selected subscription.

12 Repeat steps no. 3 – 11 for each Azure subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To disable public (anonymous) access to the blob containers provisioned within your Microsoft Azure Storage account, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the storage account that you want to access.

06 In the resource navigation panel, under Data storage, choose Containers to access the blob containers provisioned for the selected storage account.

07 Select the blob container that you want to configure, and choose Change access level to configure the public (anonymous) access level for the selected resource. There are three levels of public access: Private (no anonymous access), Blob (anonymous read access for blobs only), and Container (anonymous read access for containers and blobs).

08 In the Change access level configuration box, select Private (no anonymous access) from the Anonymous access level setting dropdown list to disable anonymous (public) access for the selected blob container. Choose OK to apply the configuration changes. If the Anonymous access level setting is inactive (grayed out), anonymous access is already disabled at the storage account level (Settings > Configuration > Allow Blob anonymous access), which overrides any container-level value, and the container is reported as Private (no anonymous access) by default.

09 Repeat steps no. 7 and 8 for each publicly accessible blob container provisioned for the selected Azure Storage account.

10 Repeat steps no. 5 – 9 for each Azure Storage account available within the selected subscription.

11 Repeat steps no. 3 – 10 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run storage container set-permission command (Windows/macOS/Linux) with the name of the blob container that you want to configure as the identifier parameter, to disable public (anonymous) access to the selected blob container by setting the --public-access command parameter to off. There are three levels of public access: Private (no anonymous access) - --public-access off, Blob (anonymous read access for blobs only) - --public-access blob, and Container (anonymous read access for containers and blobs) - --public-access container:

az storage container set-permission \
	--name project5customerdata \
	--account-name project5storageaccount \
	--public-access off

05 The output should return the storage container set-permission command request metadata:

{
	"client_request_id": "abcd1234-abcd-1234-abcd-abcd1234abcd",
	"date": "2025-03-10T11:00:00+00:00",
	"last_modified": "2025-03-10T11:00:01+00:00",
	"request_id": "1234abcd-abcd-1234-abcd-abcd1234abcd",
	"version": "2022-11-02"
}

06 Repeat steps no. 4 and 5 for each publicly accessible blob container provisioned for the selected Azure Storage account.

07 Repeat steps no. 4 – 6 for each Azure Storage account available within the selected subscription.

08 Repeat steps no. 3 – 7 for each Azure subscription created in your Microsoft Azure cloud account.
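The two CLI procedures above, the audit (steps 1 – 12 under Audit) and the remediation (steps 1 – 8 here), are tedious to repeat by hand across many subscriptions, so the following script runs both as one loop. It is an added example and is not part of the Conformity page or of the Azure CLI itself. It walks every subscription, storage account and container visible to the signed-in identity, prints a FINDING line for each container whose anonymous access level is blob or container, and with --fix also runs storage container set-permission --public-access off on each one. It assumes an already signed-in az session whose identity can list storage accounts, list account keys (the container commands default to account-key authentication) and, for --fix, change container ACLs; the script file name audit-anonymous-access.sh, the helper function names and the constructed sample lines shown in the usage note are the example's own and do not appear on the page.

```sh
#!/bin/sh
# Added example (not Conformity's tooling, not Azure CLI code): audit, and optionally
# remediate, anonymous access on every blob container in every reachable subscription.
# Assumes `az login` has been done and the identity can list storage accounts, list
# account keys (used by the container commands) and, for --fix, set container ACLs.
set -u

# Classify one container. $3 is properties.publicAccess as printed by `az ... -o tsv`:
# "blob", "container", or an empty/None/null value for Private.
# Returns 0 for Private; prints a FINDING line and returns 1 for anything else.
classify_container() {
    acct="$1"; name="$2"; level="$3"
    case "$level" in
        ''|None|null) return 0 ;;
        blob|container)
            printf 'FINDING %s %s %s\n' "$acct" "$name" "$level"; return 1 ;;
        *)  # an unexpected value is reported rather than silently treated as safe
            printf 'FINDING %s %s unexpected:%s\n' "$acct" "$name" "$level"; return 1 ;;
    esac
}

# Read "<name><TAB><publicAccess>" lines on stdin, the shape produced by
#   az storage container list --account-name A --query '[].[name, properties.publicAccess]' -o tsv
# and emit one FINDING line per container with anonymous access enabled.
report_public_containers() {
    acct="$1"
    while IFS="$(printf '\t')" read -r name level; do
        [ -n "$name" ] || continue
        classify_container "$acct" "$name" "$level" || true
    done
}

# Read FINDING lines on stdin and set each listed container to Private (step 04 above).
fix_findings() {
    while read -r tag acct name level; do
        [ "$tag" = "FINDING" ] || continue
        printf 'setting %s/%s to Private (was %s)\n' "$acct" "$name" "$level"
        az storage container set-permission --name "$name" \
            --account-name "$acct" --public-access off --output none
    done
}

# Walk subscriptions and storage accounts. Each account's allowBlobPublicAccess flag is
# printed as well: when it is False the account blocks anonymous access for every
# container, whatever the container-level values (the FINDING lines) still say.
audit_all() {
    mode="$1"
    for sub in $(az account list --query '[].id' -o tsv); do
        az account set --subscription "$sub"
        az storage account list --query '[].[name, allowBlobPublicAccess]' -o tsv |
        while IFS="$(printf '\t')" read -r acct allow; do
            [ -n "$acct" ] || continue
            printf 'account %s allowBlobPublicAccess=%s\n' "$acct" "$allow"
            findings=$(az storage container list --account-name "$acct" \
                --query '[].[name, properties.publicAccess]' -o tsv |
                report_public_containers "$acct")
            [ -n "$findings" ] || continue
            printf '%s\n' "$findings"
            if [ "$mode" = "--fix" ]; then
                printf '%s\n' "$findings" | fix_findings
            fi
        done
    done
}

# Only contact Azure when explicitly asked, so the helpers above can be sourced and
# exercised offline against constructed input.
case "${1:-}" in
    --run|--fix) audit_all "$1" ;;
esac
```

Run sh audit-anonymous-access.sh --run to audit and --fix to remediate. The classification can be checked offline by sourcing the file and piping constructed lines into the helper, for example printf 'customerdata\tcontainer\nlogs\t\n' | report_public_containers project5storageaccount, which reports only customerdata. Because a container keeps its Blob or Container value even after the account-level switch is turned off, the account line the script prints matters: setting the account flag to false with az storage account update --name <account> --allow-blob-public-access false closes anonymous access for every container in the account at once and is the stronger control; the per-container set-permission calls remain useful so that re-enabling the account flag later does not silently reopen old containers.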

Publication date Jun 12, 2019