Storage Blob Service Container With Public Access

  • Query id: a0ab985d-660b-41f7-ac81-70957ee8e627
  • Query name: Storage Blob Service Container With Public Access
  • Platform: AzureResourceManager
  • Severity: High
  • Category: Networking and Firewall
  • URL: Github

Description

Storage Blob Service Container should not publicly accessible
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {},
  "variables": {},
  "functions": [],
  "resources": [
    {
      "name": "blob/container/example",
      "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
      "apiVersion": "2021-02-01",
      "properties": {
        "denyEncryptionScopeOverride": true,
        "publicAccess": "Container",
        "metadata": {}
      },
      "resources": []
    }
  ],
  "outputs": {}
}
Positive test num. 2 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "existingVNETName": {
      "type": "string",
      "metadata": {
        "description": "Name of the virtual network to use for cloud shell containers."
      }
    },
    "existingStorageSubnetName": {
      "type": "string",
      "metadata": {
        "description": "Name of the subnet to use for storage account."
      }
    },
    "existingContainerSubnetName": {
      "type": "string",
      "metadata": {
        "description": "Name of the subnet to use for cloud shell containers."
      }
    },
    "storageAccountName": {
      "type": "string",
      "metadata": {
        "description": "Name of the storage account in subnet."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    }
  },
  "variables": {
    "containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]",
    "storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard_LRS",
        "tier": "Standard"
      },
      "kind": "StorageV2",
      "properties": {
        "networkAcls": {
          "bypass": "None",
          "virtualNetworkRules": [
            {
              "id": "[variables('containerSubnetRef')]",
              "action": "Allow"
            },
            {
              "id": "[variables('storageSubnetRef')]",
              "action": "Allow"
            }
          ],
          "defaultAction": "Deny"
        },
        "supportsHttpsTrafficOnly": true,
        "encryption": {
          "services": {
            "file": {
              "keyType": "Account",
              "enabled": true
            },
            "blob": {
              "keyType": "Account",
              "enabled": true
            }
          },
          "keySource": "Microsoft.Storage"
        },
        "accessTier": "Cool"
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices",
      "apiVersion": "2019-06-01",
      "name": "[concat(parameters('storageAccountName'), '/default')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
      ],
      "sku": {
        "name": "Standard_LRS",
        "tier": "Standard"
      },
      "properties": {
        "deleteRetentionPolicy": {
          "enabled": false
        }
      },
      "resources": [
        {
          "type": "containers",
          "apiVersion": "2019-06-01",
          "name": "container",
          "properties": {
            "denyEncryptionScopeOverride": true,
            "publicAccess": "Blob",
            "metadata": {}
          }
        }
      ]
    }
  ]
}
Positive test num. 3 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string",
      "metadata": {
        "description": "Specifies the name of the Azure Storage account."
      }
    },
    "containerName": {
      "type": "string",
      "defaultValue": "logs",
      "metadata": {
        "description": "Specifies the name of the blob container."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Specifies the location in which the Azure Storage resources should be deployed."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard_LRS",
        "tier": "Standard"
      },
      "kind": "StorageV2",
      "properties": {
        "accessTier": "Hot"
      },
      "resources": [
        {
          "type": "blobServices/containers",
          "apiVersion": "2019-06-01",
          "name": "[concat('default/', parameters('containerName'))]",
          "dependsOn": [
            "[parameters('storageAccountName')]"
          ],
          "properties": {
            "denyEncryptionScopeOverride": true,
            "publicAccess": "Blob",
            "metadata": {}
          }
        }
      ]
    }
  ]
}

Positive test num. 4 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {},
      "variables": {},
      "functions": [],
      "resources": [
        {
          "name": "blob/container/example",
          "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
          "apiVersion": "2021-02-01",
          "properties": {
            "denyEncryptionScopeOverride": true,
            "publicAccess": "Container",
            "metadata": {}
          },
          "resources": []
        }
      ],
      "outputs": {}
    },
    "resourceGroup": "storageRG",
    "parameters": {
      "storageAccountType": {
        "value": "[parameters('storageAccountType')]"
      }
    }
  },
  "kind": "template",
  "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "storageTemplate"
}
Positive test num. 5 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "existingVNETName": {
          "type": "string",
          "metadata": {
            "description": "Name of the virtual network to use for cloud shell containers."
          }
        },
        "existingStorageSubnetName": {
          "type": "string",
          "metadata": {
            "description": "Name of the subnet to use for storage account."
          }
        },
        "existingContainerSubnetName": {
          "type": "string",
          "metadata": {
            "description": "Name of the subnet to use for cloud shell containers."
          }
        },
        "storageAccountName": {
          "type": "string",
          "metadata": {
            "description": "Name of the storage account in subnet."
          }
        },
        "location": {
          "type": "string",
          "defaultValue": "[resourceGroup().location]",
          "metadata": {
            "description": "Location for all resources."
          }
        }
      },
      "variables": {
        "containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]",
        "storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]"
      },
      "resources": [
        {
          "type": "Microsoft.Storage/storageAccounts",
          "apiVersion": "2019-06-01",
          "name": "[parameters('storageAccountName')]",
          "location": "[parameters('location')]",
          "sku": {
            "name": "Standard_LRS",
            "tier": "Standard"
          },
          "kind": "StorageV2",
          "properties": {
            "networkAcls": {
              "bypass": "None",
              "virtualNetworkRules": [
                {
                  "id": "[variables('containerSubnetRef')]",
                  "action": "Allow"
                },
                {
                  "id": "[variables('storageSubnetRef')]",
                  "action": "Allow"
                }
              ],
              "defaultAction": "Deny"
            },
            "supportsHttpsTrafficOnly": true,
            "encryption": {
              "services": {
                "file": {
                  "keyType": "Account",
                  "enabled": true
                },
                "blob": {
                  "keyType": "Account",
                  "enabled": true
                }
              },
              "keySource": "Microsoft.Storage"
            },
            "accessTier": "Cool"
          }
        },
        {
          "type": "Microsoft.Storage/storageAccounts/blobServices",
          "apiVersion": "2019-06-01",
          "name": "[concat(parameters('storageAccountName'), '/default')]",
          "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
          ],
          "sku": {
            "name": "Standard_LRS",
            "tier": "Standard"
          },
          "properties": {
            "deleteRetentionPolicy": {
              "enabled": false
            }
          },
          "resources": [
            {
              "type": "containers",
              "apiVersion": "2019-06-01",
              "name": "container",
              "properties": {
                "denyEncryptionScopeOverride": true,
                "publicAccess": "Blob",
                "metadata": {}
              }
            }
          ]
        }
      ]
    },
    "resourceGroup": "storageRG",
    "parameters": {
      "storageAccountType": {
        "value": "[parameters('storageAccountType')]"
      }
    }
  },
  "kind": "template",
  "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "storageTemplate"
}
Positive test num. 6 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "storageAccountName": {
          "type": "string",
          "metadata": {
            "description": "Specifies the name of the Azure Storage account."
          }
        },
        "containerName": {
          "type": "string",
          "defaultValue": "logs",
          "metadata": {
            "description": "Specifies the name of the blob container."
          }
        },
        "location": {
          "type": "string",
          "defaultValue": "[resourceGroup().location]",
          "metadata": {
            "description": "Specifies the location in which the Azure Storage resources should be deployed."
          }
        }
      },
      "resources": [
        {
          "type": "Microsoft.Storage/storageAccounts",
          "apiVersion": "2019-06-01",
          "name": "[parameters('storageAccountName')]",
          "location": "[parameters('location')]",
          "sku": {
            "name": "Standard_LRS",
            "tier": "Standard"
          },
          "kind": "StorageV2",
          "properties": {
            "accessTier": "Hot"
          },
          "resources": [
            {
              "type": "blobServices/containers",
              "apiVersion": "2019-06-01",
              "name": "[concat('default/', parameters('containerName'))]",
              "dependsOn": [
                "[parameters('storageAccountName')]"
              ],
              "properties": {
                "denyEncryptionScopeOverride": true,
                "publicAccess": "Blob",
                "metadata": {}
              }
            }
          ]
        }
      ]
    },
    "resourceGroup": "storageRG",
    "parameters": {
      "storageAccountType": {
        "value": "[parameters('storageAccountType')]"
      }
    }
  },
  "kind": "template",
  "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "storageTemplate"
}

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {},
  "variables": {},
  "functions": [],
  "resources": [
    {
      "name": "blob/container/example",
      "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
      "apiVersion": "2021-02-01",
      "properties": {
        "denyEncryptionScopeOverride": true,
        "publicAccess": "None",
        "metadata": {}
      },
      "resources": []
    }
  ],
  "outputs": {}
}
Negative test num. 2 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "existingVNETName": {
      "type": "string",
      "metadata": {
        "description": "Name of the virtual network to use for cloud shell containers."
      }
    },
    "existingStorageSubnetName": {
      "type": "string",
      "metadata": {
        "description": "Name of the subnet to use for storage account."
      }
    },
    "existingContainerSubnetName": {
      "type": "string",
      "metadata": {
        "description": "Name of the subnet to use for cloud shell containers."
      }
    },
    "storageAccountName": {
      "type": "string",
      "metadata": {
        "description": "Name of the storage account in subnet."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    }
  },
  "variables": {
    "containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]",
    "storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard_LRS",
        "tier": "Standard"
      },
      "kind": "StorageV2",
      "properties": {
        "networkAcls": {
          "bypass": "None",
          "virtualNetworkRules": [
            {
              "id": "[variables('containerSubnetRef')]",
              "action": "Allow"
            },
            {
              "id": "[variables('storageSubnetRef')]",
              "action": "Allow"
            }
          ],
          "defaultAction": "Deny"
        },
        "supportsHttpsTrafficOnly": true,
        "encryption": {
          "services": {
            "file": {
              "keyType": "Account",
              "enabled": true
            },
            "blob": {
              "keyType": "Account",
              "enabled": true
            }
          },
          "keySource": "Microsoft.Storage"
        },
        "accessTier": "Cool"
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices",
      "apiVersion": "2019-06-01",
      "name": "[concat(parameters('storageAccountName'), '/default')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
      ],
      "sku": {
        "name": "Standard_LRS",
        "tier": "Standard"
      },
      "properties": {
        "deleteRetentionPolicy": {
          "enabled": false
        }
      },
      "resources": [
        {
          "type": "containers",
          "apiVersion": "2019-06-01",
          "name": "container",
          "properties": {
            "denyEncryptionScopeOverride": true,
            "publicAccess": "None",
            "metadata": {}
          }
        }
      ]
    }
  ]
}
Negative test num. 3 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string",
      "metadata": {
        "description": "Specifies the name of the Azure Storage account."
      }
    },
    "containerName": {
      "type": "string",
      "defaultValue": "logs",
      "metadata": {
        "description": "Specifies the name of the blob container."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Specifies the location in which the Azure Storage resources should be deployed."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard_LRS",
        "tier": "Standard"
      },
      "kind": "StorageV2",
      "properties": {
        "accessTier": "Hot"
      },
      "resources": [
        {
          "type": "blobServices/containers",
          "apiVersion": "2019-06-01",
          "name": "[concat('default/', parameters('containerName'))]",
          "dependsOn": [
            "[parameters('storageAccountName')]"
          ],
          "properties": {
            "denyEncryptionScopeOverride": true,
            "publicAccess": "None",
            "metadata": {}
          }
        }
      ]
    }
  ]
}

Negative test num. 4 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {},
      "variables": {},
      "functions": [],
      "resources": [
        {
          "name": "blob/container/example",
          "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
          "apiVersion": "2021-02-01",
          "properties": {
            "denyEncryptionScopeOverride": true,
            "publicAccess": "None",
            "metadata": {}
          },
          "resources": []
        }
      ],
      "outputs": {}
    },
    "resourceGroup": "storageRG",
    "parameters": {
      "storageAccountType": {
        "value": "[parameters('storageAccountType')]"
      }
    }
  },
  "kind": "template",
  "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "storageTemplate"
}
Negative test num. 5 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "existingVNETName": {
          "type": "string",
          "metadata": {
            "description": "Name of the virtual network to use for cloud shell containers."
          }
        },
        "existingStorageSubnetName": {
          "type": "string",
          "metadata": {
            "description": "Name of the subnet to use for storage account."
          }
        },
        "existingContainerSubnetName": {
          "type": "string",
          "metadata": {
            "description": "Name of the subnet to use for cloud shell containers."
          }
        },
        "storageAccountName": {
          "type": "string",
          "metadata": {
            "description": "Name of the storage account in subnet."
          }
        },
        "location": {
          "type": "string",
          "defaultValue": "[resourceGroup().location]",
          "metadata": {
            "description": "Location for all resources."
          }
        }
      },
      "variables": {
        "containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]",
        "storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]"
      },
      "resources": [
        {
          "type": "Microsoft.Storage/storageAccounts",
          "apiVersion": "2019-06-01",
          "name": "[parameters('storageAccountName')]",
          "location": "[parameters('location')]",
          "sku": {
            "name": "Standard_LRS",
            "tier": "Standard"
          },
          "kind": "StorageV2",
          "properties": {
            "networkAcls": {
              "bypass": "None",
              "virtualNetworkRules": [
                {
                  "id": "[variables('containerSubnetRef')]",
                  "action": "Allow"
                },
                {
                  "id": "[variables('storageSubnetRef')]",
                  "action": "Allow"
                }
              ],
              "defaultAction": "Deny"
            },
            "supportsHttpsTrafficOnly": true,
            "encryption": {
              "services": {
                "file": {
                  "keyType": "Account",
                  "enabled": true
                },
                "blob": {
                  "keyType": "Account",
                  "enabled": true
                }
              },
              "keySource": "Microsoft.Storage"
            },
            "accessTier": "Cool"
          }
        },
        {
          "type": "Microsoft.Storage/storageAccounts/blobServices",
          "apiVersion": "2019-06-01",
          "name": "[concat(parameters('storageAccountName'), '/default')]",
          "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
          ],
          "sku": {
            "name": "Standard_LRS",
            "tier": "Standard"
          },
          "properties": {
            "deleteRetentionPolicy": {
              "enabled": false
            }
          },
          "resources": [
            {
              "type": "containers",
              "apiVersion": "2019-06-01",
              "name": "container",
              "properties": {
                "denyEncryptionScopeOverride": true,
                "publicAccess": "None",
                "metadata": {}
              }
            }
          ]
        }
      ]
    },
    "resourceGroup": "storageRG",
    "parameters": {
      "storageAccountType": {
        "value": "[parameters('storageAccountType')]"
      }
    }
  },
  "kind": "template",
  "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "storageTemplate"
}
Negative test num. 6 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "storageAccountName": {
          "type": "string",
          "metadata": {
            "description": "Specifies the name of the Azure Storage account."
          }
        },
        "containerName": {
          "type": "string",
          "defaultValue": "logs",
          "metadata": {
            "description": "Specifies the name of the blob container."
          }
        },
        "location": {
          "type": "string",
          "defaultValue": "[resourceGroup().location]",
          "metadata": {
            "description": "Specifies the location in which the Azure Storage resources should be deployed."
          }
        }
      },
      "resources": [
        {
          "type": "Microsoft.Storage/storageAccounts",
          "apiVersion": "2019-06-01",
          "name": "[parameters('storageAccountName')]",
          "location": "[parameters('location')]",
          "sku": {
            "name": "Standard_LRS",
            "tier": "Standard"
          },
          "kind": "StorageV2",
          "properties": {
            "accessTier": "Hot"
          },
          "resources": [
            {
              "type": "blobServices/containers",
              "apiVersion": "2019-06-01",
              "name": "[concat('default/', parameters('containerName'))]",
              "dependsOn": [
                "[parameters('storageAccountName')]"
              ],
              "properties": {
                "denyEncryptionScopeOverride": true,
                "publicAccess": "None",
                "metadata": {}
              }
            }
          ]
        }
      ]
    },
    "resourceGroup": "storageRG",
    "parameters": {
      "storageAccountType": {
        "value": "[parameters('storageAccountType')]"
      }
    }
  },
  "kind": "template",
  "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "storageTemplate"
}