Storage Blob Service Container With Public Access
- Query id: a0ab985d-660b-41f7-ac81-70957ee8e627
- Query name: Storage Blob Service Container With Public Access
- Platform: AzureResourceManager
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description¶
Storage Blob Service Container should not publicly accessible
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "blob/container/example",
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2021-02-01",
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "Container",
"metadata": {}
},
"resources": []
}
],
"outputs": {}
}
Positive test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"existingVNETName": {
"type": "string",
"metadata": {
"description": "Name of the virtual network to use for cloud shell containers."
}
},
"existingStorageSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for storage account."
}
},
"existingContainerSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for cloud shell containers."
}
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Name of the storage account in subnet."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]",
"storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "None",
"virtualNetworkRules": [
{
"id": "[variables('containerSubnetRef')]",
"action": "Allow"
},
{
"id": "[variables('storageSubnetRef')]",
"action": "Allow"
}
],
"defaultAction": "Deny"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
},
"accessTier": "Cool"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('storageAccountName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"deleteRetentionPolicy": {
"enabled": false
}
},
"resources": [
{
"type": "containers",
"apiVersion": "2019-06-01",
"name": "container",
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "Blob",
"metadata": {}
}
}
]
}
]
}
Positive test num. 3 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Specifies the name of the Azure Storage account."
}
},
"containerName": {
"type": "string",
"defaultValue": "logs",
"metadata": {
"description": "Specifies the name of the blob container."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Specifies the location in which the Azure Storage resources should be deployed."
}
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"accessTier": "Hot"
},
"resources": [
{
"type": "blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat('default/', parameters('containerName'))]",
"dependsOn": [
"[parameters('storageAccountName')]"
],
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "Blob",
"metadata": {}
}
}
]
}
]
}
Positive test num. 4 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "blob/container/example",
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2021-02-01",
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "Container",
"metadata": {}
},
"resources": []
}
],
"outputs": {}
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}
Positive test num. 5 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"existingVNETName": {
"type": "string",
"metadata": {
"description": "Name of the virtual network to use for cloud shell containers."
}
},
"existingStorageSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for storage account."
}
},
"existingContainerSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for cloud shell containers."
}
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Name of the storage account in subnet."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]",
"storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "None",
"virtualNetworkRules": [
{
"id": "[variables('containerSubnetRef')]",
"action": "Allow"
},
{
"id": "[variables('storageSubnetRef')]",
"action": "Allow"
}
],
"defaultAction": "Deny"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
},
"accessTier": "Cool"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('storageAccountName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"deleteRetentionPolicy": {
"enabled": false
}
},
"resources": [
{
"type": "containers",
"apiVersion": "2019-06-01",
"name": "container",
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "Blob",
"metadata": {}
}
}
]
}
]
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}
Positive test num. 6 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Specifies the name of the Azure Storage account."
}
},
"containerName": {
"type": "string",
"defaultValue": "logs",
"metadata": {
"description": "Specifies the name of the blob container."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Specifies the location in which the Azure Storage resources should be deployed."
}
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"accessTier": "Hot"
},
"resources": [
{
"type": "blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat('default/', parameters('containerName'))]",
"dependsOn": [
"[parameters('storageAccountName')]"
],
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "Blob",
"metadata": {}
}
}
]
}
]
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "blob/container/example",
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2021-02-01",
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "None",
"metadata": {}
},
"resources": []
}
],
"outputs": {}
}
Negative test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"existingVNETName": {
"type": "string",
"metadata": {
"description": "Name of the virtual network to use for cloud shell containers."
}
},
"existingStorageSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for storage account."
}
},
"existingContainerSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for cloud shell containers."
}
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Name of the storage account in subnet."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]",
"storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "None",
"virtualNetworkRules": [
{
"id": "[variables('containerSubnetRef')]",
"action": "Allow"
},
{
"id": "[variables('storageSubnetRef')]",
"action": "Allow"
}
],
"defaultAction": "Deny"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
},
"accessTier": "Cool"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('storageAccountName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"deleteRetentionPolicy": {
"enabled": false
}
},
"resources": [
{
"type": "containers",
"apiVersion": "2019-06-01",
"name": "container",
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "None",
"metadata": {}
}
}
]
}
]
}
Negative test num. 3 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Specifies the name of the Azure Storage account."
}
},
"containerName": {
"type": "string",
"defaultValue": "logs",
"metadata": {
"description": "Specifies the name of the blob container."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Specifies the location in which the Azure Storage resources should be deployed."
}
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"accessTier": "Hot"
},
"resources": [
{
"type": "blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat('default/', parameters('containerName'))]",
"dependsOn": [
"[parameters('storageAccountName')]"
],
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "None",
"metadata": {}
}
}
]
}
]
}
Negative test num. 4 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "blob/container/example",
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2021-02-01",
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "None",
"metadata": {}
},
"resources": []
}
],
"outputs": {}
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}
Negative test num. 5 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"existingVNETName": {
"type": "string",
"metadata": {
"description": "Name of the virtual network to use for cloud shell containers."
}
},
"existingStorageSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for storage account."
}
},
"existingContainerSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for cloud shell containers."
}
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Name of the storage account in subnet."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]",
"storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "None",
"virtualNetworkRules": [
{
"id": "[variables('containerSubnetRef')]",
"action": "Allow"
},
{
"id": "[variables('storageSubnetRef')]",
"action": "Allow"
}
],
"defaultAction": "Deny"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
},
"accessTier": "Cool"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('storageAccountName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"deleteRetentionPolicy": {
"enabled": false
}
},
"resources": [
{
"type": "containers",
"apiVersion": "2019-06-01",
"name": "container",
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "None",
"metadata": {}
}
}
]
}
]
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}
Negative test num. 6 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Specifies the name of the Azure Storage account."
}
},
"containerName": {
"type": "string",
"defaultValue": "logs",
"metadata": {
"description": "Specifies the name of the blob container."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Specifies the location in which the Azure Storage resources should be deployed."
}
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"accessTier": "Hot"
},
"resources": [
{
"type": "blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat('default/', parameters('containerName'))]",
"dependsOn": [
"[parameters('storageAccountName')]"
],
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "None",
"metadata": {}
}
}
]
}
]
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}