In this article, we’ll walk you through the steps to create an Azure Policy that prevents users from creating storage accounts with public blob access.
Public blob access in Azure storage accounts can expose your data to the internet, making it vulnerable to unauthorized access and other security risks. To prevent this, it’s important to restrict users from creating storage accounts with public blob access.
One way to achieve this is by using Azure Policy, a service that helps you enforce rules and regulations for your Azure resources.
By the end of this tutorial, you’ll have a better understanding of how Azure Policy works and how you can use it to enforce security and compliance in your Azure environment.
Before we configure the Azure Policy, let's first look at the storage account setting that stops users from creating blob containers with public access enabled.
New Storage Accounts
For a new Storage Account, go to the Advanced tab while creating it and uncheck Allow enabling public access on containers, as shown below.
Existing Storage Accounts
If you want to apply this to an existing Storage Account, open its Configuration blade and set Allow Blob public access to Disabled, as shown below.
Once the option is disabled, you can no longer create a container with public access: the Public access level dropdown is greyed out, as shown below.
It's a good practice to disable public access for containers on every Storage Account using the options explained above. However, with many accounts and many people creating them, it is easy to miss this option on one of them.
For compliance and governance, we can use Azure Policy to prevent anyone from creating a Storage Account with public blob access enabled, so the setting cannot be missed. Let's learn how to create and assign such a policy.
Configure Azure Policy
Search for Policy in the search bar, open Definitions, and then select Storage in the Category dropdown, as shown below.
Selecting the Storage category filters the list down to the policies related to Storage Accounts. Scroll down a little and select Storage account public access should be disallowed (currently in preview), as shown below.
Clicking on Storage account public access should be disallowed (currently in preview) opens the definition page, from which you assign it to a scope (Management Group, Subscription or Resource Group).
Click the Assign button, which opens the assignment page where you can select the Scope, as shown below.
Clicking the Scope picker opens a popup where you can choose either a Management Group, or a Subscription and optionally a Resource Group. In my case, I selected a Subscription and clicked the Select button, as shown below.
Go to the Parameters section and uncheck Only show parameters that need input or review. This reveals the Effect dropdown, which defaults to Audit; select Deny, as shown below. With Audit the policy only reports non-compliant accounts, whereas Deny rejects the create or update request.
Click the Review + Create button, optionally reviewing the other steps and configuring the policy as per your needs.
The assignment can take up to 30 minutes to take effect. You can open the Assignments section and check that the policy has been assigned to the scope, as shown below.
Going forward, no one can create a Storage Account with Allow enabling public access on containers enabled at that scope, whether from the portal or by any other means (CLI, PowerShell, SDKs, ARM templates), because Azure Policy evaluates the request itself rather than the client. Note that the Deny effect only blocks new create and update requests: accounts that already had public access enabled before the assignment are not changed, but they appear as non-compliant in the policy's Compliance view, so review and fix those separately. In such a case Azure will throw an error as shown below.
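To see what the assignment actually checks, here is a local dry-run, added here as an example; it is not code from the original article and not Azure's policy engine. It embeds a policy definition modeled on the built-in Storage account public access should be disallowed definition (the exact rule text is an assumption; compare it against the JSON view of the built-in in the portal), a minimal evaluator for the three operators that rule uses, and a few constructed storage account request bodies. With the Effect parameter set to Deny as in the steps above, a request that sets allowBlobPublicAccess to true is denied, and so is one that omits the property entirely, which is the "missed the checkbox" case; only an explicit false passes, and resources of other types are not in scope of the rule.

```python
"""Local dry-run of an Azure Policy rule that disallows public blob access.

Added example, not code from the original article or from Azure. The definition
below is modeled on the built-in "Storage account public access should be
disallowed" policy; its exact rule text is an assumption (compare it with the
JSON view of the built-in in the portal). The request bodies are constructed
samples of what ARM would receive on a storage account create or update.
"""
import json

POLICY_DEFINITION = json.loads("""
{
  "properties": {
    "displayName": "Storage account public access should be disallowed",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
          {"not": {
            "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
            "equals": "false"
          }}
        ]
      },
      "then": {"effect": "[parameters('effect')]"}
    }
  }
}
""")

# Parameters the Assign step in the article sets (Effect = Deny).
ASSIGNMENT_PARAMETERS = {"effect": "Deny"}

# Constructed ARM request bodies (not captured from a real subscription).
SAMPLE_REQUESTS = {
    "public_disabled": {
        "type": "Microsoft.Storage/storageAccounts", "name": "stexample001",
        "properties": {"allowBlobPublicAccess": False},
    },
    "public_enabled": {
        "type": "Microsoft.Storage/storageAccounts", "name": "stexample002",
        "properties": {"allowBlobPublicAccess": True},
    },
    # The "forgot to change the option" case: the property is not sent at all.
    "property_omitted": {
        "type": "Microsoft.Storage/storageAccounts", "name": "stexample003",
        "properties": {},
    },
    "not_a_storage_account": {
        "type": "Microsoft.KeyVault/vaults", "name": "kvexample",
        "properties": {},
    },
}

ALIAS_PREFIX = "Microsoft.Storage/storageAccounts/"


def _field_value(resource, field):
    """Resolve the two alias forms this rule uses: 'type' and a property alias."""
    if field == "type":
        return resource.get("type")
    if field.startswith(ALIAS_PREFIX):
        return resource.get("properties", {}).get(field[len(ALIAS_PREFIX):])
    raise ValueError(f"unsupported alias: {field}")


def _condition(resource, cond):
    """Evaluate the allOf / not / field-equals subset of the policy language."""
    if "allOf" in cond:
        return all(_condition(resource, c) for c in cond["allOf"])
    if "not" in cond:
        return not _condition(resource, cond["not"])
    if "field" in cond and "equals" in cond:
        value = _field_value(resource, cond["field"])
        # Azure Policy compares strings case-insensitively; a missing field never equals.
        return value is not None and str(value).lower() == str(cond["equals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, parameters=None, definition=POLICY_DEFINITION):
    """Return the effect applied to a request body, or None when the rule does not match."""
    props = definition["properties"]
    params = {k: v.get("defaultValue") for k, v in props["parameters"].items()}
    params.update(parameters or {})
    rule = props["policyRule"]
    if not _condition(resource, rule["if"]):
        return None
    effect = rule["then"]["effect"]
    # Resolve the "[parameters('effect')]" template expression against the assignment.
    if effect.startswith("[parameters('") and effect.endswith("')]"):
        effect = params[effect[len("[parameters('"):-len("')]")]]
    return effect


def evaluate_all(parameters=None):
    """Map each sample request name to the effect the assignment would apply."""
    return {name: evaluate(body, parameters) for name, body in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, effect in evaluate_all(ASSIGNMENT_PARAMETERS).items():
        print(f"{name:24} -> {effect or 'not in scope of rule'}")
```

The evaluator only implements the operators this one rule needs; the real engine supports many more (anyOf, in, like, count and so on) and resolves aliases from the published alias list, so treat this as a way to reason about the rule, not as a substitute for checking compliance in the portal. The useful lesson is the `not`/`equals "false"` shape: it makes an unset property non-compliant, which is exactly why the policy catches the case where the option was simply never changed.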
From the Portal
When you try to create a Storage Account from the portal with Allow enabling public access on containers enabled, the deployment fails with a Resource was disallowed by policy error, as shown below.
Using Azure CLI
If you then try to create a container with public access using Azure CLI (or any SDK) on an account that was created under this policy, you receive an error with the message Public access is not permitted on this storage account, as shown below. This message comes from the storage account's own Allow Blob public access setting being Disabled; the policy's job is to make sure every account in scope is created that way.
In this article, we have learnt how to prevent users from creating a Storage Account with public blob access enabled, by disabling the setting on the account and enforcing it with an Azure Policy assignment using the Deny effect.
Do you like this article? If you want to get more updates about this kind of article, you can join my Learning Groups.