I was teaching an Azure developer course last week when one of the delegates had issues building some C# code that I had tested a few days before. The error message was “Public Blob not allowed on this storage account”.
My first stop was to review Azure Policy and see if there was an offending policy assigned. Nothing! Okay. What about resource locks? Nothing! What about the permissions of the authenticated user? All good! What?! I didn’t know of another way to prevent public blobs in a storage account outside of this. Are we using the client library incorrectly, I thought? But I quickly remembered that the same code had run successfully a few days before.
I started to poke around, and then I found this gem here (under Storage Account –> Configuration):
Microsoft must have released this silently in recent times, as I could not find any documentation on it. But here is what I found about it so far:
1. Configuring this option disables the ability to create anonymous containers and blobs in the storage account. The option will be greyed out if you use the portal and automated tools will fail with a variant of the “Public Blob not allowed on this storage account” error.
2. What if I enable this option on a storage account that already has anonymous containers and blobs? The setting will just disable this access. You’ll get an error message similar to this:
3. Is there a way for me to audit this or configure this on a subscription level? Yes, THERE SHOULD BE (the key word being SHOULD), but my test showed that the APIs seem not to be updated yet. In any case, once the APIs are updated, I already wrote a policy template that could be used to detect this. It can be found in my GitHub account here (I’ll update this page once Microsoft actually updates the API): https://github.com/davidokeyode/charis-cloud-azure-policy/tree/master/storage/storage-account-public-blob
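To show what such a subscription-level check looks like, here is an added Azure Policy definition (written for this post, not the template from the GitHub repo above). It assumes the setting is exposed on the storage account resource as the `allowBlobPublicAccess` property, reachable through the policy alias `Microsoft.Storage/storageAccounts/allowBlobPublicAccess`, which the post notes was not yet available when it was written. The rule uses `not`/`equals` rather than `notEquals` so that an account where the property is absent (the default, which still allows public blobs) is also flagged, and the effect is a parameter so the policy can be assigned as Audit first and switched to Deny later.

```json
{
  "properties": {
    "displayName": "Storage accounts should not allow public blob access",
    "description": "Audits or denies storage accounts where allowBlobPublicAccess is not explicitly set to false. Added example, assumes the allowBlobPublicAccess alias is available.",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit to report non-compliant accounts, Deny to block creation or updates that leave public access enabled."
        },
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "not": {
              "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
              "equals": "false"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assign it at the subscription or management group scope with `effect` set to Audit to get a compliance report of every account still allowing public blobs, then flip it to Deny once the remaining accounts have been remediated.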
Overall, I think this is great progress for Azure Storage security and I’ll definitely be including it in my Azure security assessment projects going forward! This will also resolve this long-running feature request – https://feedback.azure.com/forums/217298-storage/suggestions/34242376-azure-policy-for-preventing-public-blob-containers