Jorge Bernhardt

How to disable anonymous public access for an Azure storage account


One of the security recommendations Microsoft established in Azure Security Center is to disable public access to storage accounts. In this post, I will show you how to configure a storage account to prevent anonymous public access using PowerShell and the Azure CLI.

Microsoft recommends that you do not allow public access to a storage account unless anonymous access is strictly necessary.

Important: Disallowing public access for a storage account overrides the public access settings for all containers in your storage account.

Prerequisites

  • This tutorial assumes that you already have a Microsoft Azure account configured.
  • You can use an existing Storage Account or create a new one. Check out this link if you want to know how to create a Storage Account using PowerShell.

Azure PowerShell Workaround

Check out this link if you want to know how to install the PowerShell Azure module on your machine. The simplest way to get started is to sign in interactively at the command line.

Connect-AzAccount

This cmdlet will bring up a dialog box prompting you for the email address and password associated with your Azure account. If you have more than one subscription associated with your account, you can choose the default one. To perform this task, we will use the following commands:

Get-AzSubscription
Select-AzSubscription -Subscription "My Subscription"

Once you set your default subscription, you are ready to start.

Set the variables

Here, we define the characteristics of our environment and the resource’s properties.

$resourceGroupName = "RG-DEMO-WE"
$stoAccountName = "stoaccdemo"

Get the current setting in your storage account

To get the current settings for your storage account, you should use the Get-AzStorageAccount cmdlet with the following syntax.

(Get-AzStorageAccount -Name $stoAccountName -ResourceGroupName $resourceGroupName ).AllowBlobPublicAccess

Disable public access on your Azure storage account

To change the value of the property AllowBlobPublicAccess, you should use the Set-AzStorageAccount cmdlet with the following syntax.

Set-AzStorageAccount `
    -AccountName $stoAccountName `
    -ResourceGroupName $resourceGroupName `
    -AllowBlobPublicAccess $false

Verify the changes made

Finally, you should use the following command to verify that the change has been made correctly.

(Get-AzStorageAccount -Name $stoAccountName -ResourceGroupName $resourceGroupName ).AllowBlobPublicAccess

Azure CLI Workaround

In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link. First, we define the characteristics of our environment and store the values in variables.

resourceGroupName="RG-DEMO-WE"
stoAccountName="stoaccdemo"

Get the current setting in your Azure storage account

To get the current settings for your storage account, you should use the following command.

az storage account show \
--name $stoAccountName \
--resource-group $resourceGroupName \
--query allowBlobPublicAccess

Disable public access to your storage account

To change the value of the property AllowBlobPublicAccess, you should use the following command.

az storage account update \
--name $stoAccountName \
--resource-group $resourceGroupName \
--allow-blob-public-access false

Verify the changes made

Finally, you should use the following command to verify that the change has been made correctly.

az storage account show \
--name $stoAccountName \
--resource-group $resourceGroupName \
--query allowBlobPublicAccess
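
The following is an added example, not part of the original post: it extends the single-account check above to every storage account in the active subscription and flags any account where allowBlobPublicAccess is not explicitly false. The function names and the accounts stoacclegacy and stoacclocked are hypothetical, and the sample listing is constructed.

```shell
#!/usr/bin/env bash
# Added example: audit allowBlobPublicAccess across a whole subscription.

# Constructed sample of the TSV listing produced by audit_subscription's
# az call: name, resource group, allowBlobPublicAccess. An unset property
# appears here as None; stoacclegacy and stoacclocked are made-up accounts.
SAMPLE_TSV="$(printf '%s\t%s\t%s\n' \
  stoaccdemo   RG-DEMO-WE True \
  stoacclegacy RG-DEMO-WE None \
  stoacclocked RG-DEMO-WE False)"

# Read "name<TAB>group<TAB>value" lines on stdin and print name and group
# for every account whose value is anything other than an explicit false.
# Unset values are flagged too, so they get reviewed rather than assumed safe.
flag_public_accounts() {
  awk -F '\t' 'NF >= 3 && tolower($3) != "false" { print $1 "\t" $2 }'
}

# List all storage accounts in the active subscription and keep the flagged ones.
audit_subscription() {
  az storage account list \
    --query "[].[name, resourceGroup, allowBlobPublicAccess]" \
    --output tsv | flag_public_accounts
}

# Apply the update command from this post to each flagged account.
remediate_subscription() {
  audit_subscription | while IFS="$(printf '\t')" read -r name group; do
    az storage account update \
      --name "$name" \
      --resource-group "$group" \
      --allow-blob-public-access false \
      --output none
    echo "public access disabled: $name ($group)"
  done
}
```

Run audit_subscription first and review the list before calling remediate_subscription, since disabling the setting at account level overrides every container in that account.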

Thanks for reading my post. I hope you find it helpful. If you want to know more about security recommendations for Azure storage accounts, check out this link.