last sync: 2021-Oct-25 16:02:14 UTC

Azure Policy definition

[Preview]: Storage account public access should be disallowed

Name: [Preview]: Storage account public access should be disallowed
Id: 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751
Version: 3.0.1-preview
Category: Storage
Description: Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.
Mode: Indexed
Type: BuiltIn
Preview: True
Deprecated: False
Effect: Default: audit; Allowed: (audit, deny, disabled)
Used RBAC Role: none
History

Date/Time (UTC, ymd) | Change type | Change detail
2021-08-30 14:27:30 | change | Major, suffix remains equal (2.0.1-preview > 3.0.1-preview)
2020-12-11 15:42:52 | change | Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)
2020-11-10 16:00:42 | change | Major, suffix remains equal (1.0.1-preview > 2.0.0-preview)
2020-08-27 15:39:26 | add | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751
Used in Initiatives

Initiative DisplayName | Initiative Id | Initiative Category | State
[Deprecated]: Azure Security Benchmark v2 | bb522ac1-bc39-4957-b194-429bcd3bcb0b | Regulatory Compliance | Deprecated
[Preview]: CMMC Level 3 | b5629c75-5c77-4422-87b9-2509e680f8de | Regulatory Compliance | Preview
[Preview]: NIST SP 800-53 Rev. 5 | 179d1daa-458f-4e47-8086-2a68d0d6c38f | Regulatory Compliance | Preview
Azure Security Benchmark | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Security Center | GA
CIS Microsoft Azure Foundations Benchmark v1.1.0 | 1a5bb27d-173f-493e-9568-eb56638dde4d | Regulatory Compliance | GA
CIS Microsoft Azure Foundations Benchmark v1.3.0 | 612b5213-9160-4969-8578-1518bd2a000c | Regulatory Compliance | GA
FedRAMP High | d5264498-16f4-418a-b659-fa7ef418175f | Regulatory Compliance | GA
FedRAMP Moderate | e95f5a9f-57ad-4d03-bb0b-b1d16db93693 | Regulatory Compliance | GA
NIST SP 800-53 Rev. 4 | cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f | Regulatory Compliance | GA
JSON
{
  "displayName": "[Preview]: Storage account public access should be disallowed",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",
  "metadata": {
    "version": "3.0.1-preview",
    "category": "Storage",
    "preview": true
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "The effect determines what happens when the policy rule is evaluated to match"
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "not": {
            "allOf": [
              {
                "field": "id",
                "contains": "/resourceGroups/aro-"
              },
              {
                "anyOf": [
                  {
                    "field": "name",
                    "like": "cluster*"
                  },
                  {
                    "field": "name",
                    "like": "imageregistry*"
                  }
                ]
              }
            ]
          }
        },
        {
          "not": {
            "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
            "equals": "false"
          }
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}