Azure Storage Accounts Has Blob Container(s) With Public Access

'Public access level' lets you grant anonymous (public) read access to a container and the blobs it holds. Two public levels exist: 'BLOB' allows anonymous read access to individual blobs whose URL is known, and 'CONTAINER' additionally allows anonymous listing of the container's contents. Either level hands out read access without the account key and without a shared access signature, which means nothing limits who can read the data or for how long. This policy identifies blob containers within an Azure storage account whose access level is 'CONTAINER' or 'BLOB'. As a best practice, do not allow anonymous/public access to blob containers unless you have a very good reason; instead, issue a shared access signature (SAS) token, which provides controlled, time-limited access that can be scoped to specific permissions.

Policy Details

Policy Subtype
Run, Build
Severity
High
Template Type
Terraform

Build Rules

Azure storage accounts have blob container(s) with public access.
JSON Query:
$.resource.*.azurerm_storage_blob size greater than 0 and $.resource.*.azurerm_storage_container size greater than 0 and $.resource.*.azurerm_storage_container[*].*.[*].container_access_type anyEqual blob or $.resource.*.azurerm_storage_container[*].*.[*].container_access_type anyEqual container
Recommendation:
Ensure that the Azure Storage Account does not have blob container(s) with public access: every "azurerm_storage_container" resource in the template must have "container_access_type" set to "private" (omitting the attribute also yields the provider default, "private").
For example:
"azurerm_storage_container": [
  {
    "<storage_container_name>": [
      {
        "container_access_type": "private",
        "name": "content"
      }
    ]
  }
]
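The following is an added example, not Prisma Cloud's own rule engine or code from the azurerm provider: a stand-alone Python checker that applies the Build Rule's logic to a Terraform JSON template and then applies the Recommendation's fix. The sample template is constructed here in the layout the rule's JSONPath walks (resource -> [ { <type>: [ { <name>: [ {attrs} ] } ] } ], modelled on the recommendation snippet above; that layout is an assumption), and the check keeps the rule's precondition that an "azurerm_storage_blob" resource is also declared, for both the 'blob' and 'container' levels (an assumption about how the query's and/or chain is meant to bind). The resource names and attribute values are made up for illustration.

```python
"""Added example (not Prisma Cloud's or the azurerm provider's code): a
stand-alone checker that mirrors this policy's Build Rule over Terraform JSON."""
import copy
import json
from typing import Any, Iterator

# container_access_type values that grant anonymous read access.
# 'container' also allows anonymous listing of the container; 'blob' does not.
PUBLIC_ACCESS_TYPES = {"blob", "container"}

# Constructed sample in the layout the Build Rule's JSONPath walks (assumed):
# $.resource.*.<type>[*].*.[*]  ->  resource: [ { <type>: [ { <name>: [ {attrs} ] } ] } ]
VULNERABLE_TEMPLATE = json.loads("""
{
  "resource": [
    {
      "azurerm_storage_container": [
        { "content":  [ { "name": "content",
                          "storage_account_name": "${azurerm_storage_account.example.name}",
                          "container_access_type": "blob" } ] },
        { "logs":     [ { "name": "logs",
                          "storage_account_name": "${azurerm_storage_account.example.name}",
                          "container_access_type": "container" } ] },
        { "internal": [ { "name": "internal",
                          "storage_account_name": "${azurerm_storage_account.example.name}" } ] }
      ],
      "azurerm_storage_blob": [
        { "index": [ { "name": "index.html",
                       "storage_account_name": "${azurerm_storage_account.example.name}",
                       "storage_container_name": "${azurerm_storage_container.content.name}",
                       "type": "Block",
                       "source": "index.html" } ] }
      ]
    }
  ]
}
""")


def iter_resources(doc: dict[str, Any], rtype: str) -> Iterator[tuple[str, dict[str, Any]]]:
    """Yield (resource_name, attributes) for every resource of type `rtype`.

    Accepts `resource` either as the list of blocks shown above or as a
    single object; attribute dicts are yielded by reference.
    """
    resource = doc.get("resource", [])
    for block in (resource if isinstance(resource, list) else [resource]):
        for item in block.get(rtype, []):
            for name, attr_list in item.items():
                for attrs in attr_list:
                    yield name, attrs


def find_public_containers(doc: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (name, container_access_type) for each container the policy flags.

    As in the Build Rule, nothing is flagged unless the template also declares
    at least one azurerm_storage_blob. A missing container_access_type is the
    provider default, 'private', and is therefore compliant.
    """
    if next(iter_resources(doc, "azurerm_storage_blob"), None) is None:
        return []
    findings = []
    for name, attrs in iter_resources(doc, "azurerm_storage_container"):
        access = str(attrs.get("container_access_type", "private")).lower()
        if access in PUBLIC_ACCESS_TYPES:
            findings.append((name, access))
    return findings


def harden_template(doc: dict[str, Any]) -> dict[str, Any]:
    """Return a deep copy in which every public container is set to 'private',
    which is the change the Recommendation asks for. The input is not modified."""
    fixed = copy.deepcopy(doc)
    for _, attrs in iter_resources(fixed, "azurerm_storage_container"):
        if str(attrs.get("container_access_type", "private")).lower() in PUBLIC_ACCESS_TYPES:
            attrs["container_access_type"] = "private"
    return fixed


if __name__ == "__main__":
    for name, access in find_public_containers(VULNERABLE_TEMPLATE):
        print(f"FAIL azurerm_storage_container.{name}: container_access_type = {access!r}")
    print("after fix:", find_public_containers(harden_template(VULNERABLE_TEMPLATE)))
```

Run as a script it reports "content" ('blob') and "logs" ('container') and nothing after hardening; "internal" is not reported because an omitted container_access_type means the provider default, 'private'. Setting the level to 'private' is the container-level fix this policy asks for; it does not revoke any SAS tokens already issued for the container, so those should be reviewed separately if the container was previously exposed.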

Run Rule Recommendation

  1. Log in to the Azure portal.
  2. Select 'Storage Accounts'.
  3. Select the storage account you need to modify.
  4. Select 'Blobs'.
  5. Select the blob container you need to modify.
  6. Select 'Access Policy'.
  7. Set 'Public access level' to 'Private (no anonymous access)'.
  8. 'Save' your changes.

Compliance

There are 4 standards that are applicable to this policy:
  • PIPEDA
  • CIS v1.1 (Azure)
  • MITRE ATT&CK [Beta]
  • CCPA 2018
