
I am creating a policy to check if the Blob container access level is set to "Anonymous" in Azure Storage accounts.

This is the policy that I have created.

{
    "properties": {
        "displayName": "check if Blob container access level is set to Anonymous",
        "description": "check the container access level",
        "mode": "all",
        "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Storage/storageAccounts/blobServices/containers"
                    },
                    {
                        "not": {
                            "field": "Microsoft.Storage/storageAccounts/containers/publicAccess",
                            "equals": "False"
                        }
                    }
                ]
            },
            "then": {
                "effect": "Audit"
            }
        }
    }
}

It's not able to detect the container access level.

Seems like you have hit an open issue with Azure. Please refer to github.com/Azure/azure-policy#known-issues for details. Workaround (works for ARM only) is available at: github.com/Azure/azure-policy/issues/377#issuecomment-492040697 – humblebee

1 Answer


As the issue said, the Storage team is releasing a public access setting on the storage account towards Jun 30 2020. Customers can use it to control the public access on all containers in the storage account.

After it's released on storage, we will work with the Azure Policy team to integrate the setting with Azure Policy so customers can use Azure Policy to audit and govern public access across storage accounts.

We are working our best to ship the above features and capabilities as early as possible.
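An account-level audit policy of the kind the answer describes, added here as an example; it is not taken from the question, the answer, or any Azure-published definition. It assumes the storage-account alias Microsoft.Storage/storageAccounts/allowBlobPublicAccess (the account-level setting the answer refers to, which this page does not name) and that an account on which the property has never been set falls back to the platform default of allowing public access, which is why a missing property is treated as non-compliant alongside an explicit true. Both assumptions are restated in the policy's description field, since JSON has no comment syntax.

```json
{
    "properties": {
        "displayName": "Audit storage accounts that allow anonymous blob access",
        "description": "Added example, not an Azure built-in. Assumes the alias Microsoft.Storage/storageAccounts/allowBlobPublicAccess and that an account with the property unset defaults to allowing public access, so an absent property is flagged together with an explicit true.",
        "mode": "All",
        "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Storage/storageAccounts"
                    },
                    {
                        "anyOf": [
                            {
                                "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
                                "exists": "false"
                            },
                            {
                                "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
                                "notEquals": "false"
                            }
                        ]
                    }
                ]
            },
            "then": {
                "effect": "Audit"
            }
        }
    }
}
```

Because the condition is evaluated on the storage account rather than on each container, it does not depend on container-level evaluation, which is where the question's policy runs into the known issue linked in the comment; the trade-off is granularity, since the compliance report names accounts that permit anonymous containers rather than the individual containers. Assign it with the Audit effect first to measure the blast radius, and only switch to Deny once the accounts that legitimately serve public content have been identified and exempted.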