26 JUL
There are serious cloud data leaks every year, and each cloud provider offers its own controls for protecting its storage service. I will compare them in a later article. Today I will introduce the Azure Policy control that protects Azure Storage from anonymous public access.
For a long time Azure Storage exposed no ARM (control-plane) alias for the public-access level of blob containers, so Azure Policy could do nothing on the data plane for containers. Sounds familiar? Yes. Only a few services, such as Key Vault, expose data-plane settings at the policy level. Things are changing and getting better now, and we will see more data-plane controls that Azure Policy can act on.
Azure Policy
Long story short, there is a new alias that covers this setting:
Microsoft.Storage/storageAccounts/allowBlobPublicAccess
The alias maps to a storage-account property: when it is false, anonymous read access is refused for every container in the account regardless of each container's own public-access level. With this alias we can easily audit, and block, storage accounts in Azure that still permit public access. I will use the container service as the example here.
Compliance and Control
You can deploy the policy with different effects: Audit only records the compliance state of existing storage accounts, while Deny rejects any create or update request that leaves public access enabled, and remediation can then be driven from the compliance data. Here is an example of an audit policy that shows the compliance status.
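As an added example (not the original post's own definition), the following script builds a custom policy definition around the allowBlobPublicAccess alias, deploys it with the az CLI in either Audit or Deny mode, and lists the storage accounts the Audit assignment reports as non-compliant. The definition name, the /tmp file paths and the scope argument are assumptions chosen for illustration. The rule uses "not ... equals false" rather than "equals true" on purpose: Azure Policy evaluates equals on a missing field as false, and storage accounts created before the property existed carry no allowBlobPublicAccess value at all, so only the negated form reports them.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed names: the policy
# definition "deny-storage-public-access", the temp files under /tmp and the
# scope passed to deploy_policy.
set -e

# Emit the policy rule. A storage account with no allowBlobPublicAccess value
# (the platform default on older accounts) fails "equals false", so the "not"
# wrapper marks it non-compliant instead of letting it slip through.
policy_rule() {
  cat <<'EOF'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      {
        "not": {
          "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
          "equals": "false"
        }
      }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
EOF
}

# One definition serves both modes: Audit only records compliance state,
# Deny rejects the create/update request at the ARM layer.
policy_params() {
  cat <<'EOF'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit",
    "metadata": { "displayName": "Effect" }
  }
}
EOF
}

# Create the definition and assign it at a scope (subscription or resource
# group resource id). Usage: deploy_policy Audit /subscriptions/<id>
deploy_policy() {
  effect="$1"
  scope="$2"
  name="deny-storage-public-access"
  suffix=$(printf '%s' "$effect" | tr '[:upper:]' '[:lower:]')
  policy_rule   > /tmp/storage-public-rule.json
  policy_params > /tmp/storage-public-params.json
  az policy definition create --name "$name" --mode Indexed \
    --display-name "Storage accounts must not allow blob public access" \
    --rules /tmp/storage-public-rule.json \
    --params /tmp/storage-public-params.json
  az policy assignment create --name "${name}-${suffix}" --scope "$scope" \
    --policy "$name" --params "{\"effect\": {\"value\": \"$effect\"}}"
}

# Storage accounts the Audit assignment currently marks non-compliant.
report_noncompliant() {
  az policy state list --filter "ComplianceState eq 'NonCompliant'" \
    --query "[?resourceType=='microsoft.storage/storageaccounts'].resourceId" \
    -o tsv
}
```

Run it first with Audit to see how many accounts would be blocked, fix or exempt those, and only then create a second assignment with Deny; an unreviewed Deny assignment will also reject legitimate deployments that never set the property explicitly.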