This repository has been archived by the owner on Oct 24, 2023. It is now read-only.

Ensure VHD storage accounts are private #4985

Merged: 1 commit merged into Azure:master on Oct 19, 2022

Conversation

CecileRobertMichon
Contributor

Reason for Change:

By default, Azure storage accounts are public.

Microsoft recommends disallowing public access to a storage account unless the scenario requires it. Disallowing public access helps to prevent data breaches caused by undesired anonymous access. More info: https://azure.microsoft.com/en-gb/updates/choose-to-allow-or-disallow-blob-public-access-on-azure-storage-accounts/

Issue Fixed:

Credit Where Due:

Does this change contain code from or inspired by another project?

  • No
  • Yes

If "Yes," did you notify that project's maintainers and provide attribution?

  • No
  • Yes

Requirements:

Notes:

@CecileRobertMichon
Contributor Author

I don't believe any AKS Engine scenarios require blob public access for storage accounts, and publishing should be fine since it uses a shared access signature to reach the containers, but please let me know if you know otherwise.

@jackfrancis jackfrancis (Member) left a comment

/lgtm

@jackfrancis
Member

@CecileRobertMichon VHD pipeline job passed and output looks good:

creating new storage account aksimages166613721814017
{
  "accessTier": "Hot",
  "allowBlobPublicAccess": false,
  "allowCrossTenantReplication": null,
  "allowSharedKeyAccess": null,
  "azureFilesIdentityBasedAuthentication": null,
  "blobRestoreStatus": null,
  "creationTime": "2022-10-18T23:53:43.053473+00:00",
  "customDomain": null,
  "enableHttpsTrafficOnly": true,
  "enableNfsV3": null,
  "encryption": {
    "encryptionIdentity": null,
    "keySource": "Microsoft.Storage",
    "keyVaultProperties": null,
    "requireInfrastructureEncryption": null,
    "services": {
      "blob": {
        "enabled": true,
        "keyType": "Account",
        "lastEnabledTime": "2022-10-18T23:53:43.834726+00:00"
      },
      "file": {
        "enabled": true,
        "keyType": "Account",
        "lastEnabledTime": "2022-10-18T23:53:43.834726+00:00"
      },
      "queue": null,
      "table": null
    }
  },

("allowBlobPublicAccess": false in particular)

Thanks!
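The PR's rationale (public blob access is off only when `allowBlobPublicAccess` is explicitly `false`) and the pipeline output above suggest a simple audit: feed the JSON that `az storage account list -o json` or `az storage account show` prints into a check that flags every account whose setting is not `false`, and, since the output above also shows `enableHttpsTrafficOnly`, flag plain-HTTP accounts too. The script below is an added example written for this page; it is not aks-engine code, and the three account records it contains are constructed to mirror the field names in the output above (names and values are invented). `null` is deliberately treated as a finding, because the PR text notes that an unset value historically meant public access was allowed.

```python
"""Audit Azure storage account JSON for blob public access and HTTPS-only.

Added example (not aks-engine code). Input is the JSON printed by
`az storage account list -o json` (a list) or `az storage account show`
(a single object). Sample data below is constructed, not a real account.
"""
import json
from typing import Any, Dict, List

# Constructed sample with the same field names as `az storage account show`.
SAMPLE_JSON = """
[
  {"name": "aksimagesexample1", "allowBlobPublicAccess": false,
   "enableHttpsTrafficOnly": true},
  {"name": "legacyimages2", "allowBlobPublicAccess": true,
   "enableHttpsTrafficOnly": true},
  {"name": "unsetaccount3", "allowBlobPublicAccess": null,
   "enableHttpsTrafficOnly": false}
]
"""


def audit_accounts(accounts: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Return {account name: [findings]} for every account that fails a check.

    allowBlobPublicAccess passes only when it is explicitly False: True is
    public, and None (JSON null) means the property was never set, which the
    PR description says defaulted to public on older accounts.
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        problems = []
        public = acct.get("allowBlobPublicAccess")
        if public is not False:
            problems.append(
                f"allowBlobPublicAccess is not false (value: {public!r})")
        if acct.get("enableHttpsTrafficOnly") is not True:
            problems.append("enableHttpsTrafficOnly is not true")
        if problems:
            findings[acct.get("name", "<unnamed>")] = problems
    return findings


def audit_json(text: str) -> Dict[str, List[str]]:
    """Accept a single account object or the list that `list` prints."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = [data]
    return audit_accounts(data)


if __name__ == "__main__":
    # Replace SAMPLE_JSON with `az storage account list -o json` output in use.
    for name, problems in audit_json(SAMPLE_JSON).items():
        print(name)
        for p in problems:
            print("  -", p)
```

On the constructed sample only `aksimagesexample1` passes; the account with `true` and the account with `null` are both reported. In practice, pipe the real CLI output into `audit_json` and treat any reported account as one to fix with `az storage account update --allow-blob-public-access false`.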

@jackfrancis jackfrancis merged commit 39bc727 into Azure:master Oct 19, 2022