Governance Anti Patterns Storage - Azure/az-prototype GitHub Wiki

Storage

Storage account access and data exposure detection

Domain: storage

Checks (2)

Check Description
ANTI-STOR-001 Storage account shared key access enabled — disable shared key and use Entra ID RBAC with managed identity.
ANTI-STOR-002 Blob public access enabled — set allowBlobPublicAccess = false.

ANTI-STOR-001

Storage account shared key access enabled — disable shared key and use Entra ID RBAC with managed identity.

Rationale: Shared key authentication is a legacy pattern that bypasses Entra ID conditional access, PIM, and per-identity audit trails.
Agents: terraform-agent, bicep-agent

Targets

Services Triggers On Correct Patterns
  • Microsoft.Storage/storageAccounts
  • 'account-level keys'
  • 'account_key_enabled'
  • 'shared_key_access = true'
  • 'shared_access_key_enabled = false'
  • 'allowSharedKeyAccess = false'
  • '# Use Microsoft Entra RBAC with managed identity'

ANTI-STOR-002

Blob public access enabled — set allowBlobPublicAccess = false.

Rationale: Public blob access allows anonymous internet users to read container contents without any authentication.
Agents: terraform-agent, bicep-agent

Targets

Services Triggers On Correct Patterns
  • Microsoft.Storage/storageAccounts
  • 'allow_blob_public_access = true'
  • 'public_access = "blob"'
  • 'public_access = "container"'
  • 'allow_blob_public_access = false'
  • 'allowBlobPublicAccess = false'
  • 'public_access = "none"'
⚠️ **GitHub.com Fallback** ⚠️