Prevent anonymous public read access to containers and blobs

Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but may also present a security risk. It's important to manage anonymous access judiciously and to understand how to evaluate anonymous access to your data. Operational complexity, human error, or malicious attack against data that is publicly accessible can result in costly data breaches. Azure recommends that you enable anonymous access only when necessary for your application scenario.

By default, public access to your blob data is always prohibited. However, the default configuration for a storage account permits a user with appropriate permissions to configure public access to containers and blobs in a storage account. For enhanced security, you can disallow all public access to the storage account, regardless of the public access setting for an individual container. Disallowing public access to the storage account prevents a user from enabling public access for a container in the account. Azure recommends that you disallow public access to a storage account unless your scenario requires it. Disallowing public access helps to prevent data breaches caused by undesired anonymous access.

When you disallow public blob access for the storage account, Azure Storage rejects all anonymous requests to that account. After public access is disallowed for an account, containers in that account cannot be subsequently configured for public access. Any containers that have already been configured for public access will no longer accept anonymous requests. For more information, see Configure anonymous public read access for containers and blobs.

This article describes how to use a DRAG (Detection-Remediation-Audit-Governance) framework to continuously manage public access for your storage accounts.

Detect anonymous requests from client applications

When you disallow public read access for a storage account, you risk rejecting requests to containers and blobs that are currently configured for public access. Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account. When public access is disallowed for the storage account, any future anonymous requests to that account will fail.

To understand how disallowing public access may affect client applications, Azure recommends that you enable logging and metrics for that account and analyze patterns of anonymous requests over an interval of time. Use metrics to determine the number of anonymous requests to the storage account, and use logs to determine which containers are being accessed anonymously.

Monitor anonymous requests with Metrics Explorer

To track anonymous requests to a storage account, use Azure Metrics Explorer in the Azure portal. For more information about Metrics Explorer, see Getting started with Azure Metrics Explorer.

Follow these steps to create a metric that tracks anonymous requests:

  1. Navigate to your storage account in the Azure portal. Under the Monitoring section, select Metrics.

  2. Select Add metric. In the Metric dialog, specify the following values:

    1. Leave the Scope field set to the name of the storage account.
    2. Set the Metric Namespace to Blob. This metric will report requests against Blob storage only.
    3. Set the Metric field to Transactions.
    4. Set the Aggregation field to Sum.

    The new metric will display the sum of the number of transactions against Blob storage over a given interval of time. The resulting metric appears as shown in the following image:

    Screenshot showing how to configure the metric to sum blob transactions

  3. Next, select the Add filter button to create a filter on the metric for anonymous requests.

  4. In the Filter dialog, specify the following values:

    1. Set the Property value to Authentication.
    2. Set the Operator field to the equal sign (=).
    3. Set the Values field to Anonymous.

  5. In the upper-right corner, select the time interval over which you want to view the metric. You can also indicate how granular the aggregation of requests should be, by specifying intervals anywhere from 1 minute to 1 month.

After you have configured the metric, anonymous requests will begin to appear on the graph. The following image shows anonymous requests aggregated over the past thirty minutes.

Screenshot showing aggregated anonymous requests against Blob storage

You can also configure an alert rule to notify you when a certain number of anonymous requests are made against your storage account. For more information, see Create, view, and manage metric alerts using Azure Monitor.

Remediate anonymous public access

After you have evaluated anonymous requests to containers and blobs in your storage account, you can take action to limit or prevent public access. If some containers in your storage account may need to be available for public access, then you can configure the public access setting for each container in your storage account. This option provides the most granular control over public access. For more information, see Set the public access level for a container.

For enhanced security, you can disallow public access for the whole storage account. The public access setting for a storage account overrides the individual settings for containers in that account. When you disallow public access for a storage account, any containers that are configured to permit public access are no longer accessible anonymously. For more information, see Allow or disallow public read access for a storage account.

If your scenario requires that certain containers need to be available for public access, it may be advisable to move those containers and their blobs into storage accounts that are reserved for public access. You can then disallow public access for any other storage accounts.
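The remediation described above can be scripted. The following PowerShell is an added example, not code from the original article: it first lists the containers whose own access level is something other than Off (the ones whose anonymous clients would start failing), then disallows public access at the account level and reads the property back. It assumes the Az.Storage module is installed and Connect-AzAccount has been run; the bracketed values are placeholders.

```powershell
# Added example (not from the original article): inventory containers that currently
# allow anonymous access, then disallow public access for the whole account.
# Assumes the Az.Storage module is installed and Connect-AzAccount has been run.
# Replace the placeholder values in brackets with your own values.
$rgName      = "<resource-group>"
$accountName = "<storage-account>"

$storageAccount = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName
$ctx = $storageAccount.Context

# Step 1: find containers whose container-level access is Blob or Container
# (anything other than Off). Compare this list against the anonymous-request
# metrics and logs gathered in the detection phase before locking the account.
$publicContainers = Get-AzStorageContainer -Context $ctx |
    Where-Object { $_.PublicAccess -ne 'Off' }

if ($publicContainers) {
    Write-Warning "Containers currently allowing anonymous access in ${accountName}:"
    $publicContainers | Select-Object Name, PublicAccess | Format-Table -AutoSize
}

# Step 2: disallow public access for the whole account. This overrides every
# container-level setting above: the containers keep their own setting, but
# anonymous requests to them are rejected from now on.
Set-AzStorageAccount -ResourceGroupName $rgName -Name $accountName `
    -AllowBlobPublicAccess $false | Out-Null

# Step 3: read the property back. It should now be False rather than null or True.
$current = (Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName).AllowBlobPublicAccess
"AllowBlobPublicAccess for ${accountName}: $current"
```

If the inventory in step 1 shows containers that a legitimate scenario still needs to expose, move them to a storage account reserved for public access (as the article recommends) before running step 2 against the account that hosts everything else.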

Verify that public access to a blob is not permitted

To verify that public access to a specific blob is disallowed, you can attempt to download the blob via its URL. If the download succeeds, then the blob is still publicly available. If the blob is not publicly accessible because public access has been disallowed for the storage account, then you will see an error message indicating that public access is not permitted on this storage account.

The following example shows how to use PowerShell to attempt to download a blob via its URL. Remember to replace the placeholder values in brackets with your own values:

$url = "<absolute-url-to-blob>"
$downloadTo = "<file-path-for-download>"
Invoke-WebRequest -Uri $url -OutFile $downloadTo -ErrorAction Stop

Verify that modifying the container's public access setting is not permitted

To verify that a container's public access setting cannot be modified after public access is disallowed for the storage account, you can attempt to modify the setting. Changing the container's public access setting will fail if public access is disallowed for the storage account.

The following example shows how to use PowerShell to attempt to change a container's public access setting. Remember to replace the placeholder values in brackets with your own values:

$rgName = "<resource-group>"
$accountName = "<storage-account>"
$containerName = "<container-name>"

$storageAccount = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName
$ctx = $storageAccount.Context

Set-AzStorageContainerAcl -Context $ctx -Container $containerName -Permission Blob

Verify that creating a container with public access enabled is not permitted

If public access is disallowed for the storage account, then you will not be able to create a new container with public access enabled. To verify, you can attempt to create a container with public access enabled.

The following example shows how to use PowerShell to attempt to create a container with public access enabled. Remember to replace the placeholder values in brackets with your own values:

$rgName = "<resource-group>"
$accountName = "<storage-account>"
$containerName = "<container-name>"

$storageAccount = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName
$ctx = $storageAccount.Context

New-AzStorageContainer -Name $containerName -Permission Blob -Context $ctx
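The three verification checks above share a property: each is an operation that must fail once public access is disallowed, so a successful result is the finding. The following PowerShell is an added example, not code from the original article; it runs all three checks in one pass and reports whether each was rejected. It assumes Az.Storage is installed, Connect-AzAccount has been run, and the account has already had public access disallowed. The helper function name Test-Rejected and the bracketed values are this example's own placeholders.

```powershell
# Added example (not from the original article): run the article's three
# verification checks in one script and report whether each was rejected.
# Assumes Az.Storage is installed and Connect-AzAccount has been run.
# Replace the placeholder values in brackets with your own values.
$rgName        = "<resource-group>"
$accountName   = "<storage-account>"
$containerName = "<container-name>"      # an existing container, used for the ACL check
$newContainer  = "<new-container-name>"  # a container name that does not exist yet
$blobUrl       = "<absolute-url-to-blob>"

$storageAccount = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName
$ctx = $storageAccount.Context

# Each check wraps an operation that MUST fail when public access is disallowed.
# The account counts as locked down only when the operation throws.
function Test-Rejected {
    param([string]$Name, [scriptblock]$Operation)
    try {
        & $Operation | Out-Null
        [pscustomobject]@{ Check = $Name; Rejected = $false; Detail = 'Operation succeeded: public access is still possible' }
    }
    catch {
        [pscustomobject]@{ Check = $Name; Rejected = $true; Detail = $_.Exception.Message }
    }
}

$results = @(
    # No credentials are attached, so this request is anonymous by construction.
    Test-Rejected 'Anonymous blob download' {
        Invoke-WebRequest -Uri $blobUrl -OutFile (Join-Path $env:TEMP 'anon-check.bin') -ErrorAction Stop
    }
    Test-Rejected 'Set container ACL to Blob' {
        Set-AzStorageContainerAcl -Context $ctx -Container $containerName -Permission Blob -ErrorAction Stop
    }
    Test-Rejected 'Create container with public access' {
        New-AzStorageContainer -Name $newContainer -Permission Blob -Context $ctx -ErrorAction Stop
    }
)

$results | Format-Table -AutoSize

# Overall verdict: every one of the operations must have been rejected.
if ($results.Rejected -contains $false) {
    Write-Warning "Public access is still permitted on $accountName through at least one path."
} else {
    "All three operations were rejected: public access is disallowed on $accountName."
}
```

Note that the second and third checks attempt real changes: if either succeeds, the script has just set a container to public access or created a public container, which is exactly the condition the account-level setting is meant to prevent. Treat a non-rejected result as a finding to remediate immediately, not only as a failed test.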

Check the public access setting for multiple accounts

To check the public access setting across a set of storage accounts efficiently, you can use the Azure Resource Graph Explorer in the Azure portal. To learn more about using the Resource Graph Explorer, see Quickstart: Run your first Resource Graph query using Azure Resource Graph Explorer.

The AllowBlobPublicAccess property is not set for a storage account by default and does not return a value until you explicitly set it. The storage account permits public access when the property value is either null or true.

Running the following query in the Resource Graph Explorer returns a list of storage accounts and displays the public access setting for each account:

resources
| where type =~ 'Microsoft.Storage/storageAccounts'
| extend allowBlobPublicAccess = parse_json(properties).allowBlobPublicAccess
| project subscriptionId, resourceGroup, name, allowBlobPublicAccess

The following image shows the results of a query across a subscription. Note that for storage accounts where the AllowBlobPublicAccess property has been explicitly set, it appears in the results as true or false. If the AllowBlobPublicAccess property has not been set for a storage account, it appears as blank (or null) in the query results.

Screenshot showing query results for the public access setting across storage accounts
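Because a null value permits public access just as an explicit true does, a report that only lists the raw property is easy to misread. The following PowerShell is an added example, not code from the original article: it runs the article's Resource Graph query through the Az.ResourceGraph module, narrows it to accounts whose setting is null or true, pages through results beyond the 1000-row limit of a single call, and labels null values explicitly. It assumes Az.ResourceGraph is installed and Connect-AzAccount has been run.

```powershell
# Added example (not from the original article): run the article's Resource Graph
# query from PowerShell and keep only accounts that still permit public access
# (allowBlobPublicAccess is null or true). Assumes Az.ResourceGraph is installed
# and Connect-AzAccount has been run.
$query = @"
resources
| where type =~ 'Microsoft.Storage/storageAccounts'
| extend allowBlobPublicAccess = tobool(properties.allowBlobPublicAccess)
| where isnull(allowBlobPublicAccess) or allowBlobPublicAccess == true
| project subscriptionId, resourceGroup, name, allowBlobPublicAccess
| order by subscriptionId asc, name asc
"@

# Search-AzGraph returns at most 1000 rows per call; page with -Skip until a
# short page comes back so large tenants are covered completely.
$pageSize  = 1000
$skip      = 0
$permitted = @()
do {
    $page = Search-AzGraph -Query $query -First $pageSize -Skip $skip
    $permitted += $page
    $skip += $pageSize
} while ($page.Count -eq $pageSize)

# A null value means the account has never been locked down; report it in the
# same list as explicit true rather than letting it show as a blank cell.
$permitted |
    Select-Object subscriptionId, resourceGroup, name,
        @{ Name = 'allowBlobPublicAccess'
           Expression = { if ($null -eq $_.allowBlobPublicAccess) { 'null (never set)' } else { $_.allowBlobPublicAccess } } } |
    Format-Table -AutoSize

"$($permitted.Count) storage account(s) still permit public blob access."
```

Search-AzGraph queries every subscription the signed-in identity can read, so the count at the end is a tenant-wide figure; pass -Subscription to restrict it when you only own part of the estate.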

Use Azure Policy to audit for compliance

If you have a large number of storage accounts, you may want to perform an audit to make sure that those accounts are configured to prevent public access. To audit a set of storage accounts for their compliance, use Azure Policy. Azure Policy is a service that you can use to create, assign, and manage policies that apply rules to Azure resources. Azure Policy helps you to keep those resources compliant with your corporate standards and service level agreements. For more information, see Overview of Azure Policy.

Create a policy with an Audit effect

Azure Policy supports effects that determine what happens when a policy rule is evaluated against a resource. The Audit effect creates a warning when a resource is not in compliance, but does not stop the request. For more information about effects, see Understand Azure Policy effects.

To create a policy with an Audit effect for the public access setting for a storage account with the Azure portal, follow these steps:

  1. In the Azure portal, navigate to the Azure Policy service.

  2. Under the Authoring section, select Definitions.

  3. Select Add policy definition to create a new policy definition.

  4. For the Definition location field, select the More button to specify where the audit policy resource is located.

  5. Specify a name for the policy. You can optionally specify a description and category.

  6. Under Policy rule, add the following policy definition to the policyRule section.

    {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "not": {
              "field":"Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
              "equals": "false"
            }
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
    
  7. Save the policy.

Assign the policy

Next, assign the policy to a resource. The scope of the policy corresponds to that resource and any resources beneath it. For more information on policy assignment, see Azure Policy assignment structure.

To assign the policy with the Azure portal, follow these steps:

  1. In the Azure portal, navigate to the Azure Policy service.
  2. Under the Authoring section, select Assignments.
  3. Select Assign policy to create a new policy assignment.
  4. For the Scope field, select the scope of the policy assignment.
  5. For the Policy definition field, select the More button, then select the policy you defined in the previous section from the list.
  6. Provide a name for the policy assignment. The description is optional.
  7. Leave Policy enforcement set to Enabled. This setting has no effect on the audit policy.
  8. Select Review + create to create the assignment.

View compliance report

After you've assigned the policy, you can view the compliance report. The compliance report for an audit policy provides information on which storage accounts are not in compliance with the policy. For more information, see Get policy compliance data.

It may take several minutes for the compliance report to become available after the policy assignment is created.

To view the compliance report in the Azure portal, follow these steps:

  1. In the Azure portal, navigate to the Azure Policy service.

  2. Select Compliance.

  3. Filter the results for the name of the policy assignment that you created in the previous step. The report shows how many resources are not in compliance with the policy.

  4. You can drill down into the report for additional details, including a list of storage accounts that are not in compliance.

    Screenshot showing the compliance report for the audit policy for blob public access

Use Azure Policy to enforce authorized access

Azure Policy supports cloud governance by ensuring that Azure resources adhere to requirements and standards. To ensure that storage accounts in your organization permit only authorized requests, you can create a policy that prevents the creation of a new storage account with a public access setting that allows anonymous requests. This policy will also prevent all configuration changes to an existing account if the public access setting for that account is not compliant with the policy.

The enforcement policy uses the Deny effect to prevent a request that would create or modify a storage account to allow public access. For more information about effects, see Understand Azure Policy effects.

To create a policy with a Deny effect for a public access setting that allows anonymous requests, follow the same steps described in Use Azure Policy to audit for compliance, but provide the following JSON in the policyRule section of the policy definition:

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
      {
        "not": {
          "field":"Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
          "equals": "false"
        }
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

After you create the policy with the Deny effect and assign it to a scope, a user cannot create a storage account that allows public access. Nor can a user make any configuration changes to an existing storage account that currently allows public access. Attempting to do so results in an error. The public access setting for the storage account must be set to false to proceed with account creation or configuration.

The following image shows the error that occurs if you try to create a storage account that allows public access (the default for a new account) when a policy with a Deny effect requires that public access is disallowed.

Screenshot showing the error that occurs when creating a storage account in violation of the policy
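The audit procedure (define the policy, assign it, then read the compliance report) and the enforcement policy just described differ only in the effect value in the rule. The following PowerShell is an added example, not code from the original article: it creates a definition from the article's policyRule JSON with the effect chosen by one variable, assigns it at a scope, triggers a compliance scan and lists the non-compliant storage accounts. It assumes the Az.Resources and Az.PolicyInsights modules are installed, Connect-AzAccount has been run, and a subscription-level scope; the definition and assignment names are this example's own choices.

```powershell
# Added example (not from the original article): create, assign and check the
# article's policy from PowerShell instead of the portal. Assumes Az.Resources
# and Az.PolicyInsights are installed and Connect-AzAccount has been run.
# Set $effect to 'audit' for the audit policy or 'deny' for the enforcement
# policy; the rule is otherwise identical to the JSON in the article.
$effect         = 'audit'                             # or 'deny'
$scope          = "/subscriptions/<subscription-id>"  # placeholder: subscription scope assumed
$definitionName = "disallow-blob-public-access-$effect"

# The rule from the article's policyRule section. Note the "not ... equals false"
# shape: an unset (null) allowBlobPublicAccess is non-compliant too, matching the
# fact that a null value permits public access.
$policyRule = @"
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "not": { "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "equals": "false" } }
    ]
  },
  "then": { "effect": "$effect" }
}
"@

# Create the definition. -Policy accepts the rule as a JSON string.
$definition = New-AzPolicyDefinition -Name $definitionName `
    -DisplayName "Storage accounts must disallow blob public access ($effect)" `
    -Description "Flags or blocks storage accounts whose allowBlobPublicAccess is not explicitly false." `
    -Policy $policyRule

# Assign it. With effect 'deny', creates and updates of non-compliant storage
# accounts under this scope are rejected from this point on.
$assignment = New-AzPolicyAssignment -Name $definitionName -Scope $scope -PolicyDefinition $definition

# Compliance data takes a few minutes to appear after assignment. Trigger an
# on-demand scan for the current subscription, then list non-compliant accounts.
Start-AzPolicyComplianceScan | Out-Null
Get-AzPolicyState -PolicyAssignmentName $assignment.Name -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object SubscriptionId, ResourceGroup, ResourceId, ComplianceState |
    Format-Table -AutoSize
```

Run the script with 'audit' first and work through the non-compliant list with the remediation steps earlier in this article; only switch to 'deny' once the list is empty, otherwise every configuration change to the remaining accounts will fail until their public access setting is set to false.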

Permissions for allowing or disallowing public access

To set the AllowBlobPublicAccess property for the storage account, a user must have permissions to create and manage storage accounts. Azure role-based access control (Azure RBAC) roles that provide these permissions include the Microsoft.Storage/storageAccounts/write or Microsoft.Storage/storageAccounts/* action. Built-in roles with this action include:

These roles do not provide access to data in a storage account via Azure Active Directory (Azure AD). However, they include the Microsoft.Storage/storageAccounts/listkeys/action, which grants access to the account access keys. With this permission, a user can use the account access keys to access all data in a storage account.

Role assignments must be scoped to the level of the storage account or higher to permit a user to allow or disallow public access for the storage account. For more information about role scope, see Understand scope for Azure RBAC.

Be careful to restrict assignment of these roles only to those who require the ability to create a storage account or update its properties. Use the principle of least privilege to ensure that users have the fewest permissions that they need to accomplish their tasks. For more information about managing access with Azure RBAC, see Best practices for Azure RBAC.

Note

The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager Owner role. The Owner role includes all actions, so a user with one of these administrative roles can also create and manage storage accounts. For more information, see Classic subscription administrator roles, Azure roles, and Azure AD administrator roles.

Next steps