Ensure that 'Public access level' is set to Private for blob containers

HIGH

Description

Description:

Disable anonymous access to blob containers and disallow blob public access on storage account.

Rationale:

Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources to anyone on the internet, without sharing the account key and without requiring a shared access signature. Anonymous access should not be granted to blob containers unless it is strictly required. A shared access signature token should be used instead to provide controlled, time-limited access to blob containers.
If no anonymous access is needed on the storage account, set allowBlobPublicAccess to false at the account level; this rejects anonymous requests to every container in the account regardless of the individual container access levels.

Access using shared access signatures will have to be managed: every client that relied on anonymous reads needs a SAS token (or an RBAC data role) before the change, and those tokens must be rotated and scoped appropriately.

Remediation

From Azure Console

First, follow Microsoft documentation and create shared access signature tokens for your blob containers. Then,

  1. Go to 'Storage Accounts'
  2. For each storage account, go to 'Containers' under the 'Data Storage' heading
  3. For each container, click 'Access policy'
  4. Set 'Public access level' to 'Private (no anonymous access)'
  5. For each storage account, go to 'Allow Blob public access' in Configuration
  6. Set it to 'Disabled' if no anonymous access is needed on the storage account

Using Azure Command Line Interface 2.0

  1. Identify the container name from the audit command (or list the containers of an account with `az storage container list --account-name <storage-account> --auth-mode login`; a non-null `properties.publicAccess` of `blob` or `container` means anonymous access is enabled)
  2. Set the public access level of that container to private (off) with the command below; setting a container ACL requires the account key, since this operation does not accept Azure AD authentication

az storage container set-permission --name <container> --public-access off --account-name <storage-account> --account-key <account-key>

  3. Set 'Allow Blob public access' to Disabled if no anonymous access is wanted on the storage account

az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access false
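The CLI procedure above is easy to apply to one container by hand but tedious across a subscription. The script below is an added example, not part of this policy page or of any vendor tool: it audits every storage account and container the logged-in `az` CLI can see and emits (or, with `--apply`, runs) exactly the two remediation commands from this page. The sample account and container records are constructed to mirror the JSON shape of `az storage account list` and `az storage container list`; treating a null `allowBlobPublicAccess` as non-compliant is this example's own conservative assumption, and `--auth-mode login` assumes the caller holds a Storage Blob Data role on each account.

```python
"""Audit anonymous blob access and emit the remediation commands from this page.

Added example (not part of the original policy page). The audit logic is
pure, so it can be exercised on the constructed sample data below without
an Azure subscription; main() wires it to the az CLI.
"""
import json
import shlex
import subprocess
import sys
from typing import Dict, List

# properties.publicAccess values from `az storage container list` that grant
# anonymous reads; null (None) means the container is private.
PUBLIC_CONTAINER_LEVELS = {"blob", "container"}
KEY_PLACEHOLDER = "<account-key>"


def account_is_compliant(account: dict) -> bool:
    """True only when allowBlobPublicAccess is explicitly false.

    A null value (property never set) is treated as non-compliant here; on
    accounts that predate the platform default change it meant anonymous
    access was allowed. This is an assumption of the example.
    """
    return account.get("allowBlobPublicAccess") is False


def container_is_compliant(container: dict) -> bool:
    level = (container.get("properties") or {}).get("publicAccess")
    return level not in PUBLIC_CONTAINER_LEVELS


def plan_remediation(accounts: List[dict],
                     containers_by_account: Dict[str, List[dict]]) -> List[List[str]]:
    """Return the az commands (as argv lists) that bring every resource into policy."""
    plan: List[List[str]] = []
    for acct in accounts:
        name, rg = acct["name"], acct["resourceGroup"]
        if not account_is_compliant(acct):
            # Account-level switch first: it rejects anonymous requests to every
            # container immediately, whatever the container ACLs still say.
            plan.append(["az", "storage", "account", "update", "--name", name,
                         "--resource-group", rg, "--allow-blob-public-access", "false"])
        for c in containers_by_account.get(name) or []:
            if not container_is_compliant(c):
                # Set Container ACL accepts Shared Key auth only, so the key is
                # looked up at run time and substituted for the placeholder.
                plan.append(["az", "storage", "container", "set-permission",
                             "--name", c["name"], "--public-access", "off",
                             "--account-name", name, "--account-key", KEY_PLACEHOLDER])
    return plan


def _az(args: List[str]):
    """Run an az command and parse its JSON output."""
    out = subprocess.run(["az", *args, "-o", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None


def collect():
    """Gather accounts and containers from the subscription az is logged in to."""
    accounts = _az(["storage", "account", "list"])
    containers = {
        a["name"]: _az(["storage", "container", "list", "--account-name", a["name"],
                        "--auth-mode", "login"])  # needs a Storage Blob Data role
        for a in accounts
    }
    return accounts, containers


def run_plan(plan: List[List[str]], dry_run: bool = True) -> None:
    for cmd in plan:
        print(" ".join(shlex.quote(a) for a in cmd))  # placeholder printed, never the key
        if dry_run:
            continue
        if KEY_PLACEHOLDER in cmd:
            name = cmd[cmd.index("--account-name") + 1]
            key = _az(["storage", "account", "keys", "list",
                       "--account-name", name, "--query", "[0].value"])
            cmd = [key if a == KEY_PLACEHOLDER else a for a in cmd]
        subprocess.run(cmd, check=True)


# Constructed sample data in the shape of the two az list commands above.
SAMPLE_ACCOUNTS = [
    {"name": "stlogsprod", "resourceGroup": "rg-logs", "allowBlobPublicAccess": False},
    {"name": "stwebassets", "resourceGroup": "rg-web", "allowBlobPublicAccess": True},
    {"name": "stlegacy", "resourceGroup": "rg-legacy", "allowBlobPublicAccess": None},
]
SAMPLE_CONTAINERS = {
    "stlogsprod": [{"name": "audit", "properties": {"publicAccess": None}}],
    "stwebassets": [{"name": "images", "properties": {"publicAccess": "blob"}},
                    {"name": "private", "properties": {"publicAccess": None}}],
    "stlegacy": [{"name": "dump", "properties": {"publicAccess": "container"}}],
}

if __name__ == "__main__":
    if "--sample" in sys.argv:
        run_plan(plan_remediation(SAMPLE_ACCOUNTS, SAMPLE_CONTAINERS))
    else:
        accts, conts = collect()
        run_plan(plan_remediation(accts, conts), dry_run="--apply" not in sys.argv)
```

Run it with `--sample` to see the plan for the constructed data, without arguments for a dry run against the real subscription, and with `--apply` to execute. Review the dry-run output before applying: each `set-permission` line is a container that some client may currently be reading anonymously, which is where the SAS tokens created earlier in the procedure have to be in place first.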

Policy Details

Rule Reference ID: AC_AZURE_0366
CSP: Azure
Remediation Available: Yes
Resource Category: Storage
Resource Type: Storage Accounts

Frameworks