Allowing anonymous access can reduce an organization’s ability to protect itself against attacks on its Azure resources.
Security incidents may include disrupting critical functions, data theft, and additional Azure subscription costs due to resource overload.
Using authentication coupled with fine-grained authorizations adds defense in depth and gives incident investigators traceability: every action can be tied to an identity.
Depending on the affected Azure resource, multiple authentication choices are possible: Active Directory Authentication, OpenID implementations
(Google, Microsoft, etc.) or native Azure mechanisms.
Ask Yourself Whether
- This Azure resource is essential for the information system infrastructure.
- This Azure resource is essential for mission-critical functions.
- This Azure resource stores or processes sensitive data.
- Compliance policies require access to this resource to be authenticated.
There is a risk if you answered yes to any of these questions.
Recommended Secure Coding Practices
Enable authentication in this Azure resource, and disable anonymous access.
If only Basic Authentication is available, enable it.
Sensitive Code Example
For App Services and equivalent:
resource "azurerm_function_app" "example" {
  name = "example"

  # Either of the following auth_settings variants is sensitive (a resource holds only one such block):
  auth_settings {
    enabled = false # Sensitive
  }

  auth_settings {
    enabled = true
    unauthenticated_client_action = "AllowAnonymous" # Sensitive
  }
}
For API Management:
resource "azurerm_api_management_api" "example" { # Sensitive, the openid_authentication block is missing
  name = "example-api"
}
resource "azurerm_api_management" "example" {
  sign_in {
    enabled = false # Sensitive
  }
}
For Data Factory Linked Services:
resource "azurerm_data_factory_linked_service_sftp" "example" {
  authentication_type = "Anonymous" # Sensitive
}
For Storage Accounts:
resource "azurerm_storage_account" "example" {
  allow_blob_public_access = true # Sensitive
}
resource "azurerm_storage_container" "example" {
  container_access_type = "blob" # Sensitive
}
For Redis Caches:
resource "azurerm_redis_cache" "example" {
  name = "example-cache"
  redis_configuration {
    enable_authentication = false # Sensitive
  }
}
Compliant Solution
For App Services and equivalent:
resource "azurerm_function_app" "example" {
  name = "example"
  auth_settings {
    enabled = true
    unauthenticated_client_action = "RedirectToLoginPage"
  }
}
For API Management:
resource "azurerm_api_management_api" "example" {
  name = "example-api"
  openid_authentication {
    openid_provider_name = azurerm_api_management_openid_connect_provider.example.name
  }
}
resource "azurerm_api_management" "example" {
  sign_in {
    enabled = true
  }
}
For Data Factory Linked Services:
resource "azurerm_data_factory_linked_service_sftp" "example" {
  authentication_type = "Basic"
  username            = local.creds.username
  password            = local.creds.password
}
resource "azurerm_data_factory_linked_service_odata" "example" {
  basic_authentication {
    username = local.creds.username
    password = local.creds.password
  }
}
For Storage Accounts:
resource "azurerm_storage_account" "example" {
  allow_blob_public_access = false
}
resource "azurerm_storage_container" "example" {
  container_access_type = "private"
}
For Redis Caches:
resource "azurerm_redis_cache" "example" {
  name = "example-cache"
  redis_configuration {
    enable_authentication = true
  }
}
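As an added example (not the rule's own analyzer implementation), the following Python check scans Terraform source for the anonymous-access settings listed in both the sensitive and compliant sections above and reports each one per resource. It is regex-based and assumes literal values like those in the snippets (no interpolation or braces inside strings); the resource names in the sample input are constructed.

```python
import re

CHECKS = {  # added example, not the rule's analyzer: resource type -> [(regex over body, finding)]
    "azurerm_function_app": [
        (r"auth_settings\s*{[^}]*enabled\s*=\s*false", "auth_settings disabled"),
        (r'unauthenticated_client_action\s*=\s*"AllowAnonymous"', "anonymous clients allowed"),
    ],
    "azurerm_api_management": [(r"sign_in\s*{[^}]*enabled\s*=\s*false", "sign_in disabled")],
    "azurerm_data_factory_linked_service_sftp": [(r'authentication_type\s*=\s*"Anonymous"', "anonymous SFTP")],
    "azurerm_storage_account": [(r"allow_blob_public_access\s*=\s*true", "public blob access allowed")],
    "azurerm_storage_container": [(r'container_access_type\s*=\s*"(blob|container)"', "public container")],
    "azurerm_redis_cache": [(r"enable_authentication\s*=\s*false", "Redis authentication disabled")],
}
# Blocks whose absence from a resource is itself a finding.
REQUIRED = {"azurerm_api_management_api": ("openid_authentication", "no openid_authentication block")}
HEADER = re.compile(r'resource\s+"(\w+)"\s+"(\w+)"\s*{')

def split_resources(hcl):
    """Yield (type, name, body) for each top-level resource by tracking brace depth."""
    for m in HEADER.finditer(hcl):
        depth, i = 1, m.end()
        while depth and i < len(hcl):
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), m.group(2), hcl[m.end():i - 1]  # body without the closing brace

def find_anonymous_access(hcl):
    """Return 'type.name: finding' for every sensitive setting, in source order."""
    findings = []
    for rtype, name, body in split_resources(hcl):
        for pattern, msg in CHECKS.get(rtype, []):
            if re.search(pattern, body):
                findings.append(f"{rtype}.{name}: {msg}")
        if rtype in REQUIRED and REQUIRED[rtype][0] not in body:
            findings.append(f"{rtype}.{name}: {REQUIRED[rtype][1]}")
    return findings

# Constructed sample input (resource names are made up): one sensitive file, one compliant file.
SENSITIVE_HCL = '''
resource "azurerm_function_app" "app" {
  auth_settings {
    enabled = true
    unauthenticated_client_action = "AllowAnonymous"
  }
}
resource "azurerm_api_management_api" "api" { name = "api" }
resource "azurerm_storage_container" "logs" { container_access_type = "blob" }
'''
COMPLIANT_HCL = '''
resource "azurerm_storage_account" "sa" { allow_blob_public_access = false }
resource "azurerm_storage_container" "logs" { container_access_type = "private" }
'''
```

Running `find_anonymous_access(SENSITIVE_HCL)` reports three findings (the anonymous client action, the missing openid_authentication block and the public container), while the compliant file yields none.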
See