Remediate anonymous read access to blob data (classic deployments)

Azure Blob Storage supports optional anonymous read access to containers and blobs. However, anonymous access can pose a security risk. We recommend that you disable anonymous access for optimal security. Disallowing anonymous access helps prevent data breaches caused by unintended anonymous access.

By default, anonymous access to your blob data is always prohibited. However, the default configuration of a classic storage account permits a user with the appropriate permissions to configure anonymous access to containers and blobs in the storage account. To prevent anonymous access to a classic storage account, you must configure every container in the account to block anonymous access.

If your storage account uses the classic deployment model, we recommend that you migrate to the Azure Resource Manager deployment model as soon as possible. After you migrate the account, you can configure it to disallow anonymous access at the account level. To learn how to disallow anonymous access for an Azure Resource Manager account, see Remediate anonymous read access to blob data (Azure Resource Manager deployments).

If you can't migrate your classic storage accounts at this time, you should remediate anonymous access to those accounts now by setting all containers to private. This article describes how to remediate access to containers in a classic storage account.

Azure Storage accounts that use the classic deployment model will be retired on 31 August 2024. For more information, see Azure classic storage accounts will be retired on 31 August 2024.

Warning

Anonymous access presents a security risk. We recommend that you take the actions described in the following section to remediate anonymous access for all of your classic storage accounts, unless your scenario specifically requires anonymous access.

Block anonymous access to containers

To remediate anonymous access for a classic storage account, set the anonymous access level for every container in the account to Private.

To remediate anonymous access for one or more containers in the Azure portal, follow these steps:

  1. Navigate to your storage account overview in the Azure portal.

  2. Under Data storage on the menu blade, select Blob containers.

  3. Select the containers for which you want to set the anonymous access level.

  4. Use the Change access level button to display the access settings.

  5. Select Private (no anonymous access) from the Anonymous access level dropdown, then click the OK button to apply the change to the selected containers.

    Screenshot showing how to set the anonymous access level in the portal.

Check the anonymous access setting for a set of containers

It's possible to check which containers in one or more storage accounts are configured for anonymous access by listing the containers and checking the anonymous access setting. This approach is a practical option when a storage account doesn't contain a large number of containers, or when you're checking the setting across a small number of storage accounts. However, performance may suffer if you attempt to enumerate a large number of containers.

The following example uses PowerShell to get the anonymous access setting for all containers in a storage account. Remember to replace the placeholder values in brackets with your own values:

# Replace the placeholder values in brackets with your resource group and account names.
$rgName = "<resource-group>"
$accountName = "<storage-account>"

# Build a storage context from the account, then list each container with its access level.
$storageAccount = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName
$ctx = $storageAccount.Context

# PublicAccess is Off (private), Blob, or Container.
Get-AzStorageContainer -Context $ctx | Select-Object Name, PublicAccess
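As an added example (not code from the article), the following PowerShell extends the one-account check above to every storage account the current Az context can see, writes a report of containers whose access level is not Private, and exits non-zero when any are found so it can double as a post-remediation check. The function name Get-PublicContainerReport and the path .\public-containers.csv are this example's own choices; it assumes the Az.Storage module is installed and Connect-AzAccount has already been run.

```powershell
# Added example (not from the original article): report every container whose anonymous
# access level is not Private across all storage accounts the current Az context can see.
# Read-only. Names like Get-PublicContainerReport are this example's own choices; assumes
# the Az.Storage module is installed and Connect-AzAccount has already been run.
function Get-PublicContainerReport {
    param(
        # Optional: restrict the audit to one resource group.
        [string]$ResourceGroupName
    )

    $accounts = if ($ResourceGroupName) {
        Get-AzStorageAccount -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzStorageAccount
    }

    foreach ($account in $accounts) {
        try {
            # Listing containers is a data-plane call; it can fail (e.g. account firewall) even though listing accounts succeeded.
            $containers = Get-AzStorageContainer -Context $account.Context -ErrorAction Stop
        }
        catch {
            Write-Warning "Cannot list containers in $($account.StorageAccountName): $_"
            continue
        }
        foreach ($container in $containers) {
            # PublicAccess is Off (private), Blob, or Container. Blob and Container both permit anonymous
            # reads, so both are reported; a level that could not be read ($null) is reported, not assumed private.
            if ($container.PublicAccess -ne 'Off') {
                [pscustomobject]@{
                    ResourceGroup  = $account.ResourceGroupName
                    StorageAccount = $account.StorageAccountName
                    Container      = $container.Name
                    PublicAccess   = $container.PublicAccess
                    LastModified   = $container.LastModified
                }
            }
        }
    }
}

# Save the findings for tracking and exit non-zero if anything is still public, so the same
# script doubles as a post-remediation check (for example, in a scheduled pipeline).
$ReportPath = ".\public-containers.csv"
$findings = @(Get-PublicContainerReport)
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$($findings.Count) container(s) with anonymous access written to $ReportPath"
if ($findings.Count -gt 0) { exit 1 }
```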

Sample script for bulk remediation

The following sample PowerShell script runs against all classic storage accounts in a subscription and sets the anonymous access setting for the containers in those accounts to Private.

Warning

Running this script against storage accounts with a large number of containers may require significant resources and take a long time. If you have a storage account with a very large number of containers, consider a different approach for remediating anonymous access.

# This script runs against all classic storage accounts in a single subscription
# and sets containers to private.

## IMPORTANT ##
# Running this script requires a connected account through the previous version
# of Azure PowerShell. Use the following command to install:
# Install-Module Azure -Scope CurrentUser -Force
#
# Once installed, you will need to connect with:
# Add-AzureAccount
#
# This command may fail if there are modules installed that conflict with it.
# One known conflicting module is AzureRm.Accounts
# You will need to remove conflicting modules using the following:
# Remove-Module -Name <name>
#
# The Azure PowerShell module assumes a current subscription when enumerating
# storage accounts. You can set the current subscription with:
# Select-AzureSubscription -SubscriptionId <subscriptionId>
#
# Get-AzureSubscription lists all subscriptions available to the Azure
# module. Not all subscriptions listed under your name in the portal may
# appear here. If a subscription does not appear, you may need to use
# the portal to remediate public access for those accounts.
# After you have selected your subscription, verify that it is current
# by running:
# Get-AzureSubscription -Current
#
# After the current subscription is set, you can run this script, change
# to another subscription after it completes, and then run again as necessary.
## END IMPORTANT ##

# Standard operation will enumerate all accounts and check for containers with public
# access, then allow the user to decide whether or not to disable the setting.

# Run with -BypassConfirmation $true if you wish to remove permissions from all containers
# without individual confirmation.

# Run with -BypassArmUpgrade $true to skip the per-account prompt asking whether you intend
# to upgrade the account to the Azure Resource Manager deployment model. The script never
# performs the upgrade itself; it only prints the migration guidance at the end.
# All accounts must be upgraded by 31 August 2024.

param(
    [bool]$BypassConfirmation = $false,
    [bool]$BypassArmUpgrade = $false
)

# Do not change this
$convertAccounts = $false

foreach ($classicAccount in Get-AzureStorageAccount)
{
    $enumerate = $false
    $confirmation = $null

    if (!$BypassArmUpgrade)
    {
        Write-Host "Classic Storage Account" $classicAccount.StorageAccountName "found"
        $confirmation = Read-Host "Convert to ARM? [y/n]"
    }
    if (($confirmation -eq 'y') -and (!$BypassArmUpgrade))
    {
        Write-Host "Conversion selected"
        $convertAccounts = $true
    }
    else
    {
        Write-Host $classicAccount.StorageAccountName "conversion not selected. Searching for public containers..."
        $enumerate = $true
    }

    if ($enumerate)
    {
        # Retrieve the account by name so that its data-plane Context is populated,
        # and reuse that one context for both listing and updating containers.
        $ctx = (Get-AzureStorageAccount -StorageAccountName $classicAccount.StorageAccountName).Context

        foreach ($container in Get-AzureStorageContainer -Context $ctx)
        {
            # PublicAccess is Off (private), Blob, or Container; only Off needs no action.
            if ($container.PublicAccess -eq 'Off')
            {
                continue
            }

            $selection = $null
            if (!$BypassConfirmation)
            {
                # Read-Host accepts a single prompt string, so build it before the call.
                $selection = Read-Host "$($container.Name) ($($container.PublicAccess)) access found. Make private? [y/n]"
            }
            if (($selection -eq 'y') -or $BypassConfirmation)
            {
                Write-Host "Removing permissions from" $container.Name "container on storage account" $classicAccount.StorageAccountName
                try
                {
                    # -ErrorAction Stop turns a failed update into a terminating error so the catch block runs.
                    Set-AzureStorageContainerAcl -Context $ctx -Name $container.Name -Permission Off -ErrorAction Stop
                    Write-Host "Success!"
                }
                catch
                {
                    Write-Error $_
                }
            }
            else
            {
                Write-Host "Skipping..."
            }
        }
    }
}
if ($convertAccounts)
{
    Write-Host "Converting accounts to ARM is the preferred method, however there are some caveats."
    Write-Host "The preferred method would be to use the portal to perform the conversions and then "
    Write-Host "run the ARM script against them. For more information on converting a classic account"
    Write-Host "to an ARM account, please see:"
    Write-Host "https://learn.microsoft.com/en-us/azure/virtual-machines/migration-classic-resource-manager-overview"
}
Write-Host "Script complete"

See also