Multiple Azure resource types support authentication configuration, and several allow anonymous access either to be explicitly enabled or to remain in effect because authentication was never configured. Allowing anonymous access can expose sensitive data and operations to unauthorized users.
Allowing anonymous access to Azure resources means that any request, regardless of origin, can interact with the resource without providing credentials. For services such as App Service, API Management, Data Factory linked services, Storage Accounts, and Redis Caches, unauthenticated access can expose sensitive data and operations to unauthorized users. Enabling authentication ensures that only verified identities can access these resources, and provides an audit trail for investigators of security incidents.
If anonymous access is permitted, an attacker can read, modify, or delete data and trigger operations without ever presenting credentials. Depending on the resource type, this can result in data breaches, unauthorized API calls, service disruption, or unexpected Azure subscription costs caused by abuse of the resource.
The following App Service (Function App) configuration allows anonymous access to the Azure resource, leaving it accessible to any caller without authentication; the compliant example that follows requires callers to authenticate.
# Noncompliant example: App Service authentication is switched off entirely,
# so every HTTP caller reaches the function without presenting credentials.
resource "azurerm_linux_function_app" "example" {
  name = "example"
  auth_settings {
    # Disables the platform authentication layer for the whole app.
    enabled = false # Noncompliant
  }
}
# Noncompliant example: authentication is enabled, but unauthenticated callers
# are still let through, which leaves the app effectively anonymous.
resource "azurerm_linux_function_app" "example2" {
  name = "example2"
  auth_settings {
    enabled = true
    # "AllowAnonymous" passes unauthenticated requests to the app code; the
    # compliant value shown later on this page is "RedirectToLoginPage".
    unauthenticated_client_action = "AllowAnonymous" # Noncompliant
  }
}
# Compliant example: authentication is enabled and unauthenticated requests are
# sent to the sign-in flow instead of reaching the function.
resource "azurerm_linux_function_app" "example" {
  name = "example"
  auth_settings {
    enabled = true
    # Unauthenticated callers are redirected rather than served.
    # NOTE(review): a redirect suits browser clients; for API-only callers a
    # rejection response may be preferable — check the provider docs for the
    # values supported by the provider version in use.
    unauthenticated_client_action = "RedirectToLoginPage"
  }
}
The following API Management configuration allows anonymous access to the Azure resource, leaving it accessible to any caller without authentication; the compliant examples that follow require an OpenID provider on the API and sign-in on the service.
# Noncompliant example: no authentication block is declared on the API, so
# nothing in this definition requires callers to identify themselves.
resource "azurerm_api_management_api" "example" { # Noncompliant: the openid_authentication block is missing
  name = "example-api"
}
# Noncompliant example: sign-in is disabled on the API Management service, so
# users are not required to authenticate before using it.
resource "azurerm_api_management" "example" {
  sign_in {
    # Turns off the sign-in requirement for the service.
    enabled = false # Noncompliant
  }
}
# Compliant example: the API is bound to an OpenID Connect provider, so callers
# must present a token issued by that provider.
resource "azurerm_api_management_api" "example" {
  name = "example-api"
  openid_authentication {
    # References a separately declared azurerm_api_management_openid_connect_provider
    # resource (not shown in this snippet).
    openid_provider_name = azurerm_api_management_openid_connect_provider.example.name
  }
}
# Compliant example: sign-in is enabled on the API Management service, so users
# must authenticate before using it.
resource "azurerm_api_management" "example" {
  sign_in {
    enabled = true
  }
}
The following Data Factory linked service configuration allows anonymous access to the Azure resource, leaving it accessible to any caller without authentication; the compliant examples that follow authenticate with a key pair or with basic credentials.
# Noncompliant example: the SFTP linked service connects without any
# credential, so the remote endpoint is used anonymously.
resource "azurerm_data_factory_linked_service_sftp" "example" {
  authentication_type = "Anonymous"
}
# Compliant example: the SFTP linked service authenticates with a username and
# a private key instead of connecting anonymously.
resource "azurerm_data_factory_linked_service_sftp" "example" {
  authentication_type = "PublicKey"
  # local.creds is defined outside this snippet. Values assigned here are
  # written to Terraform state, so the state backend must be protected.
  username            = local.creds.username
  private_key_content = local.creds.private_key
}
# Compliant example: the OData linked service authenticates with basic
# credentials rather than anonymously.
resource "azurerm_data_factory_linked_service_odata" "example" {
  basic_authentication {
    # local.creds is defined outside this snippet. The password ends up in
    # Terraform state, so the state backend must be protected.
    username = local.creds.username
    password = local.creds.password
  }
}
The following Storage Account configuration allows anonymous access to the Azure resource, leaving it accessible to any caller without authentication; the compliant examples that follow disable public access at both the account and the container level.
# Noncompliant example: the account-level switch permits containers and blobs
# to be exposed to anonymous readers.
resource "azurerm_storage_account" "example" {
  # NOTE(review): newer azurerm provider versions expose this setting under
  # the name allow_nested_items_to_be_public — confirm against the provider
  # version in use.
  allow_blob_public_access = true # Noncompliant
}
# Noncompliant example: the container grants anonymous read access to its
# blobs.
resource "azurerm_storage_container" "example" {
  # "blob" allows unauthenticated reads of individual blobs; the compliant
  # value shown later on this page is "private".
  container_access_type = "blob" # Noncompliant
}
# Compliant example: anonymous blob access is disabled for the whole account.
resource "azurerm_storage_account" "example" {
  # NOTE(review): newer azurerm provider versions expose this setting under
  # the name allow_nested_items_to_be_public — confirm against the provider
  # version in use.
  allow_blob_public_access = false
}
# Compliant example: the container requires authentication for every access.
resource "azurerm_storage_container" "example" {
  container_access_type = "private"
}
The following Redis Cache configuration allows anonymous access to the Azure resource, leaving it accessible to any caller without authentication; the compliant example that follows keeps authentication enabled.
# Noncompliant example: Redis authentication is switched off, so any client
# that can reach the cache can read and write its contents.
resource "azurerm_redis_cache" "example" {
  name = "example-cache"
  redis_configuration {
    # Removes the access-key requirement for connecting clients.
    enable_authentication = false # Noncompliant
  }
}
# Compliant example: clients must present the cache access key to connect.
resource "azurerm_redis_cache" "example" {
  name = "example-cache"
  redis_configuration {
    enable_authentication = true
  }
}