diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7510d46345..1af7603426 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ FEATURES:
 ENHANCEMENTS:
 
 * Adding Log Analytics & Antimalware VM extensions ([#2520](https://github.com/microsoft/AzureTRE/pull/2520))
+* Block anonymous access to 2 storage accounts ([#2524](https://github.com/microsoft/AzureTRE/pull/2524))
 * Gitea shared service support app-service standard SKUs ([#2523](https://github.com/microsoft/AzureTRE/pull/2523))
 * Keyvault diagnostic settings in base workspace ([#2521](https://github.com/microsoft/AzureTRE/pull/2521))
 
diff --git a/templates/core/terraform/airlock/airlock_processor.tf b/templates/core/terraform/airlock/airlock_processor.tf
index 9c8a77da9e..348486f519 100644
--- a/templates/core/terraform/airlock/airlock_processor.tf
+++ b/templates/core/terraform/airlock/airlock_processor.tf
@@ -19,12 +19,13 @@ resource "azurerm_service_plan" "airlock_plan" {
 }
 
 resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
-  name                     = local.airlock_function_sa_name
-  resource_group_name      = var.resource_group_name
-  location                 = var.location
-  account_tier             = "Standard"
-  account_replication_type = "LRS"
-  tags                     = var.tre_core_tags
+  name                            = local.airlock_function_sa_name
+  resource_group_name             = var.resource_group_name
+  location                        = var.location
+  account_tier                    = "Standard"
+  account_replication_type        = "LRS"
+  allow_nested_items_to_be_public = false
+  tags                            = var.tre_core_tags
 
   lifecycle { ignore_changes = [tags] }
 }
diff --git a/templates/core/terraform/storage.tf b/templates/core/terraform/storage.tf
index 3bbb47ea20..22ba892c66 100644
--- a/templates/core/terraform/storage.tf
+++ b/templates/core/terraform/storage.tf
@@ -1,10 +1,11 @@
 resource "azurerm_storage_account" "stg" {
-  name                     = lower(replace("stg-${var.tre_id}", "-", ""))
-  resource_group_name      = azurerm_resource_group.core.name
-  location                 = azurerm_resource_group.core.location
-  account_tier             = "Standard"
-  account_replication_type = "LRS"
-  tags                     = local.tre_core_tags
+  name                            = lower(replace("stg-${var.tre_id}", "-", ""))
+  resource_group_name             = azurerm_resource_group.core.name
+  location                        = azurerm_resource_group.core.location
+  account_tier                    = "Standard"
+  account_replication_type        = "LRS"
+  allow_nested_items_to_be_public = false
+  tags                            = local.tre_core_tags
   lifecycle { ignore_changes = [tags] }
 }
 
diff --git a/templates/core/version.txt b/templates/core/version.txt
index b4ed79e09d..e427a55476 100644
--- a/templates/core/version.txt
+++ b/templates/core/version.txt
@@ -1 +1 @@
-__version__ = "0.4.20"
+__version__ = "0.4.21"