1. Introduction
Azure Blob Storage is a public cloud storage service offered by Microsoft Azure, allowing users to store and retrieve data objects. Web applications commonly use it for static assets, user uploads, application logs, or even hosting entire websites. A misconfiguration of container permissions can expose sensitive data to anyone on the internet. This vulnerability leads to information disclosure and, depending on the nature of the stored data and the permissions granted, can also impact integrity and availability.
2. Technical Explanation
The root cause is often overly permissive access controls set on Azure Blob Storage containers or individual objects. Developers may unintentionally allow public read access during configuration. An attacker can exploit this by directly accessing the blob storage URL to retrieve sensitive files, list container contents, or potentially modify data if write permissions are also granted. There is no specific CVE associated with this general misconfiguration.
- Root cause: Incorrectly configured Access Control Lists (ACLs) allowing public access.
- Exploit mechanism: An attacker identifies a publicly accessible blob storage container URL and retrieves its contents via HTTP/HTTPS. For example, an attacker could discover the URL through reconnaissance or by examining application code.
- Scope: Azure Blob Storage service across all versions where public access is enabled.
3. Detection and Assessment
Confirming the vulnerability involves checking the public access level of each storage container. A quick check can be done in the Azure portal, while a thorough assessment requires scripting against the Azure API or CLI.
- Quick checks: In the Azure Portal, navigate to the Storage Account -> Container -> Access Policy. Verify that public access is not enabled unless explicitly required and properly documented.
- Scanning: Use tools such as Azure Security Center or third-party cloud security posture management (CSPM) solutions, which provide built-in checks for publicly accessible blob storage. These are examples only; coverage and results differ between tools.
- Logs and evidence: Review Azure Storage logs for access attempts from unexpected sources or patterns indicative of data exfiltration. Look for read and list operations against public containers, particularly anonymous requests.
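As an added example (not code from the original page or from Microsoft), the following script applies both checks from this section offline: it reads the JSON that `az storage container list` prints and flags containers whose public access level is set, then summarises anonymous requests from Azure Storage resource logs per container and caller address. Both inputs are constructed samples embedded in the script; the log field names are assumed to follow the StorageBlobLogs schema, and the approved-container list is a hypothetical allowlist of containers documented as intentionally public.

```python
"""Detect public Azure Blob containers and anonymous reads in storage logs.

Added example; not code from the original page or from Microsoft. It consumes
(1) the JSON printed by `az storage container list` and (2) Azure Storage
resource log records in the StorageBlobLogs shape. Both inputs below are
constructed samples so the script runs offline; the log field names are
assumed to match the StorageBlobLogs schema.
"""
import json
from urllib.parse import urlsplit

# Constructed sample of `az storage container list` output (three containers)
AZ_CONTAINER_LIST = json.loads("""
[
  {"name": "backups",    "properties": {"publicAccess": "container"}},
  {"name": "web-assets", "properties": {"publicAccess": "blob"}},
  {"name": "app-logs",   "properties": {"publicAccess": null}}
]
""")

# Constructed StorageBlobLogs-style records, one JSON object per line
STORAGE_LOG_LINES = [
    '{"time": "2024-05-01T10:00:01Z", "operationName": "ListBlobs", "authenticationType": "Anonymous", '
    '"uri": "https://acct.blob.core.windows.net/backups?restype=container&comp=list", '
    '"callerIpAddress": "203.0.113.7", "statusCode": 200}',
    '{"time": "2024-05-01T10:00:02Z", "operationName": "GetBlob", "authenticationType": "Anonymous", '
    '"uri": "https://acct.blob.core.windows.net/backups/db-2024-04-30.bak", '
    '"callerIpAddress": "203.0.113.7", "statusCode": 200}',
    '{"time": "2024-05-01T10:00:03Z", "operationName": "GetBlob", "authenticationType": "OAuth", '
    '"uri": "https://acct.blob.core.windows.net/app-logs/app.log", '
    '"callerIpAddress": "10.0.0.4", "statusCode": 200}',
    '{"time": "2024-05-01T10:00:04Z", "operationName": "GetBlob", "authenticationType": "Anonymous", '
    '"uri": "https://acct.blob.core.windows.net/web-assets/logo.png", '
    '"callerIpAddress": "198.51.100.9", "statusCode": 200}',
    '{"time": "2024-05-01T10:00:05Z", "operationName": "GetBlob", "authenticationType": "Anonymous", '
    '"uri": "https://acct.blob.core.windows.net/app-logs/app.log", '
    '"callerIpAddress": "203.0.113.7", "statusCode": 404}',
]

# Hypothetical allowlist: containers documented as intentionally public
APPROVED_PUBLIC = frozenset({"web-assets"})


def public_containers(listing, approved=frozenset()):
    """Map container name -> public access level ('blob' or 'container') for
    every container that is publicly readable and not on the approved list."""
    findings = {}
    for entry in listing:
        level = (entry.get("properties") or {}).get("publicAccess")
        if level and entry["name"] not in approved:
            findings[entry["name"]] = level
    return findings


def container_from_uri(uri):
    """The first path segment of a blob URI is the container name."""
    first = urlsplit(uri).path.lstrip("/").split("/", 1)[0]
    return first or None


def anonymous_access(log_lines, approved=frozenset()):
    """Summarise anonymous requests per (container, caller IP): how many
    succeeded, how many failed, and which operations were used. Requests to
    approved containers are skipped; failed probes are kept as a separate count."""
    summary = {}
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("authenticationType") != "Anonymous":
            continue
        container = container_from_uri(rec["uri"])
        if container in approved:
            continue
        key = (container, rec.get("callerIpAddress"))
        entry = summary.setdefault(key, {"ok": 0, "failed": 0, "operations": set()})
        if 200 <= int(rec.get("statusCode", 0)) < 300:
            entry["ok"] += 1
        else:
            entry["failed"] += 1
        entry["operations"].add(rec.get("operationName"))
    return summary


def main():
    for name, level in public_containers(AZ_CONTAINER_LIST, APPROVED_PUBLIC).items():
        print(f"[misconfig] container {name!r} allows anonymous {level}-level read")
    for (container, ip), e in sorted(anonymous_access(STORAGE_LOG_LINES, APPROVED_PUBLIC).items()):
        ops = ", ".join(sorted(e["operations"]))
        print(f"[log] {ip} -> {container}: {e['ok']} ok / {e['failed']} failed ({ops})")


if __name__ == "__main__":
    main()
```

Run against a real account by replacing `AZ_CONTAINER_LIST` with the parsed output of `az storage container list --account-name <name> --auth-mode login` and `STORAGE_LOG_LINES` with exported StorageBlobLogs records; the allowlist is what turns a raw listing into findings, so keep it in version control next to the documented exceptions.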
az storage container list --account-name <your_storage_account_name> --auth-mode login --query "[].{name:name, publicAccess:properties.publicAccess}" --output table
4. Solution / Remediation Steps
Ensure Azure Blob Storage permissions are configured according to security best practices.
4.1 Preparation
- No services need to be stopped, but inform application owners about potential temporary disruptions during permission updates.
4.2 Implementation
- Step 1: Review each storage container’s access policy in the Azure Portal. Disable public read access unless specifically required for a legitimate purpose.
- Step 2: If public access is necessary, implement Shared Access Signatures (SAS) tokens with limited permissions and expiration times instead of full public access.
- Step 3: For containers requiring private access, ensure appropriate Azure Active Directory role-based access control (RBAC) is configured for authorized users and applications.
4.3 Config or Code Example
Before
Public access level: Blob (anonymous read access for blobs only)
After
Public access level: Private (no anonymous access)
4.4 Security Practices Relevant to This Vulnerability
- Least privilege: Grant only the minimum necessary permissions required for each user or application accessing blob storage.
- Secure defaults: Configure new storage containers with private access by default, requiring explicit configuration for public access.
4.5 Automation (Optional)
# Example PowerShell script to disable public access on all containers in an Azure Storage Account
# Requires Az module installed: Install-Module -Name Az
$resourceGroupName = "your_resource_group"
$storageAccountName = "your_storage_account"
# Resolve the storage context once rather than once per container
$ctx = (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).Context
# Only touch containers whose public access level is not already Off
Get-AzStorageContainer -Context $ctx | Where-Object { $_.PublicAccess -ne 'Off' } | ForEach-Object {
    Write-Output "Disabling public access on container '$($_.Name)' (was: $($_.PublicAccess))"
    # Set-AzStorageContainerAcl sets the container's public access level (Off, Blob or Container);
    # Set-AzStorageContainerAccessPolicy manages stored access policies for SAS and is not the right cmdlet here
    Set-AzStorageContainerAcl -Name $_.Name -Permission Off -Context $ctx
}
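As an added example (not code from the original page or from Microsoft), the following Python script carries out steps 1 to 3 of the implementation as a reviewable plan: public containers that are not on a documented allowlist are made private, approved ones are reported and left alone, and nothing changes until the dry run has been read. The decision logic runs offline against an in-memory stand-in for the account; the `AzureAdapter` class wraps the real `azure-storage-blob` calls (`BlobServiceClient.list_containers`, `ContainerClient.get_container_access_policy`, `ContainerClient.set_container_access_policy`) and is only constructed when an account URL is given. The container names, the allowlist and the way stored access policies are converted back into the dict that `set_container_access_policy` expects are assumptions of this example.

```python
"""Allowlist-driven remediation of public container access, dry run first.

Added example; not code from the original page or from Microsoft. The plan and
apply functions are plain Python and run offline through InMemoryAdapter;
AzureAdapter talks to a real account with azure-storage-blob and azure-identity
(pip install both) and is only built when an account URL is passed on the
command line.
"""
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class Container:
    name: str
    public_access: Optional[str]   # "blob", "container" or None (private)


@dataclass
class Action:
    container: str
    before: Optional[str]
    after: Optional[str]
    reason: str


def plan(containers, approved_public=frozenset()):
    """Decide, per public container, whether to make it private or keep it as a
    documented exception. Private containers need no action at all."""
    actions = []
    for c in containers:
        if c.public_access is None:
            continue
        if c.name in approved_public:
            actions.append(Action(c.name, c.public_access, c.public_access, "documented exception, left as is"))
        else:
            actions.append(Action(c.name, c.public_access, None, "undocumented public access"))
    return actions


def apply(actions, adapter, dry_run=True):
    """Apply the plan through the adapter; with dry_run only report what would change.
    Returns the names of the containers that were (or would be) changed."""
    changed = []
    for a in actions:
        if a.before == a.after:
            continue
        print(f"{'would set' if dry_run else 'setting'} {a.container}: {a.before} -> {a.after} ({a.reason})")
        if not dry_run:
            adapter.set_public_access(a.container, a.after)
        changed.append(a.container)
    return changed


class InMemoryAdapter:
    """Stand-in for a storage account, used for the offline demonstration."""
    def __init__(self, containers):
        self.state = {c.name: c.public_access for c in containers}

    def list_containers(self):
        return [Container(n, p) for n, p in self.state.items()]

    def set_public_access(self, name, level):
        self.state[name] = level


class AzureAdapter:
    """Same interface against a real account (assumed SDK usage, built only in main)."""
    def __init__(self, account_url):
        from azure.identity import DefaultAzureCredential
        from azure.storage.blob import BlobServiceClient
        self.svc = BlobServiceClient(account_url, credential=DefaultAzureCredential())

    def list_containers(self):
        return [Container(c.name, c.public_access) for c in self.svc.list_containers()]

    def set_public_access(self, name, level):
        cc = self.svc.get_container_client(name)
        # set_container_access_policy replaces the whole container ACL, so re-send the
        # existing stored access policies: SAS tokens may reference them by id.
        # The id/access_policy attributes are assumed from the SDK's returned objects.
        current = cc.get_container_access_policy()
        policies = {sid.id: sid.access_policy for sid in current["signed_identifiers"]}
        cc.set_container_access_policy(signed_identifiers=policies, public_access=level)


def main(argv):
    if len(argv) > 1:
        adapter = AzureAdapter(argv[1])        # e.g. https://<account>.blob.core.windows.net
        approved = frozenset(argv[2:])         # container names allowed to stay public
    else:
        # Constructed sample account for the offline run
        adapter = InMemoryAdapter([Container("backups", "container"),
                                   Container("web-assets", "blob"),
                                   Container("app-logs", None)])
        approved = frozenset({"web-assets"})
    actions = plan(adapter.list_containers(), approved)
    apply(actions, adapter, dry_run=True)      # review the output, then rerun with dry_run=False


if __name__ == "__main__":
    main(sys.argv)
```

The dry run is the review artefact: hand its output to the application owners named in 4.1, then flip `dry_run` to `False`. Re-sending the stored access policies is the detail that keeps existing SAS tokens working, which the one-line PowerShell approach above does not have to worry about because `Set-AzStorageContainerAcl` changes only the public access level.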
5. Verification / Validation
- Post-fix check: Run the command `az storage container list --account-name <your_storage_account_name> --auth-mode login --query "[?properties.publicAccess].name"`. The query returns only containers whose public access level is set, so the output should be an empty list, i.e. no containers with public access enabled.
- Re-test: Re-run the earlier detection method (Azure Portal or Azure CLI) to confirm that public access is disabled on all containers.
- Smoke test: Verify that authorized users and applications can still access the blob storage containers as expected.
- Monitoring: Monitor Azure Storage logs for any unexpected attempts to access publicly accessible containers.
az storage container list --account-name <your_storage_account_name> --auth-mode login --query "[].{name:name, publicAccess:properties.publicAccess}" --output table
6. Preventive Measures and Monitoring
- Baselines: Update security baselines or policies to enforce private access by default for new Azure Blob Storage containers.
- Asset and patch process: Regularly review Azure Storage configurations to identify and remediate any misconfigured permissions. A quarterly review is recommended.
7. Risks, Side Effects, and Roll Back
8. References and Resources
- Vendor advisory or bulletin: https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations
- NVD or CVE entry: Not applicable for this general misconfiguration.
- Product or platform documentation relevant to the fix: https://docs.microsoft.com/en-us/azure/storage/blobs/access-control-overview