About
Azure storage containers can be configured to allow public access to the data they contain.
Understanding Impact
Business Impact
Azure storage containers are used for data storage. Publicly exposed storage containers frequently lead to data leaks or ransomware.
Technical Impact
When a storage container allows public access, and it's part of a storage account that does not explicitly block public access, anyone can access the data it contains.
Identify affected resources
A storage container allows public access if its "public access level" setting is not set to "private", and if it's part of a storage account that has allowBlobPublicAccess set to true.
Use the following script to identify potentially public blob containers.
storage_accounts=$(az storage account list 2>/dev/null)

# Storage accounts that explicitly block public access
echo "$storage_accounts" | jq -r '.[] | select(.allowBlobPublicAccess == false) | .name' |
while read -r storage_account; do
  echo "OK: Storage account $storage_account blocks public access"
done

# Storage accounts that don't block public access
# (an account whose allowBlobPublicAccess is null matches neither branch and is not reported)
echo "$storage_accounts" | jq -r '.[] | select(.allowBlobPublicAccess == true) | .name' |
while read -r storage_account; do
  echo "Storage account $storage_account does not block public access and may contain public containers - checking..."
  # Find any public container within this storage account
  # (a null publicAccess means the container's access level is "private")
  public_containers=$(az storage container list --account-name "$storage_account" 2>/dev/null | jq -r '.[] | select(.properties.publicAccess != null) | .name')
  if [[ -z "$public_containers" ]]; then
    echo "=> OK: No public containers found in storage account $storage_account"
    continue
  fi
  echo "$public_containers" | while read -r container; do
    echo "=> Warning: Container $container is public (access level: $(echo "$storage_accounts" >/dev/null; echo public))"
  done
done
Remediate vulnerable resources
Set the storage container "public access level" to "private". Ideally, also set the storage account allowBlobPublicAccess to false to ensure that no storage container can be made public.
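The two conditions above (the container's public access level and the account's allowBlobPublicAccess setting) can be evaluated offline against the JSON that `az storage account list` and `az storage container list` return, which makes the logic easier to test than the inline jq filters. The following Python is an added example, not Datadog's code: the account and container JSON is constructed to mimic the shape of the az CLI output, and the remediation step emits the `az storage container set-permission` and `az storage account update` commands that apply the fix described above. One assumption is labelled in the code: an account whose allowBlobPublicAccess is null (not explicitly set) is treated as not blocking public access, so its containers are still evaluated rather than silently skipped.

```python
"""Evaluate Azure storage accounts and containers for public exposure.

Added example, not part of the original page. It applies the page's two
conditions (container public access level, account allowBlobPublicAccess)
to JSON shaped like `az storage account list` / `az storage container list`.
"""
import json
from dataclasses import dataclass

# Constructed sample, shaped like the output of `az storage account list`.
ACCOUNTS_JSON = """
[
  {"name": "prodlogs", "resourceGroup": "rg-prod", "allowBlobPublicAccess": false},
  {"name": "marketingassets", "resourceGroup": "rg-web", "allowBlobPublicAccess": true},
  {"name": "legacybackups", "resourceGroup": "rg-ops", "allowBlobPublicAccess": null}
]
"""

# Constructed sample, shaped like `az storage container list`, keyed by account name.
CONTAINERS_JSON = {
    "prodlogs": '[{"name": "audit", "properties": {"publicAccess": "blob"}}]',
    "marketingassets": '[{"name": "images", "properties": {"publicAccess": "container"}},'
                       ' {"name": "drafts", "properties": {"publicAccess": null}}]',
    "legacybackups": '[{"name": "db", "properties": {"publicAccess": "blob"}}]',
}


@dataclass(frozen=True)
class Finding:
    account: str
    resource_group: str
    container: str
    level: str               # "blob" or "container" as reported by az
    account_setting: object  # True, or None when allowBlobPublicAccess is not set


def account_blocks_public_access(account: dict) -> bool:
    """True only when allowBlobPublicAccess is explicitly false.

    Assumption (not stated on the page): a missing or null value is read as
    'does not explicitly block', so the account's containers are still checked.
    """
    return account.get("allowBlobPublicAccess") is False


def find_public_containers(accounts: list, containers_by_account: dict) -> list:
    """Return one Finding per container that is reachable anonymously."""
    findings = []
    for account in accounts:
        if account_blocks_public_access(account):
            continue  # the account-level block overrides any container setting
        for container in containers_by_account.get(account["name"], []):
            level = (container.get("properties") or {}).get("publicAccess")
            if level is None:
                continue  # access level "private"
            findings.append(Finding(
                account=account["name"],
                resource_group=account.get("resourceGroup", ""),
                container=container["name"],
                level=level,
                account_setting=account.get("allowBlobPublicAccess"),
            ))
    return findings


def remediation_commands(findings: list) -> list:
    """az CLI commands for the page's remediation: container to private,
    then the owning account set to block public access (once per account)."""
    cmds, accounts_seen = [], set()
    for f in findings:
        cmds.append(
            f"az storage container set-permission --account-name {f.account} "
            f"--name {f.container} --public-access off"
        )
        if f.account not in accounts_seen:
            accounts_seen.add(f.account)
            cmds.append(
                f"az storage account update --name {f.account} "
                f"--resource-group {f.resource_group} --allow-blob-public-access false"
            )
    return cmds


def load_sample():
    """Parse the constructed JSON samples into the structures above."""
    accounts = json.loads(ACCOUNTS_JSON)
    containers = {name: json.loads(raw) for name, raw in CONTAINERS_JSON.items()}
    return accounts, containers


if __name__ == "__main__":
    accounts, containers = load_sample()
    findings = find_public_containers(accounts, containers)
    for f in findings:
        print(f"Warning: {f.account}/{f.container} is public ({f.level}); "
              f"account allowBlobPublicAccess={f.account_setting}")
    for cmd in remediation_commands(findings):
        print(cmd)
```

Run against the sample, the `audit` container in `prodlogs` is not reported even though its own level is "blob", because the account explicitly blocks public access; `legacybackups/db` is reported with account_setting None, which is exactly the case the inline script's `== true` filter would skip.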
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Blob Containers anonymous access should be restricted".
References
Configure anonymous public read access for containers and blobs (Azure documentation)
Public cloud breaches of 2022 linked to public Azure Storage containers (securitylabs.datadoghq.com)