Azure storage containers can be configured to allow public access to the data they contain.
Azure storage containers hold blob data. Publicly exposed storage containers frequently lead to data leaks or ransomware.
When a storage container allows public access, and it is part of a storage account that does not explicitly block public access, anyone on the internet can read the data it contains without authentication.
Identify affected resources
A storage container allows public access if its "public access level" setting is not set to "private", and if it is part of a storage account that has allowBlobPublicAccess set to true.
Use the following script to identify potentially public blob containers.
```bash
storage_accounts=$(az storage account list 2>/dev/null)

# Storage accounts that block public access
# (the az output is a JSON array, so iterate it with .[] before select)
echo "$storage_accounts" | jq -r '.[] | select(.allowBlobPublicAccess == false) | .name' | while read -r storage_account; do
  echo "OK: Storage account $storage_account blocks public access"
done

# Storage accounts that don't block public access
echo "$storage_accounts" | jq -r '.[] | select(.allowBlobPublicAccess == true) | .name' | while read -r storage_account; do
  echo "Storage account $storage_account does not block public access and may contain public containers - checking..."
  # Find any public container within this storage account
  public_containers=$(az storage container list --account-name "$storage_account" 2>/dev/null | jq -r '.[] | select(.properties.publicAccess != null) | .name')
  if [[ -z "$public_containers" ]]; then
    echo "=> OK: No public containers found in storage account $storage_account"
    continue
  else
    # Use plain echo (not echo -n): without a trailing newline, read would skip the last container
    echo "$public_containers" | while read -r container; do
      echo "=> Warning: Container $container is public"
    done
  fi
done
```
Remediate vulnerable resources
Set the storage container "public access level" to "private". Ideally, also set the storage account property allowBlobPublicAccess to false to ensure that no storage container in the account can be made public.
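The two-level check above (container level and account level) and the remediation it leads to, as an added example that is not part of the original page or of Datadog's tooling. It runs over constructed sample JSON shaped like the output of `az storage account list` and `az storage container list`; the account names, container names and the `rg-example` resource group are placeholders.

```python
import json

# Constructed sample output (not real data) mimicking `az storage account list`.
ACCOUNTS_JSON = """[
  {"name": "lockedacct", "allowBlobPublicAccess": false},
  {"name": "openacct",   "allowBlobPublicAccess": true},
  {"name": "legacyacct", "allowBlobPublicAccess": null}
]"""

# Constructed sample output mimicking `az storage container list --account-name <name>`.
CONTAINERS_JSON = {
    "lockedacct": '[{"name": "backups", "properties": {"publicAccess": "container"}}]',
    "openacct": ('[{"name": "private-docs", "properties": {"publicAccess": null}},'
                 ' {"name": "www", "properties": {"publicAccess": "blob"}}]'),
    "legacyacct": '[{"name": "exports", "properties": {"publicAccess": "container"}}]',
}


def find_public_containers(accounts_json, containers_json_by_account):
    """Return (account, container, level) triples for containers that are anonymously readable.

    A container is exposed only when its own public access level is not private AND the
    account does not explicitly block public access. Assumption: a null/missing
    allowBlobPublicAccess is treated as "not explicitly blocked", matching the page's wording.
    """
    findings = []
    for account in json.loads(accounts_json):
        if account.get("allowBlobPublicAccess") is False:
            continue  # account-level block makes every container private regardless of its level
        containers = json.loads(containers_json_by_account.get(account["name"], "[]"))
        for container in containers:
            level = container["properties"].get("publicAccess")  # "blob", "container" or null
            if level is not None:
                findings.append((account["name"], container["name"], level))
    return findings


def remediation_commands(findings, resource_group):
    """Build the az CLI commands that make each exposed container private and then block public access at the account level."""
    cmds = [f"az storage container set-permission --account-name {acct} --name {name} --public-access off"
            for acct, name, _ in findings]
    for acct in sorted({acct for acct, _, _ in findings}):
        cmds.append(f"az storage account update --name {acct} --resource-group {resource_group} --allow-blob-public-access false")
    return cmds


if __name__ == "__main__":
    exposed = find_public_containers(ACCOUNTS_JSON, CONTAINERS_JSON)
    for acct, name, level in exposed:
        print(f"Warning: container {name} in {acct} is public (level: {level})")
    print("\n".join(remediation_commands(exposed, "rg-example")))
```

Note that `backups` in `lockedacct` is not reported even though its own level is "container": the account-level block takes precedence, which is why the page recommends setting it.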
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Blob Containers anonymous access is restricted".
Configure anonymous public read access for containers and blobs
Public cloud breaches of 2022 linked to public Azure Storage containers