Public Blob Access
Description
Azure Storage accounts and Blob containers can inadvertently allow anonymous read and list access. Anonymous access to a blob requires two settings at once: the account property allowBlobPublicAccess must be true (older accounts may still have it true or unset; newer accounts default to false) and the container's publicAccess must be blob (anyone with a URL can read that blob) or container (anyone can also enumerate blob names). A storage firewall whose default action is Allow then exposes those containers to the whole internet. Separately, shared access signatures (SAS) with long lifetimes, no source IP restriction (sip), HTTP permitted (spr), or write/list permissions, signed with an account key that is never rotated, give effectively public access without any of the settings above. Public access frequently exposes PII, credentials, logs, and code artifacts.
Examples
Check Container Public Access
az storage container list --account-name <acct> --query "[].{name:name,publicAccess:properties.publicAccess}"
az storage account show -n <acct> --query "{allowBlobPublicAccess:allowBlobPublicAccess,networkRules:networkRuleSet}"
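The two commands above return the settings separately; whether a container is actually reachable anonymously depends on all three (container level, account property, firewall) at once. The following Python is an added example, not part of the original page, that takes the JSON those commands print (the sample JSON is constructed) and reports the effective exposure per container; the handling of an unset allowBlobPublicAccess is an assumption noted in the code.

```python
"""Triage the JSON printed by the two az commands above. Added example, not
from the original page; the sample JSON is constructed. It decides which
containers are genuinely reachable anonymously: the container must grant public
access, the account must allow it, and the storage firewall must admit
unauthenticated internet clients. Any one of the three closes the hole.
"""
import json

# Constructed sample of:
# az storage container list ... --query "[].{name:name,publicAccess:properties.publicAccess}"
CONTAINERS_JSON = """[
  {"name": "backups", "publicAccess": "container"},
  {"name": "assets",  "publicAccess": "blob"},
  {"name": "private", "publicAccess": null}
]"""

# Constructed sample of:
# az storage account show ... --query "{allowBlobPublicAccess:allowBlobPublicAccess,networkRules:networkRuleSet}"
ACCOUNT_JSON = """{
  "allowBlobPublicAccess": true,
  "networkRules": {"bypass": "AzureServices", "defaultAction": "Allow",
                   "ipRules": [], "virtualNetworkRules": []}
}"""


def effective_exposure(containers, account):
    """Map container name -> one of
    'listable'  anyone can enumerate blob names and read them
    'readable'  anyone who already knows a blob URL can read it
    'blocked-by-account', 'blocked-by-firewall', 'private'"""
    allow = account.get("allowBlobPublicAccess")
    # Assumption: treat an unset property as permitted (the historical default
    # on older accounts) so that it is surfaced rather than silently passed.
    if allow is None:
        allow = True
    rules = account.get("networkRules") or {}
    # defaultAction=Deny means anonymous callers succeed only from listed
    # IPs/VNets; this triage reports that as not internet-exposed.
    internet_open = (rules.get("defaultAction") or "Allow").lower() == "allow"

    out = {}
    for c in containers:
        level = (c.get("publicAccess") or "").lower()
        if level not in ("blob", "container"):
            out[c["name"]] = "private"
        elif not allow:
            out[c["name"]] = "blocked-by-account"
        elif not internet_open:
            out[c["name"]] = "blocked-by-firewall"
        else:
            out[c["name"]] = "listable" if level == "container" else "readable"
    return out


def triage_from_cli(containers_json, account_json):
    """Convenience wrapper taking the raw CLI output strings."""
    return effective_exposure(json.loads(containers_json), json.loads(account_json))


if __name__ == "__main__":
    for name, verdict in triage_from_cli(CONTAINERS_JSON, ACCOUNT_JSON).items():
        print(f"{name:10s} {verdict}")
```

Feed it the real output of the two commands (redirect each to a file and pass the contents) and treat every 'listable' or 'readable' verdict as a finding; 'blocked-by-firewall' still deserves a look, because anonymous reads from the allowed IP ranges or VNets will succeed.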
Test Anonymous Access
curl -I "https://<acct>.blob.core.windows.net/<container>/<blob>"
A 200 without any Authorization header or SAS means that blob is readable by anyone. A 404 does not prove the blob is absent: Azure also answers anonymous requests for blobs in private containers with 404, and a 403 usually means the storage firewall rejected the source address. This HEAD request only proves read access to one known blob; it says nothing about whether the container can be enumerated (publicAccess=container), which must be tested separately.
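The curl line only tests one blob. As an added example (not part of the original page), the Python below also performs the container-level check, the List Blobs REST operation (?restype=container&comp=list), which succeeds anonymously only when publicAccess is container, and parses the listing so you can see exactly what an anonymous caller learns. The account and container names are placeholders and the XML is a constructed sample of a List Blobs response, not captured data.

```python
"""Anonymous probing of a storage account. Added example, not part of the
original page. <acct>/<container> are placeholders and SAMPLE_LISTING is a
constructed List Blobs response, not captured data.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET


def blob_url(acct, container, blob):
    return f"https://{acct}.blob.core.windows.net/{container}/{blob}"


def list_url(acct, container, marker=None):
    """List Blobs operation; works anonymously only at publicAccess=container."""
    url = f"https://{acct}.blob.core.windows.net/{container}?restype=container&comp=list"
    return f"{url}&marker={marker}" if marker else url


def anonymous_request(url, method="GET"):
    """Unauthenticated request; returns (status, body). Sends no credentials."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def parse_blob_listing(xml_bytes):
    """Extract (name, size, content-type) from a List Blobs response, plus the
    NextMarker needed to fetch the following page (None when there is none)."""
    root = ET.fromstring(xml_bytes)
    blobs = []
    for b in root.iter("Blob"):
        props = b.find("Properties")
        blobs.append((
            b.findtext("Name"),
            int(props.findtext("Content-Length") or 0),
            props.findtext("Content-Type") or "",
        ))
    return blobs, (root.findtext("NextMarker") or None)


def classify(status, kind):
    """kind: 'blob' for a HEAD/GET on one blob, 'list' for List Blobs."""
    if 200 <= status < 300:
        return "public-listable" if kind == "list" else "public-readable"
    if status == 404:
        return "private-or-absent"       # Azure hides private data behind 404
    if status == 403:
        return "blocked-by-network-rules"
    return f"not-anonymous-{status}"


SAMPLE_LISTING = b"""<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://acct.blob.core.windows.net/" ContainerName="backups">
  <Blobs>
    <Blob><Name>db/prod-2024-01-01.bak</Name>
      <Properties><Content-Length>1048576</Content-Length><Content-Type>application/octet-stream</Content-Type></Properties>
    </Blob>
    <Blob><Name>.env</Name>
      <Properties><Content-Length>312</Content-Length><Content-Type>text/plain</Content-Type></Properties>
    </Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""


if __name__ == "__main__":
    blobs, marker = parse_blob_listing(SAMPLE_LISTING)
    for name, size, ctype in blobs:
        print(f"{size:>10}  {ctype:25s} {name}")
    # Live check against a real account (needs network):
    # status, body = anonymous_request(list_url("<acct>", "<container>"))
    # print(classify(status, "list"))
    # if classify(status, "list") == "public-listable":
    #     print(parse_blob_listing(body))
```

Run the live check from a host outside any allowed VNet or IP range, otherwise a firewall exception can make a container look public when it is not reachable from the internet. Keep following NextMarker until it is empty; large containers page their listings.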
Review SAS Token Exposure
# A SAS signed with an account key stays valid until its expiry (se); the only
# way to kill it early is to rotate that key. List the keys and compare the
# account's keyCreationTime (shown by az storage account show) against the
# age of any token found in code, tickets or logs.
az storage account keys list -n <acct> -g <rg>
# Wherever a SAS is generated (application code, CI, Storage Explorer), record
# its scope (sp, sr or ss/srt), expiry (se), IP range (sip), protocol (spr) and
# whether it references a stored access policy (si), which can be revoked
# without a key rotation.
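The properties worth checking on a SAS are all visible in its query string. The audit below is an added example, not code from the original page; the two sample tokens are constructed with fake signatures, and the 7-day lifetime limit is an assumed local policy value. It goes slightly beyond the bullet points above by also distinguishing ad-hoc key-signed tokens from stored-policy and user delegation tokens, because that determines how a leaked one can be invalidated.

```python
"""Audit a shared access signature for the weaknesses listed on this page.
Added example, not from the original page. SAMPLE_* are constructed tokens with
fake signatures; MAX_LIFETIME is an assumed local policy threshold.

SAS query parameters (names from the Azure Storage REST reference):
  sp  permissions (r read, l list, w write, d delete, c create, a add, ...)
  se  expiry      sip permitted IP range      spr permitted protocol(s)
  sr  service-SAS resource (b blob, c container)
  ss/srt account-SAS services / resource types (s service, c container, o object)
  si  stored access policy id (revocable without rotating the key)
  skoid present on a user delegation SAS (bound to a directory identity)
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

MAX_LIFETIME = timedelta(days=7)        # assumption: local policy threshold
NON_READ_PERMS = set("acdlwxtmep")      # anything beyond plain read

SAMPLE_BROAD = ("https://acct.blob.core.windows.net/?sv=2022-11-02&ss=b&srt=sco&sp=rwdlac"
                "&se=2030-01-01T00:00:00Z&spr=https,http&sig=FAKE%3D")
SAMPLE_TIGHT = ("https://acct.blob.core.windows.net/backups/x.bak?sv=2022-11-02&sr=b&sp=r"
                "&se=2025-01-01T01:00:00Z&sip=203.0.113.10&spr=https&si=readonly&sig=FAKE%3D")


def parse_sas(url_or_query):
    """Return the SAS parameters as a flat dict (first value per key)."""
    query = url_or_query.split("?", 1)[1] if "?" in url_or_query else url_or_query
    return {k: v[0] for k, v in parse_qs(query).items()}


def _parse_time(value):
    # Azure accepts YYYY-MM-DD, YYYY-MM-DDThh:mm:ssZ and up to 7 fractional digits
    return datetime.fromisoformat(value.rstrip("Z").split(".")[0]).replace(tzinfo=timezone.utc)


def audit_sas(token, now=None, max_lifetime=MAX_LIFETIME):
    """Return [(code, detail), ...]; an empty list means nothing was flagged.
    `now` may be an ISO-8601 string or a datetime; defaults to the current time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_time(now)
    p = parse_sas(token)
    findings = []

    if "se" in p:
        remaining = _parse_time(p["se"]) - now
        if remaining <= timedelta(0):
            findings.append(("EXPIRED", f"expired at {p['se']}"))
        elif remaining > max_lifetime:
            findings.append(("LONG_LIFETIME", f"{remaining.days} days remain, limit is {max_lifetime.days}"))
    elif "si" not in p:
        findings.append(("NO_EXPIRY", "no se and no stored policy: lives until the key is rotated"))

    if "sip" not in p:
        findings.append(("NO_IP_RESTRICTION", "usable from any source address"))
    if "http" in p.get("spr", "https,http").split(","):   # spr omitted = both allowed
        findings.append(("HTTP_ALLOWED", "token may travel in clear text"))
    extra = set(p.get("sp", "")) & NON_READ_PERMS
    if extra:
        findings.append(("NON_READ_PERMISSIONS", "grants " + "".join(sorted(extra))))
    if set(p.get("srt", "")) >= {"s", "c", "o"}:
        findings.append(("ACCOUNT_SAS_BROAD_SCOPE", f"srt={p['srt']} spans every container and blob"))
    if "si" not in p and "skoid" not in p:
        # ad-hoc SAS signed with an account key: only key rotation invalidates it
        findings.append(("AD_HOC_KEY_SIGNED", "revocable only by rotating the signing key"))
    return findings


if __name__ == "__main__":
    for label, tok in (("broad", SAMPLE_BROAD), ("tight", SAMPLE_TIGHT)):
        print(label, audit_sas(tok, now="2025-01-01T00:00:00Z") or "no findings")
```

Point it at tokens harvested from repositories, pipeline logs and web pages; anything that returns AD_HOC_KEY_SIGNED together with LONG_LIFETIME or NON_READ_PERMISSIONS needs a key rotation, not just a code change, because the token keeps working after the source is cleaned up.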
Remediation
- Disable public access at both levels: set allowBlobPublicAccess to false on the account and publicAccess to none on every container. The account setting wins, so turning it off closes every container at once.
- A SAS cannot be revoked on its own: rotate the account key that signed it (which invalidates every SAS signed with that key), delete the stored access policy it references, or revoke the user delegation keys. Reissue with least privilege, short lifetimes, a sip range, HTTPS only, and a stored access policy so the next one can be revoked without a key rotation.
- Prefer Azure AD RBAC and private endpoints over keys and SAS; set the storage firewall default action to Deny and allow only the required VNets and IPs; use Defender for Cloud recommendations to flag accounts that still allow public access and Defender for Storage to alert on anomalous access to exposed containers.