Information disclosure from public blob access in Azure Storage account configuration

High Risk infrastructure-security
azure, blob-storage, public-access, anonymous-access, information-disclosure, data-exposure, terraform

What it is

An Azure Storage account with blob public access enabled lets any container in the account be opened to anonymous, unauthenticated reads over the internet. Anyone who knows or can guess a blob URL can download its contents, which leads to exposure of sensitive data, bulk scraping, leaked secrets (keys and connection strings stored as files) and compliance violations. The account-level switch is the control that matters: as long as it is on, a single container setting is enough to expose data.

# VULNERABLE: Storage account with public blob access enabled
# (attribute names below are those of azurerm provider 2.x; in azurerm 3.x
# allow_blob_public_access is named allow_nested_items_to_be_public)
resource "azurerm_storage_account" "vulnerable_storage" {
  name                     = "vulnerablestorage123"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # VULNERABLE: explicitly allows containers in this account to be made public
  allow_blob_public_access = true
}

# VULNERABLE: Container with public access
resource "azurerm_storage_container" "vulnerable_container" {
  name                  = "vulnerable-data"
  storage_account_name  = azurerm_storage_account.vulnerable_storage.name
  # VULNERABLE: anonymous read of any blob whose URL is known ("container"
  # would additionally allow anonymous listing of every blob in it)
  container_access_type = "blob"
}

# VULNERABLE: Storage account without explicit setting
resource "azurerm_storage_account" "default_public" {
  name                     = "defaultpublic123"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  # VULNERABLE: the public access setting is omitted, so the provider default
  # decides (on azurerm 3.x allow_nested_items_to_be_public defaults to true),
  # and containers can be made public without any visible opt-in here
}

# SECURE: Storage account with public blob access disabled
resource "azurerm_storage_account" "secure_storage" {
  name                     = "securestorage123"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  # SECURE: Disable public blob access account-wide. A container with
  # container_access_type "blob" or "container" can then no longer be
  # created in this account. (azurerm 3.x name: allow_nested_items_to_be_public)
  allow_blob_public_access = false

  # SECURE: Transport hardening
  # (azurerm 4.x renames this attribute to https_traffic_only_enabled)
  enable_https_traffic_only = true
  min_tls_version           = "TLS1_2"

  # SECURE: Default-deny storage firewall, evaluated for every request,
  # anonymous or authenticated. ip_rules must be public IPv4 addresses or
  # ranges (203.0.113.0/24 is a documentation placeholder); listed subnets
  # need the Microsoft.Storage service endpoint enabled.
  network_rules {
    default_action = "Deny"
    ip_rules       = ["203.0.113.0/24"]
    virtual_network_subnet_ids = [
      azurerm_subnet.secure.id
    ]
  }
}

# SECURE: Container with private access only
resource "azurerm_storage_container" "secure_container" {
  name                  = "secure-data"
  storage_account_name  = azurerm_storage_account.secure_storage.name
  # SECURE: No public access
  container_access_type = "private"
}

# SECURE: Private endpoint for storage account. Clients must resolve the
# account through a privatelink.blob.core.windows.net private DNS zone for
# traffic to actually use the private IP; otherwise they still hit the
# public endpoint (subject to the network_rules above).
resource "azurerm_private_endpoint" "storage_endpoint" {
  name                = "storage-private-endpoint"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.secure.id

  private_service_connection {
    name                           = "storage-connection"
    private_connection_resource_id = azurerm_storage_account.secure_storage.id
    subresource_names              = ["blob"]
    is_manual_connection           = false
  }
}

💡 Why This Fix Works

The vulnerable configurations either set allow_blob_public_access = true or leave it unset and rely on the provider default, and then give containers the "blob" or "container" access type. Any anonymous client on the internet can then read blob data (and, with "container", list it) without presenting a credential. The secure version turns the account-level switch off (allow_blob_public_access = false; allow_nested_items_to_be_public = false on azurerm 3.x and later), so no container in the account can be made public and an attempt to create one fails at apply time; keeps containers private; adds a default-deny storage firewall that is evaluated for every request, anonymous or authenticated; and optionally adds a private endpoint so clients reach the account over a private IP. Note that a private endpoint alone does not remove the public endpoint: keep the firewall rules, and on azurerm 3.x consider public_network_access_enabled = false once all clients use the private path.

Why it happens

Public blob access is an account-level switch that is easy to leave in its permissive state. When it is not explicitly set to false (or is explicitly true), any container in the account may be given a public access type, and a single container set to "blob" or "container" is enough to expose its data to anonymous readers.

Root causes

Default Public Blob Access Setting

Storage accounts are created without an explicit false value for the account-level public access switch (allow_blob_public_access, or allow_nested_items_to_be_public on azurerm 3.x, where it defaults to true). The account then permits individual containers to be made publicly accessible, so one careless container setting, by Terraform or in the portal, is enough for unintended exposure.

Public Container Access Configuration

Storage containers explicitly configured with container_access_type set to 'blob' or 'container' grant anonymous, unauthenticated read access. With 'blob', anyone who knows or can guess a blob URL can download it; with 'container', anyone can also list the container and enumerate every blob in it, so guessing is not even required.

Unhardened Development Configurations

Development or testing storage configurations that use public access for convenience are promoted to production without security review or hardening. Public access settings intended for non-production environments expose production data.

Absent Network Security Controls

Storage accounts lack network_rules configuration with restrictive policies. Without network-level access controls and firewall rules, publicly accessible blobs can be reached from any IP address globally.

Inadequate Public Access Monitoring

Organizations lack continuous monitoring and alerting for public blob access configurations. Changes that enable public access go undetected, and existing public containers remain undiscovered during security audits.
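One way to make such a change visible at plan time instead of after the fact is a Terraform check block that asserts on the resources' own attributes. The following is an added example, not code from the original page; it assumes Terraform 1.5 or later (for the check block), azurerm provider 3.x (where the account attribute is named allow_nested_items_to_be_public rather than allow_blob_public_access), and the secure_storage account and secure_container container defined above.

```hcl
# Added example: plan-time assertions (Terraform >= 1.5, azurerm 3.x).
# Assumes azurerm_storage_account.secure_storage and
# azurerm_storage_container.secure_container from this page.
check "no_anonymous_blob_access" {
  # Account-level switch. On azurerm 3.x this attribute defaults to true, so an
  # omitted or flipped setting is exactly what this assertion is meant to catch.
  assert {
    condition     = azurerm_storage_account.secure_storage.allow_nested_items_to_be_public == false
    error_message = "Storage account ${azurerm_storage_account.secure_storage.name} allows anonymous (public) blob access."
  }

  # Container-level access type. Both "blob" and "container" grant anonymous reads;
  # "container" also allows anonymous listing.
  assert {
    condition     = azurerm_storage_container.secure_container.container_access_type == "private"
    error_message = "Container ${azurerm_storage_container.secure_container.name} is not private (container_access_type = ${azurerm_storage_container.secure_container.container_access_type})."
  }
}
```

A failed check is reported as a warning in the plan output and does not stop the apply on its own, which is enough to flag it in CI logs or a pull request. To make it a hard stop, put the same condition in a lifecycle postcondition block inside the resource, which fails the run, or enforce it outside Terraform with Azure Policy so that changes made in the portal are caught as well.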

Fixes

1. Disable Public Blob Access at Account Level

Set allow_blob_public_access = false (allow_nested_items_to_be_public = false on azurerm 3.x and later) on every Azure Storage account, explicitly rather than relying on the provider default. This prevents any container in the account from being given a public access type, so an existing public container stops serving anonymous requests and an attempt to create one fails at apply time. That failure is intended; treat it as a signal that a container configuration still needs fixing.

2. Implement Azure AD and RBAC Authentication

Configure Azure Active Directory authentication with Role-Based Access Control for blob access. Use built-in data-plane roles such as Storage Blob Data Reader and Storage Blob Data Contributor, scoped as narrowly as possible (to a container rather than the account), to provide identity-based access control. Disabling shared key access on the account at the same time ensures the account key cannot be used to bypass RBAC.
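The following is an added example of that setup, not code from the original page: an account that accepts only Azure AD tokens, with read access granted to a group at container scope. It assumes azurerm provider 3.x, the azurerm_resource_group.example resource used on this page, and an assumed input variable readers_group_object_id holding the object ID of an existing Azure AD group.

```hcl
# Added example (azurerm 3.x): Azure AD-only access with container-scoped RBAC.
# Assumes azurerm_resource_group.example from this page and an assumed input,
# var.readers_group_object_id, naming an existing Azure AD group.

provider "azurerm" {
  features {}
  # Required once shared keys are disabled: the provider manages containers over
  # the data plane and must authenticate with Azure AD instead of the account key.
  storage_use_azuread = true
}

variable "readers_group_object_id" {
  type        = string
  description = "Object ID of the Azure AD group allowed to read the container (assumed input)."
}

resource "azurerm_storage_account" "rbac_storage" {
  name                     = "rbacstorage123"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  allow_nested_items_to_be_public = false # no anonymous access, account-wide
  shared_access_key_enabled       = false # no account-key access and no key-signed SAS
  default_to_oauth_authentication = true  # portal and tools default to Azure AD auth
  enable_https_traffic_only       = true
  min_tls_version                 = "TLS1_2"
}

resource "azurerm_storage_container" "rbac_data" {
  name                  = "rbac-data"
  storage_account_name  = azurerm_storage_account.rbac_storage.name
  container_access_type = "private"
}

# Least privilege: a read-only data-plane role, scoped to this one container
# rather than to the account, resource group or subscription.
resource "azurerm_role_assignment" "container_readers" {
  scope                = "${azurerm_storage_account.rbac_storage.id}/blobServices/default/containers/${azurerm_storage_container.rbac_data.name}"
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = var.readers_group_object_id
}
```

The identity running Terraform also needs a data-plane role (for example Storage Blob Data Contributor) on the account once storage_use_azuread is on, because the provider can no longer fall back to the account key when it creates the container. Management-plane roles such as Contributor do not grant data-plane reads, which is the point of the separate Storage Blob Data roles.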

3. Deploy Private Endpoints

Configure Azure Private Endpoints (azurerm_private_endpoint) for storage accounts. A private endpoint gives the blob service a private IP address inside your virtual network. For this to remove internet exposure, clients must resolve the account through the privatelink.blob.core.windows.net private DNS zone, and the public endpoint must still be locked down with network_rules (or disabled with public_network_access_enabled = false on azurerm 3.x), since creating a private endpoint does not by itself close the public one.

4. Use Time-Limited SAS Tokens

When temporary external access is required, generate Shared Access Signatures (SAS) with the minimum permissions, an HTTPS-only restriction, an IP restriction where possible, and a short expiry. A SAS gives controlled, auditable access without ever enabling public access. Keep in mind that a service or account SAS is signed with the account key: it cannot be revoked individually (only by rotating the key or, for tokens bound to a stored access policy, by deleting the policy), and it stops working if shared key access is disabled on the account, in which case an Azure AD-backed user delegation SAS is the alternative.
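As an added example that is not part of the original page, the Terraform data source azurerm_storage_account_blob_container_sas can mint such a token for the secure_container container defined above. It assumes azurerm provider 3.x, that shared key access is still enabled on secure_storage (the token is signed with the account key), and a placeholder partner address 203.0.113.10.

```hcl
# Added example (azurerm 3.x): read-only, HTTPS-only, IP-bound SAS for one
# container, valid for one hour from the time the plan is computed.
# Assumes azurerm_storage_account.secure_storage and
# azurerm_storage_container.secure_container from this page.
data "azurerm_storage_account_blob_container_sas" "short_lived_read" {
  connection_string = azurerm_storage_account.secure_storage.primary_connection_string
  container_name    = azurerm_storage_container.secure_container.name
  https_only        = true

  # Bind the token to a single caller (assumed partner address) on top of
  # the account firewall.
  ip_address = "203.0.113.10"

  # timestamp() is recomputed on every plan, so each run issues a fresh token
  # and no token outlives the one-hour window.
  start  = timestamp()
  expiry = timeadd(timestamp(), "1h")

  # Read only: no listing, no writes, no deletes. Every field is required.
  permissions {
    read   = true
    add    = false
    create = false
    write  = false
    delete = false
    list   = false
  }
}

output "partner_container_url" {
  description = "Container URL with the SAS query string appended; handle as a secret."
  value       = "${azurerm_storage_account.secure_storage.primary_blob_endpoint}${azurerm_storage_container.secure_container.name}${data.azurerm_storage_account_blob_container_sas.short_lived_read.sas}"
  sensitive   = true
}
```

Because the data source reads the account connection string, the account key is present in the Terraform state; protect the state backend accordingly. The output is marked sensitive so it is not echoed in plan output, and a client uses it by appending the blob name to the container URL before the query string, for example with an HTTPS GET or az storage blob download with the --sas-token value.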

5. Enable Storage Firewall and VNet Rules

Configure storage account network_rules with default_action = 'Deny'. Use ip_rules and virtual_network_subnet_ids to create allowlists, ensuring only trusted networks can access storage even if public access were enabled.

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure from public blob access in Azure Storage account configuration and many other security issues in your codebase.