
Full public read access Azure blob storage

Description

Azure Blob Storage is Microsoft's cloud-based object storage service for unstructured data. While containers and blobs are private by default, administrators can configure public access levels to allow anonymous read access. This vulnerability occurs when a container is configured with Full public read access (also known as "Container" level access), which allows unauthenticated users to not only read blob contents but also enumerate and list all files and directories within the container. This configuration exposes more information than necessary and violates the principle of least privilege.

Remediation

Change the Azure Blob Storage container access level to restrict public enumeration. The recommended configurations are:

1. Private (No public access) - Recommended for most use cases. Only authenticated requests with proper credentials can access the container and its blobs.

2. Blob (Public read access for blobs only) - Use only when you need to serve specific files publicly. This allows anonymous users to read blobs if they know the exact blob name, but prevents listing/enumeration of container contents.

To change the access level via Azure Portal:
- Navigate to your Storage Account → Containers
- Select the container → Access policy
- Change "Public access level" to "Private" or "Blob"
- Click Save

To configure via Azure CLI:

az storage container set-permission --name <container-name> --public-access off --account-name <storage-account-name>

To configure via PowerShell (the -Permission value Off corresponds to Private; Blob would allow blob-only reads):

# $ctx is the storage context for the account that owns the container
$ctx = New-AzStorageContext -StorageAccountName <storage-account-name> -UseConnectedAccount
Set-AzStorageContainerAcl -Name <container-name> -Permission Off -Context $ctx

Additionally, consider implementing Azure Storage firewalls, virtual network rules, or Shared Access Signatures (SAS) with expiration times for controlled access to blob resources.
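To confirm the remediation from the outside, the following added example (not code from Invicti or from this page) issues the same unauthenticated List Blobs request an anonymous user would make and classifies the response: a 200 with an EnumerationResults document means the container is still at "Container" level and every blob name is enumerable, anything else means listing was refused. The account and container names and the sample response bodies are constructed.

```python
"""Check whether an Azure Blob container still permits anonymous listing."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET


def listing_url(account: str, container: str) -> str:
    """URL of the List Blobs operation on the public Blob service endpoint."""
    return (f"https://{account}.blob.core.windows.net/{container}"
            "?restype=container&comp=list")


def classify_listing_response(status: int, body: str) -> dict:
    """Interpret an unauthenticated List Blobs response.

    200 + <EnumerationResults> = "Container" level: blob names are exposed.
    Any other status = listing refused (Private or Blob level, or public
    access disabled on the account); the error <Code>, if present, is
    reported as-is because the exact code depends on the account settings.
    """
    if status == 200 and "<EnumerationResults" in body:
        root = ET.fromstring(body)
        names = [b.findtext("Name") for b in root.iter("Blob")]
        return {"level": "container", "exposed_blobs": names}
    code = None
    try:
        code = ET.fromstring(body).findtext("Code")
    except ET.ParseError:  # non-XML body (e.g. empty): just report the status
        pass
    return {"level": "not-listable", "status": status, "error_code": code}


def check_live(account: str, container: str, timeout: float = 10.0) -> dict:
    """Run the anonymous check against a real account (no credentials sent)."""
    req = urllib.request.Request(listing_url(account, container))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_listing_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return classify_listing_response(e.code, e.read().decode(errors="replace"))


# Constructed sample responses, shaped like the Blob service's XML.
LISTABLE_BODY = ('<EnumerationResults ContainerName="files"><Blobs>'
                 "<Blob><Name>backup.sql</Name></Blob>"
                 "<Blob><Name>config.json</Name></Blob>"
                 "</Blobs><NextMarker /></EnumerationResults>")
REFUSED_BODY = ("<Error><Code>ResourceNotFound</Code>"
                "<Message>The specified resource does not exist.</Message></Error>")

if __name__ == "__main__":
    print(classify_listing_response(200, LISTABLE_BODY))
    print(classify_listing_response(404, REFUSED_BODY))
```

Run `check_live("<storage-account-name>", "<container-name>")` against your own account after changing the access level; the result should no longer report `level: container`.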
