What's the use of anonymous access at storage account level if the access is handled by container settings?

Najam ul Saqib 320 Reputation points
2024-07-02T09:59:21.18+00:00

Hello wonderful community!

I am trying to understand storage account access issues; Defender for Cloud has one recommendation that says "Storage account public access should be disallowed", which lists some accounts in my subscription, and opening one of them takes me to the Configuration page with "Allow blob anonymous access" set to Enabled.

I want to know the threat it poses to my storage accounts. All the containers in the account are set to Private and I have tried accessing the blobs directly using URLs, but it is not possible because of the private setting on the container, so then what is the impact of the account-level setting? What can an attacker do with "Allow blob anonymous access" set to Enabled but all containers set to Private?

As of now, the account level setting seems useless to me as the access setting as per the table in https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent?tabs=portal#about-anonymous-read-access is mainly dependent on container-level access setting, but obviously I am missing something.

Can someone explain?


Accepted answer
  1. Amrinder Singh 5,155 Reputation points Microsoft Employee
    2024-07-02T10:31:33.7366667+00:00

    Hi Najam ul Saqib- Thanks for reaching out.

If you already have the container level set as Private, in that scenario the data from that storage account can't be accessed anonymously and will need another auth mechanism to be provided, such as Access keys, SAS keys, OAuth (AD roles), etc., in order to access that data.

When you apply it at the account level, it prevents anonymous access to all the containers, overriding or irrespective of what is configured at the container level. In that case, even if you set the access level of a container to Blob or Container, it still won't allow anonymous access. You won't get the option to configure the access level on the individual container in that case.

    However, if you enable anonymous access on the account level, then it follows what is set on the individual container. That's the key difference between configuring on the account level versus what is configured on the individual container.

    Hope that helps!

Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.


2 additional answers

  1. Amrinder Singh 5,155 Reputation points Microsoft Employee
    2024-07-02T11:40:41.4233333+00:00

    Hi Najam ul Saqib - Thanks for reaching out.

If you already have the container level set as Private, in that case the data from that container can't be accessed anonymously. You will need some other auth mechanism such as Access Keys, SAS, OAuth (AD roles), etc., in order to access the data from the container.

In case you disallow public access at the account level, it then supersedes what is configured at the individual container level all at once. In fact, it won't even allow you to configure the access level on the container level then. All the anonymous access at the account level (for all containers) is disabled at once.

    However, when you enable it on the account level, then it further follows what is configured on the individual container level. This is the key difference in here.

    Hope this helps.

    Please feel free to reach out for any further queries/concerns, will be glad to assist.

Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.


  2. Ramya Harinarthini_MSFT 5,351 Reputation points Microsoft Employee
    2024-07-02T11:16:55.7033333+00:00

    @Najam ul Saqib Welcome to Microsoft Q&A Forum, Thanks for posting here!!

    The recommendation to disable anonymous access at the storage account level is a security best practice aimed at reducing potential attack surfaces, even if the immediate impact seems minimal due to private container settings. Here are the key points to understand about this recommendation:

    Threats and Risks

    1. Future Misconfigurations:
      • If the storage account allows anonymous access and a container's setting is accidentally or maliciously changed to allow public access, the blobs in that container could become accessible to anyone.
    2. Accidental Data Exposure:
      • Users or applications might unintentionally expose data by setting container-level permissions to public, thinking it is safe due to the default settings of the account.
    3. Least Privilege Principle:
      • By disabling anonymous access at the storage account level, you enforce a stricter security posture adhering to the principle of least privilege, ensuring that no data can be accessed anonymously unless explicitly configured otherwise.

    Account-Level vs. Container-Level Settings

    Account-Level Setting (Allow blob anonymous access):

    • This setting acts as a safeguard that prevents any anonymous access at the storage account level. When this is disabled, it adds a layer of protection ensuring no container, even if configured incorrectly, can serve data to anonymous users.

    Container-Level Setting

    This setting determines if the blobs within that specific container can be accessed anonymously. Private containers will not allow anonymous access to their blobs, but this depends on individual container configurations.

    Potential Impact of Keeping Anonymous Access Enabled

    Even if all current containers are private, enabling anonymous access at the storage account level could lead to unintended data exposure in the following scenarios:

    • Future Misconfiguration: New containers may accidentally be created with public access.
    • Security Missteps: Administrative errors could inadvertently change container permissions, exposing sensitive data.
    • Audit and Compliance: Having the setting enabled might lead to compliance and audit issues as it might not align with security policies and best practices.

    While the immediate impact may seem minimal given your current private container settings, the recommendation to disable anonymous access at the storage account level is about reducing risk and ensuring a stronger security posture. It's a preventive measure to protect against potential misconfigurations or future changes that could lead to data exposure.

    Hope this helps!

Kindly let us know if the above helps or if you need further assistance on this issue.


Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.
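The two-level rule the accepted answer describes, and the "latent" risk the answer above warns about, can be turned into a small audit check. This is an added example, not code from the thread or from Microsoft; the input is constructed JSON shaped like the output of `az storage account show` (`allowBlobPublicAccess`) and `az storage container list` (`properties.publicAccess`), and those field names are assumed from the CLI rather than taken from the page.

```python
"""Audit effective anonymous read access on Azure blob containers.

Added example, not from the Q&A thread. Input is constructed JSON shaped like
`az storage account show` (allowBlobPublicAccess) and `az storage container
list` (properties.publicAccess); field names are assumed from the CLI.
"""
import json

# Constructed sample: account-level anonymous access still Enabled.
ACCOUNT_JSON = '{"name": "examplestg", "allowBlobPublicAccess": true}'
CONTAINERS_JSON = '''[
  {"name": "private-data", "properties": {"publicAccess": null}},
  {"name": "web-assets",   "properties": {"publicAccess": "blob"}},
  {"name": "dumps",        "properties": {"publicAccess": "container"}}
]'''


def effective_access(account_allows: bool, container_level) -> str:
    """Two-level rule from the thread: account-level Disabled wins over any
    container setting; Enabled defers to the container (null = Private)."""
    if not account_allows:
        return "none"
    level = (container_level or "private").lower()
    return {"private": "none", "blob": "blob", "container": "container"}[level]


def classify(account: dict, containers: list) -> list:
    """Return (container, effective access, risk) per container.

    EXPOSED: anonymous reads work now. LATENT: private today, but the account
    allows anonymous access, so one container-level change exposes it (the
    misconfiguration the answers warn about). OK: account-level guard in place.
    """
    allows = bool(account.get("allowBlobPublicAccess"))
    rows = []
    for c in containers:
        eff = effective_access(allows, c.get("properties", {}).get("publicAccess"))
        risk = "EXPOSED" if eff != "none" else ("LATENT" if allows else "OK")
        rows.append((c["name"], eff, risk))
    return rows


if __name__ == "__main__":
    account, containers = json.loads(ACCOUNT_JSON), json.loads(CONTAINERS_JSON)
    for name, eff, risk in classify(account, containers):
        print(f"{name:14} effective={eff:10} {risk}")
```

Setting `allowBlobPublicAccess` to false moves every container to OK regardless of its own level, which is exactly what the Defender for Cloud recommendation is asking for.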
