What's the best practice to expose static files from storage account without anonymous access?

Najam ul Saqib 320 Reputation points
2024-10-30T12:41:20.1633333+00:00

Hi,

So I have a case where I see multiple storage accounts with anonymous access enabled on container level; the thing is it comes up as a security issue that the anonymous read access is enabled but after all the files in there are just static files served to some web application.

Is there any better approach to serve the files on web app without enabling anonymous read access on storage account? Is this even a security risk?

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,218 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,913 questions
Azure
Azure
A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.
1,032 questions
{count} votes

1 answer

Sort by: Most helpful
  1. KarishmaTiwari-MSFT 20,127 Reputation points Microsoft Employee
    2024-10-30T23:40:42.44+00:00

    @Najam ul Saqib You can achieve this by using Shared Access Signatures (SAS) or Azure CDN.

    You can generate SAS tokens that provide limited access to your storage account resources. These tokens can be configured to allow read access to specific files or containers for a defined period. Embed SAS URLs in your web app to securely access the static files. This way, only users with the correct SAS token can access the files. https://learn.microsoft.com/en-us/azure/storage/common/sas-expiration-policy?tabs=azure-portal

    By integrating your storage account with Azure CDN, you can serve your static files through the CDN endpoints. Azure CDN can cache the files and serve them to users without exposing your storage account directly. You can configure the CDN to require authentication or use SAS tokens to control access to the files. https://learn.microsoft.com/en-us/azure/cdn/cdn-create-a-storage-account-with-cdn

    If you have any questions, let me know in the comments.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.