Azure Storage account modified to allow public blob access
Description
AlphaSOC detected a modification to an Azure Storage account that enables public
blob access. This is identified through the
Microsoft.Storage/storageAccounts/write action where the
allowBlobPublicAccess property is set to true. Azure Storage accounts
provide blob storage for unstructured data, and organizations typically restrict
public access to protect sensitive information stored in containers and blobs.
The allowBlobPublicAccess setting controls whether containers within the
storage account can be configured for anonymous public read access. When
enabled, individual containers can be set to allow public access at either the
blob level (allowing public read access to specific blobs) or container level
(allowing public listing and read access to all blobs in the container).
Threat actors who have already gained access to an Azure environment may enable this setting to facilitate data exfiltration, making sensitive data accessible to anyone on the Internet without authentication. With public blob access enabled, attackers can retrieve stolen data from external locations, share compromised information with other parties, or prepare for ransomware attacks by ensuring backup data can be accessed publicly before encryption.
Impact
Enabling public blob access on Azure Storage accounts exposes stored data to unauthorized access from any location on the Internet. Attackers can leverage this configuration to exfiltrate sensitive information without authentication, allowing them to retrieve confidential documents, customer data, proprietary code, credentials, or other valuable assets from external systems. The public exposure enables data breaches where unauthorized parties can download sensitive information, potentially leading to regulatory violations, intellectual property theft, and reputational damage. Organizations also face increased risk of data tampering if containers are configured with public write access, allowing attackers to inject malicious content, modify existing data, or delete critical backups. The absence of authentication requirements means security teams cannot track who accessed the data or attribute downloads to specific actors, complicating incident response and forensic investigations.
Severity
| Severity | Condition |
|---|---|
| Medium | Azure Storage account modified to allow public blob access |
Investigation and Remediation
Review Azure Activity logs to identify the
Microsoft.Storage/storageAccounts/write event and examine the request body to
confirm the allowBlobPublicAccess property was set to true. Identify the
affected storage account and determine which containers and blobs are stored
within it. Verify the principal (user, service principal, or managed identity)
that performed the modification and check the source IP address and user agent
to confirm whether the activity originated from authorized infrastructure or
personnel. Immediately assess whether any containers within the storage account
have been configured for public access by reviewing container-level access
policies and examining Azure Storage logs for anonymous access attempts.
If the modification was unauthorized, disable public blob access at the storage
account level by setting allowBlobPublicAccess to false, which will override
any container-level public access configurations. Review the time period when
public access was enabled to identify any data retrieval activities by examining
Azure Storage analytics logs, diagnostic logs, and network flow logs for
connections from unexpected external IP addresses. Determine what data may have
been exposed and assess the sensitivity of the information to evaluate breach
notification requirements. Disable or rotate credentials for the compromised
principal and review Azure RBAC assignments to remove excessive permissions on
storage account resources. Implement Azure Policy to prevent enabling public
blob access on storage accounts containing sensitive data, and configure alerts
for future modifications to storage account public access settings.
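As an added defender-side example (not AlphaSOC's own detection code), the following Python flags the event described above in Azure Activity log records and pulls out the triage fields the investigation steps start from. The record layout (`operationName`, `resultType`, `caller`, `callerIpAddress`, and `properties.requestbody` holding the ARM request as a JSON string) is a simplified assumption about the Activity log export schema, and the sample events are constructed.

```python
import json

TARGET_OPERATION = "Microsoft.Storage/storageAccounts/write"
TARGET_PROPERTY = "allowBlobPublicAccess"

def parse_request_body(record):
    """Return the ARM request body as a dict ({} if missing or not JSON).
    Assumed layout: properties.requestbody holds the body as a JSON string."""
    body = record.get("properties", {}).get("requestbody")
    if isinstance(body, str):
        try:
            body = json.loads(body)
        except json.JSONDecodeError:
            return {}
    return body if isinstance(body, dict) else {}

def enables_public_blob_access(record):
    """True when a successful storage-account write sets allowBlobPublicAccess to true."""
    if record.get("operationName") != TARGET_OPERATION:
        return False
    # ARM logs a Start and a Success event per write; count only the successful one.
    if record.get("resultType", "Success") != "Success":
        return False
    value = parse_request_body(record).get("properties", {}).get(TARGET_PROPERTY)
    # ARM uses JSON booleans; tolerate a string "true" from loosely typed tooling.
    return value is True or (isinstance(value, str) and value.lower() == "true")

def triage(records):
    """Return the fields the investigation steps start from, one dict per matching event."""
    keys = ("eventTimestamp", "resourceId", "caller", "callerIpAddress")
    return [{k: r.get(k) for k in keys} for r in records if enables_public_blob_access(r)]

# Constructed sample events (not real log data) in the assumed layout; resource IDs are placeholders.
ENABLE = {"eventTimestamp": "2024-05-01T10:00:00Z", "operationName": TARGET_OPERATION,
          "caller": "svc-deploy@example.com", "callerIpAddress": "203.0.113.7",
          "resourceId": "/subscriptions/<sub-id>/.../storageAccounts/corpdata",
          "properties": {"requestbody": '{"properties":{"allowBlobPublicAccess":true}}'}}
SAMPLE_EVENTS = [
    {**ENABLE, "resultType": "Start"},  # the Start record must not produce a second alert
    {**ENABLE, "resultType": "Success"},
    {"eventTimestamp": "2024-05-01T11:30:00Z", "operationName": TARGET_OPERATION, "resultType": "Success",
     "caller": "admin@example.com", "callerIpAddress": "198.51.100.9",
     "resourceId": "/subscriptions/<sub-id>/.../storageAccounts/backups",
     "properties": {"requestbody": '{"properties":{"allowBlobPublicAccess":false}}'}},  # remediation write
    {"operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "resultType": "Success",
     "caller": "admin@example.com", "callerIpAddress": "198.51.100.9", "properties": {}},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```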