Azure Storage account allows public network access
Description
AlphaSOC detected a modification to an Azure Storage account that enables public
network access. This is identified through the
Microsoft.Storage/storageAccounts/write action where publicNetworkAccess is
set to Enabled and network ACLs either permit all IP addresses or are absent
entirely. Threat actors may enable public network access to facilitate data
exfiltration.
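The detection condition above, written out as an added example (this is illustrative code, not AlphaSOC's detection engine): it walks a handful of constructed Activity Log style records, keeps only Microsoft.Storage/storageAccounts/write operations, parses the request body, and flags the write when publicNetworkAccess is Enabled and the network ACLs are either absent or have defaultAction set to Allow. The record shape (operationName.value, caller, resourceId, properties.requestbody as a JSON string) approximates the Azure Activity Log and the values are invented; the caller and resource ID are carried into the finding because they are the first things the investigation steps ask for.

```python
"""Flag Azure Storage account writes that open public network access.

Constructed example: the records below approximate Azure Activity Log
entries (operationName.value, caller, resourceId, properties.requestbody)
and are not real logs. This is illustrative detection logic, not a
vendor implementation.
"""
import json
from typing import Any, Dict, List, Optional

STORAGE_WRITE_OP = "microsoft.storage/storageaccounts/write"

# Constructed Activity Log entries (shape approximated, all values invented).
SAMPLE_ACTIVITY_LOG: List[Dict[str, Any]] = [
    {   # publicNetworkAccess Enabled, ACL defaultAction Allow -> finding
        "operationName": {"value": "Microsoft.Storage/storageAccounts/write"},
        "caller": "alice@example.com",
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                      "/resourceGroups/rg-example/providers/Microsoft.Storage"
                      "/storageAccounts/stexample1",
        "properties": {"requestbody": json.dumps({"properties": {
            "publicNetworkAccess": "Enabled",
            "networkAcls": {"defaultAction": "Allow", "ipRules": []}}})},
    },
    {   # publicNetworkAccess Enabled, networkAcls absent entirely -> finding
        "operationName": {"value": "Microsoft.Storage/storageAccounts/write"},
        "caller": "svc-deploy@example.com",
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                      "/resourceGroups/rg-example/providers/Microsoft.Storage"
                      "/storageAccounts/stexample2",
        "properties": {"requestbody": json.dumps({"properties": {
            "publicNetworkAccess": "Enabled"}})},
    },
    {   # Enabled but ACL defaultAction Deny with an allow-list -> no finding
        "operationName": {"value": "Microsoft.Storage/storageAccounts/write"},
        "caller": "bob@example.com",
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                      "/resourceGroups/rg-example/providers/Microsoft.Storage"
                      "/storageAccounts/stexample3",
        "properties": {"requestbody": json.dumps({"properties": {
            "publicNetworkAccess": "Enabled",
            "networkAcls": {"defaultAction": "Deny",
                            "ipRules": [{"value": "203.0.113.0/24"}]}}})},
    },
    {   # publicNetworkAccess Disabled -> no finding
        "operationName": {"value": "Microsoft.Storage/storageAccounts/write"},
        "caller": "carol@example.com",
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                      "/resourceGroups/rg-example/providers/Microsoft.Storage"
                      "/storageAccounts/stexample4",
        "properties": {"requestbody": json.dumps({"properties": {
            "publicNetworkAccess": "Disabled"}})},
    },
    {   # unrelated operation -> ignored
        "operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"},
        "caller": "alice@example.com",
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                      "/resourceGroups/rg-example/providers/Microsoft.Storage"
                      "/storageAccounts/stexample1",
        "properties": {},
    },
]


def parse_request_body(record: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the write request body as a dict, or None if missing/unparseable."""
    raw = record.get("properties", {}).get("requestbody")
    if not raw:
        return None
    try:
        body = json.loads(raw)
    except (TypeError, ValueError):
        return None
    return body if isinstance(body, dict) else None


def acls_permit_all(acls: Optional[Dict[str, Any]]) -> bool:
    """Absent ACLs, or defaultAction Allow, means every source IP is permitted."""
    if acls is None:
        return True
    return str(acls.get("defaultAction", "")).lower() == "allow"


def evaluate_record(record: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return a finding dict when the record matches the rule, else None."""
    op = record.get("operationName", {}).get("value", "")
    if op.lower() != STORAGE_WRITE_OP:
        return None
    body = parse_request_body(record)
    if body is None:
        return None
    props = body.get("properties") or {}
    if str(props.get("publicNetworkAccess", "")).lower() != "enabled":
        return None
    acls = props.get("networkAcls")
    if not acls_permit_all(acls):
        return None
    return {
        "severity": "Low",
        "title": "Azure Storage account allows public network access",
        "resource_id": record.get("resourceId", ""),
        "caller": record.get("caller", ""),
        "reason": ("network ACLs absent" if acls is None
                   else "networkAcls.defaultAction is Allow"),
    }


def detect(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run the rule over a batch of Activity Log records."""
    return [f for f in (evaluate_record(r) for r in records) if f is not None]


if __name__ == "__main__":
    for finding in detect(SAMPLE_ACTIVITY_LOG):
        print(f"[{finding['severity']}] {finding['resource_id']} "
              f"by {finding['caller']}: {finding['reason']}")
```

The Deny-with-allow-list record is deliberately left out of the findings: a write that enables public network access but scopes it to specific IP ranges is exactly the remediated state the Investigation and Remediation section describes, so treating it as a match would bury the real signal in noise.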
Impact
This may indicate a misconfiguration or a deliberate action by an attacker to weaken network security controls. Enabling public network access exposes storage data to connections from any IP address, allowing adversaries to exfiltrate sensitive data. The weakened network perimeter eliminates an important defense layer, permitting unauthorized access to blobs, files, tables, and queues from uncontrolled networks.
Severity
| Severity | Condition |
|---|---|
| Low | Azure Storage account allows public network access |
Investigation and Remediation
Check Azure Activity logs for the Microsoft.Storage/storageAccounts/write
event and examine it to verify network ACL configurations. Identify the affected
storage account. Verify the principal that performed the modification and
confirm whether the activity was authorized.
If modifications are confirmed unauthorized, immediately restrict public network
access by configuring network ACLs to allow only specific IP ranges or virtual
networks, or by disabling publicNetworkAccess entirely and using private
endpoints. Review Azure Storage diagnostic logs for connections from unexpected
IP addresses during the period when public access was enabled. Assess what data
may have been accessed and determine if any exfiltration occurred.
Implement Azure Policy to enforce network ACL requirements and configure alerts for future modifications to storage account network settings.
Known False Positives
- Authorized administrators configuring storage for public-facing applications requiring broad network access
- Data sharing scenarios where organizations intentionally allow access from diverse network locations