Azure Blob Storage

  • Question

  • Is there a way to check for blob or log storage containers that are publicly accessible? This is for security purposes, just in case by accident a blob that contains critical information is publicly exposed.

    Thanks

    Monday, February 17, 2020 8:34 PM

All replies

  • Hello Obiwanu

    You can use the following PowerShell cmdlets to check if the PublicAccess for a container is on or off.

    PS C:\Users> $storageaccountName = "dg859"
    PS C:\Users> $Context = New-AzureStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey "XXXXXXXXXXX"
    
    PS C:\Users> Get-AzureStorageContainer -Name "projectx" -Context $Context | fl
    
    CloudBlobContainer : Microsoft.WindowsAzure.Storage.Blob.CloudBlobContainer
    Permission         : Microsoft.WindowsAzure.Storage.Blob.BlobContainerPermissions
    PublicAccess       : Off
    LastModified       : 22-07-2019 12:15:52 +00:00
    ContinuationToken  :
    Context            : Microsoft.WindowsAzure.Commands.Storage.AzureStorageContext
    Name               : projectx
    
    

    However, you would need to build the above into a script to check all the containers by running the script periodically. If you have subscribed to the Standard tier of Azure Security Center, Advanced Threat Protection is automatically set up for all of your storage accounts, and it can help you monitor this and even generate automated email alerts once this is set up for any kind of anonymous access.

    As far as I know, it checks access attempts. But I have not tested if it will automatically check which storage accounts can be publicly accessed or not. The above methods I suggested can be used to do it manually, or you can be protected using Azure Advanced Threat Protection.

    Hope this helps. In case the information provided helped you, please do mark it as answer so that it could help others searching for similar answers.

    Thank you.

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!!

    Tuesday, February 18, 2020 3:01 PM
  • Thanks for the update.

    I just want to be clear on this. The best option for this issue is either to subscribe to the Standard Tier of Azure Security Center or use a third-party tool.

    Wednesday, February 19, 2020 3:22 PM
  • Yes, you are correct. Alternatively, you can write your own PowerShell script to automate this as well, but that would require significant time investments into perfecting the same to your organisational security requirements. If the information was helpful, please do mark it as answer so that it's helpful to other members of the community searching for similar questions.

    Thank you. 




    Wednesday, February 19, 2020 5:15 PM
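
The replies above check one container by hand and suggest scripting the check across all containers. The following is an added example, not code from the thread: it performs the same PublicAccess check for every storage account in the current subscription, using the Az module cmdlets (Get-AzStorageAccount, Get-AzStorageContainer) rather than the older Azure cmdlets shown in the reply. The function name Get-PublicContainer is hypothetical, and an authenticated session (Connect-AzAccount) with rights to read the accounts is assumed.

```powershell
# Added example: report every container whose PublicAccess is not Off.
# Assumes the Az.Accounts and Az.Storage modules and a prior Connect-AzAccount.
function Get-PublicContainer {
    [CmdletBinding()]
    param(
        # Optional: limit the audit to a single resource group
        [string]$ResourceGroupName
    )

    $accounts = if ($ResourceGroupName) {
        Get-AzStorageAccount -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzStorageAccount
    }

    foreach ($account in $accounts) {
        try {
            # Use the storage context that Get-AzStorageAccount attaches to each account
            $containers = Get-AzStorageContainer -Context $account.Context -ErrorAction Stop
        } catch {
            # Accounts that cannot be listed (firewall, missing rights) are reported, not skipped silently
            Write-Warning "Could not list containers in $($account.StorageAccountName): $($_.Exception.Message)"
            continue
        }

        foreach ($container in $containers) {
            # Compare as a string: Off means no anonymous access, Blob allows anonymous
            # blob reads, Container also allows anonymous listing. An empty value means
            # the access level could not be read and is not treated as a finding here.
            $level = "$($container.PublicAccess)"
            if ($level -and $level -notin 'Off', 'None') {
                [pscustomobject]@{
                    ResourceGroup  = $account.ResourceGroupName
                    StorageAccount = $account.StorageAccountName
                    Container      = $container.Name
                    PublicAccess   = $level
                    LastModified   = $container.LastModified
                }
            }
        }
    }
}

# One row per publicly readable container; no rows means none were found
Get-PublicContainer | Format-Table -AutoSize
```

Run it on a schedule and alert on any returned row to get the periodic check the reply describes.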