Blob public access

OlympusMons 1 Reputation point
2022-07-05T10:16:43.397+00:00

Hi all,

Recently, I was looking through Azure at our Storage accounts, mainly out of interest as I do quite a lot of work on the security side of things, however, Azure is not my strength.

I noticed there is a Storage account which is used for ASR (Azure Site Recovery) which has Blob public access enabled.

When I click Recommendations, under security, I see three medium impact recommendations, they are as follows...

  • Storage account should use a private link connection
  • Storage accounts should restrict network access using virtual network rules
  • Storage account public access should be disallowed

Even though Blob public access is enabled, I am unable to browse or see anything as an unauthenticated user. For example, I downloaded the Azure Storage Explorer and tried to connect to the Blob as an untrusted / unauthenticated user but I couldn't. However, I also cannot see any ACLs preventing untrusted / unauthenticated users from accessing the Blob, therefore what is preventing this? I would expect this Blob to be wide open to the internet, but it does not seem to be.

Basically, am I worrying unnecessarily about the Blob public access being enabled?

Many thanks


1 answer

  1. SaiKishor-MSFT 17,201 Reputation points
    2022-07-08T16:35:57.557+00:00

    @OlympusMons Thank you for reaching out to Microsoft Q&A. We apologize for the delay in responding to your issue.

    I understand that you want to know how the Blob public access works. To clarify this, please refer to the below table:

    218910-2022-07-08-09-28-01-configure-anonymous-public-rea.png

    As seen from the above table, even if the Storage account itself is disallowing public access but the access level for Container/Blob is set to Container/Blob level public access, there will not be any public access allowed for the Container/Blob.

    Only when anonymous public access is permitted for a storage account and configured for a specific container, then a request to read a blob in that container that is passed without an Authorization header is accepted by the service, and the blob's data is returned in the response.

    Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

    Remember:

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

    Want a reminder to come back and check responses? Here is how to subscribe to a notification.

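The two-level rule described in the answer above, written out as an audit over a storage inventory. This is an added example, not part of the original answer and not Microsoft code. The inventory shape, the account and container names, and the function names are assumptions made for illustration; only the property names `allowBlobPublicAccess` and `publicAccess` come from the Azure resource model.

```python
import json

# Constructed sample inventory (not real data). The account flag and container
# level use the ARM property names allowBlobPublicAccess and publicAccess.
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "asrcachedemo", "allowBlobPublicAccess": true,
   "containers": [{"name": "replication", "publicAccess": "None"}]},
  {"name": "webassetsdemo", "allowBlobPublicAccess": true,
   "containers": [{"name": "img", "publicAccess": "Blob"},
                  {"name": "downloads", "publicAccess": "Container"},
                  {"name": "private", "publicAccess": null}]},
  {"name": "lockeddemo", "allowBlobPublicAccess": false,
   "containers": [{"name": "legacy", "publicAccess": "Container"}]},
  {"name": "olddemo",
   "containers": [{"name": "logs", "publicAccess": "Blob"}]}
]
""")

def account_permits(account):
    # Assumption: a missing or null flag counts as "permitted", so the audit
    # errs towards reporting rather than hiding a possible exposure.
    flag = account.get("allowBlobPublicAccess")
    return True if flag is None else bool(flag)

def effective_access(account, container):
    """Return 'none', 'blob-read' or 'blob-read+list' for anonymous callers."""
    level = (container.get("publicAccess") or "None").lower()
    if not account_permits(account) or level == "none":
        return "none"  # both levels must agree before anything is public
    return "blob-read+list" if level == "container" else "blob-read"

def audit(inventory):
    """Return (exposed containers, accounts whose permit is unused)."""
    exposed, latent = [], []
    for account in inventory:
        hits = [(account["name"], c["name"], effective_access(account, c))
                for c in account.get("containers", [])]
        hits = [h for h in hits if h[2] != "none"]
        exposed.extend(hits)
        if not hits and account_permits(account):
            latent.append(account["name"])
    return exposed, latent

if __name__ == "__main__":
    exposed, latent = audit(SAMPLE_INVENTORY)
    for acct, cont, mode in exposed:
        print(f"EXPOSED {acct}/{cont}: anonymous {mode}")
    for acct in latent:
        print(f"LATENT  {acct}: account permits public access, no container uses it")
```

The "latent" result is the situation in the question: the account-level setting is enabled but no container is configured for public access, so nothing is readable anonymously until someone changes a container's access level.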