Azure, Cloud Computing

5 Mins Read

A Guide to Prevent Public Access to Azure Blob Storage

Overview

Azure Blob Storage is a cloud-based object storage solution provided by Microsoft Azure. It allows users to store and manage large amounts of unstructured data, such as text or binary data, including images, videos, documents, and other types of files.

With Azure Blob Storage, you can store your data in a highly scalable and durable way and access it from anywhere in the world over HTTP or HTTPS. It also provides data encryption, versioning, and access control, allowing you to manage your data securely.

Azure Blob Storage is commonly used for various use cases, including backup and disaster recovery, content distribution, big data analytics, and media storage and processing. It can be accessed using various tools and APIs, including Azure Portal, Azure CLI, Azure Storage Explorer, etc.

Public Read Access Anonymity

Your data will never be accessible to the public anonymously by default. The two different settings that control public access are as follows:

  • Enable storage account public access – A storage account, by default, enables public access to a container for a user with the necessary permissions. Unless the user takes the extra step to configure the container’s public access option, blob data is not accessible to the public.
  • Set the container’s public access preferences – A container’s public access setting is disabled by default, meaning any requests for access to the container or its data must first get authorization. If anonymous access is permitted for the storage account, a user with the necessary rights can only change a container’s public access option to enable anonymous access.

Pioneers in Cloud Consulting & Migration Services

  • Reduced infrastructural costs
  • Accelerated application deployment
Get Started

Steps to Resolve Anonymous Public Access to the Storage Account

The public access setting for a storage account takes precedence over the individual settings for containers in that account. If a storage account’s public access is disabled, any containers with that setting won’t be reachable anonymously. If you have disabled public access for the account, you do not need to disable it for individual containers.

Suppose your situation dictates that specific containers must be accessible to the public. In that case, you should transfer those containers and their blobs onto separate storage accounts designated for general access. Then, you can prevent the public from accessing any other storage accounts.

Set the account’s AllowBlobPublicAccess attribute to False to restrict public access to a storage account. All storage accounts created using the Azure Resource Manager deployment model have access to this feature. See the Storage account summary for further details. AllowBlobPublicAccess is not set by default for a data store and does not return a value unless explicitly specified. If each property value is null or true, the storing account that allows public access.

  1. To disallow public access to a storage account in the Azure portal, follow these steps:
  2. In the Azure Portal, go to your storage account.
  3. Then in the settings, there is a configuration section.
  4. Change the Blob public accessto Disabled.

step1

You can also disable public access using Installing Azure PowerShell version 4.4.0 or later.

Note:- You must change the values mentioned in the brackets with your values, for example, rgName, AccountName, Location

Check to see if anonymous access has been fixed

To ensure that you’ve resolved anonymous access for a storage account, test that anonymous access to a blob is not permitted, that updating a container’s public access setting is not permitted, and that it’s impossible to establish a container with anonymous access enabled.

Check that a blob’s public access is not allowed

To confirm that public access to a certain blob is prohibited, try downloading it using its URL. If the download is successful, the blob is still accessible to everyone. Suppose the blob is not publicly available because public access has been disabled for the storage account. In that case, you will get an error notice that public access is unauthorized on this storage account.

Detect anonymous requests from client apps

When you disable public read access for a storage account, you risk turning away requests for containers and blobs already set up for public access. Disabling public access for a storage account overrides the public access settings for individual containers in that storage account. When public access is disabled for a storage account, any subsequent anonymous requests to that account will fail. To understand how disabling public access may affect client apps, we recommend that you activate logging and monitoring for that account and evaluate trends of anonymous requests over time. Use metrics to measure the anonymous queries made to the storage account and logs to identify the containers receiving anonymous access.

Use Azure Metrics Explorer in the Azure interface to track anonymous requests to a storage account. See Beginning with Azure Metrics Explorer for additional details.

Steps to Construct a Statistic that Records Anonymous Requests

  1. On the Azure interface, go to your storage account. Choose Metrics from the Monitoring section.

step2

2. The new measure will show the total number of transactions made against Azure Blob storage during a certain period. The following picture displays the generated metric:

step3

3. You can also view the anonymous requests for it. Select the filter button to create a filter on the metric for anonymous requests.

4. In the Filter section, specify the following values:

5. Set the value to Authentication.

6. In the Operator field, to the equal sign (=).

7. Set the Values in the Anonymous field by selecting it from the dropdown or typing it in.

8. Select the time interval in the upper-right corner to view the metric. You can also designate how granular the aggregation of requests should be by specifying intervals from 1 minute to a month.

step4

Conclusion

Azure Blob Storage should not be accessible by the public to protect sensitive data’s privacy and security. This can be done in several ways, including specifying access policies, utilizing shared access signatures, and establishing virtual networks.

Access policies allow you to grant permissions to specific individuals or groups, whereas shared access signatures provide temporary access to resources without revealing the storage account key. Virtual networks can also restrict access to certain IP addresses or networks.

In addition to these safeguards, it’s critical to consistently monitor and audit blob storage access to spot unauthorized access attempts. By implementing these recommended practices, you can ensure that your blob storage is safe and secure from attacks.

Making IT Networks Enterprise-ready – Cloud Management Services

  • Accelerated cloud migration
  • End-to-end view of the cloud environment
Get Started

About CloudThat

CloudThat is also the official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft gold partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

Drop a query if you have any questions regarding Azure Blob Storage and I will get back to you quickly.

To get started, go through our Consultancy page and Managed Services Package that is CloudThat’s offerings.

FAQs

1. What is public access to an Azure storage account?

ANS: – Public access to an Azure storage account means that the account can be accessed over the internet without authentication. This can be a security risk if the storage account contains sensitive data.

2. After disabling public access, can I still access my Azure storage account?

ANS: – Yes, you can still access your Azure storage account after disabling public access. You can use authorized credentials, such as a storage account key or a shared access signature, to access the account.

3. How often should I review and update my Azure storage account's public access level setting?

ANS: – It is recommended to review and update the public access level setting for your Azure storage account regularly, especially when there are changes to the storage account or its contents. This can help ensure the security of your data and compliance with regulatory requirements.

WRITTEN BY Sumedh Arun Patil

Share

Comments

    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!