
What?!! Public Blob not allowed on this storage account?!

June 29, 2020
Posted by David Okeyode
Azure Security

I was teaching an Azure developer course last week when one of the delegates had issues building some C# code that I had tested a few days before. The error message was “Public Blob not allowed on this storage account”.

My first stop was to review Azure policy and see if there is an offending policy assigned. Nothing! Okay. What about resource locks? Nothing! What about the permissions of the authenticated user? All good! What?! I didn’t know of another way to prevent public blobs in a storage account outside of this. “Are we using the client library incorrectly?” I thought. But I quickly remembered that the same code ran successfully a few days before.

I started to poke around then I found this gem here (under Storage Account –> Configuration):

Microsoft must have released this silently in recent times as I could not find any documentation on it. But here is what I found about it so far:

1. Configuring this option disables the ability to create anonymous containers and blobs in the storage account. The option will be greyed out if you use the portal and automated tools will fail with a variant of the “Public Blob not allowed on this storage account” error.

2. What if I enable this option on a storage account that already has anonymous containers and blobs? The setting will just disable this access. You’ll get an error message similar to this:

3. Is there a way for me to audit this or configure this on a subscription level? Yes THERE SHOULD BE (the key word being SHOULD) but my test showed that the APIs seem not to be updated yet. In any case, once the APIs are updated, I already wrote a policy template that could be used to detect this. It can be found in my GitHub account here (I’ll update this page once Microsoft actually updates the API): https://github.com/davidokeyode/charis-cloud-azure-policy/tree/master/storage/storage-account-public-blob
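As an added illustration of the audit in point 3 (this is not the author's policy template or code from this post), the sketch below classifies storage accounts from an exported inventory. It assumes the setting surfaces as the ARM property `allowBlobPublicAccess`, a name this post does not give, and that each account record has been merged with a list of its containers; the record layout and sample data are constructed. Treating a missing value as "not enforced" is a deliberately conservative assumption.

```python
import json

# Constructed sample inventory. "allowBlobPublicAccess" is the assumed ARM
# property for the portal setting; "containers" is a hypothetical merged list.
SAMPLE = json.loads("""
[
  {"name": "stlegacy01", "allowBlobPublicAccess": null,
   "containers": [{"name": "assets", "publicAccess": "Blob"},
                  {"name": "logs", "publicAccess": "None"}]},
  {"name": "stlocked02", "allowBlobPublicAccess": false,
   "containers": [{"name": "downloads", "publicAccess": "Container"}]},
  {"name": "stopen03", "allowBlobPublicAccess": true, "containers": []}
]
""")


def is_public(container):
    """True when the container's access level is anything other than none."""
    level = container.get("publicAccess") or "none"
    return str(level).lower() != "none"


def audit(accounts):
    """Classify each account by account-level setting and container ACLs."""
    findings = []
    for acct in accounts:
        # Only an explicit false counts as enforced; null/missing does not.
        blocked = acct.get("allowBlobPublicAccess") is False
        public = [c["name"] for c in acct.get("containers", []) if is_public(c)]
        if not blocked and public:
            status = "EXPOSED"        # anonymous reads are possible today
        elif not blocked:
            status = "NOT_ENFORCED"   # nothing public yet, nothing prevents it
        elif public:
            status = "LATENT"         # blocked now (point 2), ACLs still public
        else:
            status = "OK"
        findings.append({"account": acct["name"], "status": status,
                         "public_containers": public})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['account']:12} {f['status']:13} {f['public_containers']}")
```

The `LATENT` status corresponds to point 2 above: the account-level setting overrides container ACLs that are still configured for anonymous access, so switching the setting back would re-expose those containers.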

Overall, I think this is great progress for Azure Storage security and I’ll definitely be including it in my Azure security assessment projects going forward! This will also resolve this long-running feature request – https://feedback.azure.com/forums/217298-storage/suggestions/34242376-azure-policy-for-preventing-public-blob-containers

DO.
