Halloween is over but the world is still a scary place. In a continuation of a thought from an article I wrote a few weeks back on Auditing AzureSQL Firewall Policies, I thought I would also include a short function for auditing Azure Storage accounts that have containers currently configured for “public” access.
Why are public access containers such a big deal? Simply put, anyone who knows the URL to the container and file can download that file. This is perfectly fine for public sites and public data (albeit you are paying for all the egress bandwidth associated with those outbound transfers in Azure… which you may not want to do). Any container that is marked as public access should have a documented business reason for why it is configured that way, and any container that holds even slightly sensitive data shouldn’t be marked as public. I would go so far as to say, if there isn’t a particularly good reason for a blob container to be public, it’s better to just play it safe and mark it private. At the very least, you should be aware of it and keep tabs on this on a regular basis.
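To make the audit described above concrete, here is a PowerShell function written for this post as an added example; it is not the author's own function. It assumes the Az.Accounts and Az.Storage modules are installed, that Connect-AzAccount has already been run against the subscription you want to audit, and that the caller can list storage account keys (Get-AzStorageContainer uses the key-based context returned by Get-AzStorageAccount). The function name Get-PublicBlobContainer and the output property names are my own choices.

```powershell
# Added example, not the post's own function.
# Assumes Az.Accounts + Az.Storage and an existing Connect-AzAccount session.
function Get-PublicBlobContainer {
    [CmdletBinding()]
    param(
        # Optional: restrict the audit to a single resource group
        [string]$ResourceGroupName
    )

    $accounts = if ($ResourceGroupName) {
        Get-AzStorageAccount -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzStorageAccount
    }

    foreach ($account in $accounts) {
        # Account-level switch: when AllowBlobPublicAccess is explicitly $false, no container
        # in the account can serve anonymous reads regardless of its own setting, so skip it.
        # A $null value (older accounts) is treated as "allowed" and the containers are checked.
        if ($account.AllowBlobPublicAccess -eq $false) { continue }

        try {
            $containers = Get-AzStorageContainer -Context $account.Context -ErrorAction Stop
        } catch {
            # Typically a permissions problem (no listKeys) or a firewall blocking the data plane
            Write-Warning "Could not list containers in $($account.StorageAccountName): $_"
            continue
        }

        foreach ($container in $containers) {
            # PublicAccess is one of: Off, Blob (anonymous read of blobs by URL),
            # Container (anonymous read plus listing of the container contents)
            if ($container.PublicAccess -ne 'Off') {
                [PSCustomObject]@{
                    ResourceGroup  = $account.ResourceGroupName
                    StorageAccount = $account.StorageAccountName
                    Container      = $container.Name
                    PublicAccess   = $container.PublicAccess
                    # The URL anyone could fetch blobs from; built from the account's blob endpoint
                    Url            = "$($account.PrimaryEndpoints.Blob)$($container.Name)"
                }
            }
        }
    }
}

# Usage: list every public container in the current subscription, or export for tracking
Get-PublicBlobContainer | Format-Table -AutoSize
# Get-PublicBlobContainer | Export-Csv -Path .\public-containers.csv -NoTypeInformation
```

Run it on a schedule and diff the CSV against the previous run: a container that newly appears in the output without a matching documented business reason is exactly the kind of change the post says you should be keeping tabs on.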