Hello everyone,
Currently, if you create a new Azure Storage Account, public/anonymous access to the Azure Storage Account will be enabled by default.
Hopefully you knew this already, but if this is alarming, let’s read on.
When this is referred to as public access, it means unauthorised/anonymous access. This has nothing to do with networking; it is an authentication restriction.
Public Access is enabled by default at the storage account level. However, public access is disabled by default at the container level. In this situation, no public access to containers or their blobs is possible.
But this does raise the possibility of someone accidentally enabling public access on a container by setting its access level to Container or Blob, which enables anonymous public access to the data.
Microsoft intend to change this behaviour for new Storage Accounts created from August 2023 onwards. Instead, public access will be disabled at the Storage Account level, and while it is disabled there it isn’t possible to configure public access at the Container level. This makes enabling public access a two-step process, preventing it from being an accidentally enabled setting.
Additionally, Microsoft’s Storage Accounts support object replication, whereby you can asynchronously replicate objects between Storage Accounts. One feature is the ability to replicate between different Azure Tenants. Currently, Microsoft enable cross-tenant replication by default on all Storage Accounts. However, from August, this will become a “default disabled” setting, requiring you to opt-in.
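As an added example (not code from the original post), the script below audits the two account-level settings discussed above, anonymous blob access and cross-tenant object replication, from the JSON that `az storage account show -n <name> -g <rg> -o json` returns, and prints the `az storage account update` command that disables both. The JSON document embedded in it is constructed so the script runs offline; the account name and resource group in it are placeholders. It also covers the case where a property is null or absent, which for an older account means it was never set explicitly and, given the current defaults described in the post, is treated as enabled.

```shell
#!/bin/sh
# Added example, not from the original post: audit the anonymous-access and
# cross-tenant-replication settings of a storage account and print the az CLI
# remediation. Input is the JSON from `az storage account show ... -o json`.
# The document below is CONSTRUCTED (placeholder names) so this runs offline.

SAMPLE_JSON='{
  "name": "examplestorage",
  "resourceGroup": "example-rg",
  "allowBlobPublicAccess": true,
  "allowCrossTenantReplication": true,
  "minimumTlsVersion": "TLS1_2"
}'

# Read a boolean (or null) top-level property from az JSON output.
# Prints true, false, null, or missing. Whitespace is stripped first so the
# key:value pair can be matched regardless of pretty-printing.
json_bool() {
  key=$1
  json=$2
  v=$(printf '%s' "$json" | tr -d ' \t\n\r' | grep -o "\"$key\":[a-z]*" | head -n 1 | cut -d: -f2)
  case "$v" in
    true|false|null) printf '%s' "$v" ;;
    *) printf 'missing' ;;
  esac
}

# Map a raw value to its effective state. Assumption (from the post): a null
# or missing value means the property was never set, and the current default
# for both settings is enabled, so anything other than false counts as enabled.
effective() {
  case "$1" in
    false) printf 'disabled' ;;
    *)     printf 'enabled' ;;
  esac
}

# Audit one account. Prints findings and the remediation command; returns 0
# when both settings are disabled, 1 when either is still enabled.
audit_storage_account() {
  json=$1
  name=$(printf '%s' "$json" | tr -d ' \t\n\r' | grep -o '"name":"[^"]*"' | head -n 1 | cut -d'"' -f4)
  rg=$(printf '%s' "$json" | tr -d ' \t\n\r' | grep -o '"resourceGroup":"[^"]*"' | head -n 1 | cut -d'"' -f4)
  pub=$(effective "$(json_bool allowBlobPublicAccess "$json")")
  rep=$(effective "$(json_bool allowCrossTenantReplication "$json")")
  echo "account=$name resourceGroup=$rg"
  echo "  allowBlobPublicAccess:       $pub"
  echo "  allowCrossTenantReplication: $rep"
  if [ "$pub" = enabled ] || [ "$rep" = enabled ]; then
    echo "  FINDING: anonymous access and/or cross-tenant replication still permitted"
    echo "  remediate with:"
    echo "    az storage account update -n $name -g $rg \\"
    echo "      --allow-blob-public-access false --allow-cross-tenant-replication false"
    return 1
  fi
  echo "  OK: both settings disabled at the account level"
  return 0
}

# Stand-alone run on the constructed sample; both settings are enabled there,
# so the audit reports a finding and returns 1.
audit_storage_account "$SAMPLE_JSON" || echo "  (audit returned exit status $?)"
```

Disabling the setting at the account level is what makes the container-level access level irrelevant, so this is the check to run across a subscription rather than inspecting every container; for real accounts, feed the script the output of `az storage account show` per account.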
It’s nice to see Microsoft continuing to tighten up security, as not all security risks come from malicious activity; accidental oversight contributes to these scenarios too.