Information disclosure from public access on Azure Blob containers in Terraform

Severity: High Risk | Category: infrastructure-security
Tags: azure, blob-storage, public-access, information-disclosure, anonymous-access, terraform, data-exposure

What it is

Azure Storage accounts configured to allow public access to blob containers enable anonymous access to stored data, exposing sensitive files, backups, and application data to unauthorized users. This vulnerability allows attackers to discover and download private data without authentication.

# VULNERABLE: Storage account allowing public blob access
resource "azurerm_storage_account" "vulnerable" {
  name                     = "vulnerablestorage"
  resource_group_name      = azurerm_resource_group.main.name
  location                 = azurerm_resource_group.main.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  
  # VULNERABLE: Allows public access to blobs
  allow_nested_items_to_be_public = true
}

# VULNERABLE: Container with public read access
resource "azurerm_storage_container" "vulnerable_public" {
  name                  = "public-files"
  storage_account_name  = azurerm_storage_account.vulnerable.name
  # VULNERABLE: Public access to blobs
  container_access_type = "blob"
}

# VULNERABLE: Container with public listing
resource "azurerm_storage_container" "vulnerable_listing" {
  name                  = "shared-documents"
  storage_account_name  = azurerm_storage_account.vulnerable.name
  # VULNERABLE: Public access to container and blobs
  container_access_type = "container"
}

# SECURE: Storage account with public access disabled
resource "azurerm_storage_account" "secure" {
  name                     = "securestorage"
  resource_group_name      = azurerm_resource_group.main.name
  location                 = azurerm_resource_group.main.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  
  # SECURE: Disable public access to blobs
  allow_nested_items_to_be_public = false
  min_tls_version                 = "TLS1_2"
  enable_https_traffic_only       = true
  
  # SECURE: Network access restrictions
  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
    
    virtual_network_subnet_ids = [
      azurerm_subnet.private.id
    ]
    
    ip_rules = ["203.0.113.0/24"]
  }
}

# SECURE: Private container
resource "azurerm_storage_container" "secure_private" {
  name                  = "app-data"
  storage_account_name  = azurerm_storage_account.secure.name
  # SECURE: No public access
  container_access_type = "private"
}

💡 Why This Fix Works

The vulnerable configuration enables allow_nested_items_to_be_public and uses 'blob' or 'container' access types, allowing anonymous public access to stored data. The secure version disables public access at the account level, sets containers to 'private', and implements network access restrictions to ensure only authenticated and authorized access to blob storage.

Why it happens

Root causes

Public Access Enabled at Account Level

Azure Storage accounts configured with allow_nested_items_to_be_public = true permit individual containers to be made publicly accessible. This account-level setting creates the foundation for unauthorized data exposure.

Public Container Access Types

Storage containers are configured with container_access_type set to 'blob' (anonymous read of individual blobs) or 'container' (anonymous listing of the container plus read of its blobs). Either setting exposes stored data to unauthenticated internet users.

Absent Network Access Restrictions

Storage accounts lack a network_rules configuration with a default deny policy. Without network-level restrictions, publicly accessible containers can be reached from any IP address worldwide.

Accidental Production Deployment

Development or testing configurations that use public access for convenience are accidentally promoted to production environments without security hardening, exposing production data publicly.

Insufficient Security Awareness

Developers and operators lack understanding of Azure blob access levels and their security implications. Teams unknowingly configure public access thinking it only affects specific authorized users.
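The first three root causes are all visible in a Terraform plan before anything is deployed, so they can be gated mechanically. The following checker is an added example for this page, not Sourcery's code or part of the azurerm provider: it reads the JSON that `terraform show -json <planfile>` emits, walks the documented `resource_changes` list, and flags `allow_nested_items_to_be_public`, public `container_access_type` values, and a missing or non-Deny `network_rules.default_action`. The embedded plan fragment is constructed to mirror the vulnerable and secure resources shown above.

```python
"""Gate a Terraform plan on Azure Blob public-access settings.

Added example for this page; not Sourcery's code or part of the azurerm
provider. Reads the JSON from `terraform show -json <planfile>` and checks
the three settings the root causes above describe.
"""
import json
import sys

PUBLIC_CONTAINER_TYPES = {"blob", "container"}


def check_storage_account(address, after):
    """Return (address, severity, message) findings for one storage account."""
    findings = []
    nested = after.get("allow_nested_items_to_be_public")
    if nested is True:
        findings.append((address, "HIGH", "allow_nested_items_to_be_public = true"))
    elif nested is None:
        # The provider default for this argument has differed between azurerm
        # major versions, so an unset value is flagged for manual review
        # rather than assumed safe.
        findings.append((address, "WARN", "allow_nested_items_to_be_public not set explicitly"))
    # network_rules is a nested block, serialised as a list (empty when absent).
    rules = after.get("network_rules") or []
    if not rules:
        findings.append((address, "MEDIUM", "no network_rules block; storage endpoint reachable from any network"))
    elif rules[0].get("default_action") != "Deny":
        findings.append((address, "MEDIUM", "network_rules.default_action is not Deny"))
    return findings


def check_storage_container(address, after):
    """Flag containers whose access type permits anonymous reads or listing."""
    access = after.get("container_access_type", "private")
    if access in PUBLIC_CONTAINER_TYPES:
        return [(address, "HIGH", f"container_access_type = {access!r} allows anonymous access")]
    return []


CHECKS = {
    "azurerm_storage_account": check_storage_account,
    "azurerm_storage_container": check_storage_container,
}


def scan_plan(plan):
    """Run every applicable check over the planned state of each resource."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # resource is going away; nothing to harden
        check = CHECKS.get(rc.get("type"))
        if check:
            findings.extend(check(rc["address"], change.get("after") or {}))
    return findings


# Constructed plan fragment mirroring the page's vulnerable and secure resources.
SAMPLE_PLAN = json.loads("""{
  "format_version": "1.2",
  "resource_changes": [
    {"address": "azurerm_storage_account.vulnerable", "type": "azurerm_storage_account",
     "change": {"actions": ["create"], "after": {"name": "vulnerablestorage",
       "allow_nested_items_to_be_public": true, "network_rules": []}}},
    {"address": "azurerm_storage_container.vulnerable_public", "type": "azurerm_storage_container",
     "change": {"actions": ["create"], "after": {"name": "public-files", "container_access_type": "blob"}}},
    {"address": "azurerm_storage_container.vulnerable_listing", "type": "azurerm_storage_container",
     "change": {"actions": ["create"], "after": {"name": "shared-documents", "container_access_type": "container"}}},
    {"address": "azurerm_storage_account.secure", "type": "azurerm_storage_account",
     "change": {"actions": ["create"], "after": {"name": "securestorage",
       "allow_nested_items_to_be_public": false,
       "network_rules": [{"default_action": "Deny", "bypass": ["AzureServices"], "ip_rules": ["203.0.113.0/24"]}]}}},
    {"address": "azurerm_storage_container.secure_private", "type": "azurerm_storage_container",
     "change": {"actions": ["create"], "after": {"name": "app-data", "container_access_type": "private"}}}
  ]
}""")


def main(argv):
    plan = SAMPLE_PLAN if len(argv) < 2 else json.load(open(argv[1]))
    results = scan_plan(plan)
    for address, severity, message in results:
        print(f"{severity:<6} {address}: {message}")
    # A non-zero exit code lets the script act as a CI gate.
    return 1 if any(sev == "HIGH" for _, sev, _ in results) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `terraform plan -out=tfplan && terraform show -json tfplan > plan.json && python3 check_blob_access.py plan.json`. On the embedded sample it reports three HIGH findings (the account flag and both public containers) and one MEDIUM for the account with no network rules, and nothing for the secure resources.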

Fixes

1. Disable Public Access at Account Level

Set allow_nested_items_to_be_public = false on all Azure Storage accounts. This prevents any containers within the account from being configured with public access, enforcing private access at the foundational level.

2. Configure Private Container Access

Set container_access_type = 'private' on all storage containers. Private containers require authentication and authorization for all access, preventing anonymous data retrieval from the internet.

3. Implement Network Access Restrictions

Configure network_rules with default_action = 'Deny' on storage accounts. Use virtual_network_subnet_ids and ip_rules to explicitly allow access only from trusted networks and IP addresses.

4. Use Shared Access Signatures for Temporary Access

When time-limited public access is legitimately required, generate Shared Access Signatures (SAS) tokens with specific permissions and expiration times. SAS tokens provide controlled, auditable access without making containers permanently public.

5. Enable Azure AD Authentication and RBAC

Configure storage accounts to use Azure AD authentication with Role-Based Access Control. Assign specific Azure roles (Storage Blob Data Reader, Storage Blob Data Contributor) to identities, providing granular, manageable access control.
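Fix 4 only helps if the SAS tokens handed out are actually scoped and short-lived, which is worth checking wherever such URLs turn up (pipeline variables, config files, access logs). The audit function below is an added example for this page, not Sourcery's or Microsoft's code. It relies only on the query parameter names Azure Storage uses in SAS tokens (`sv`, `ss`, `srt`, `sr`, `sp`, `st`, `se`, `sip`, `spr`, `si`, `sig`); the one-hour lifetime and read-only permission set are assumed thresholds to tune per team, and the two sample URLs, including their `sig` values, are constructed. The signature itself cannot be verified without the account key, so `sig` is only checked for presence.

```python
"""Audit Azure Storage SAS URLs for over-broad or long-lived grants.

Added example for this page; not Sourcery's or Microsoft's code. Thresholds
(max lifetime, allowed permissions) are assumptions; sample URLs are constructed.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse


def _parse_sas_time(value):
    """SAS times are ISO 8601 UTC; accept both date-only and 'Z'-suffixed forms."""
    if len(value) == 10:  # YYYY-MM-DD
        value += "T00:00:00Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_sas_url(url, now, max_lifetime=timedelta(hours=1), allowed_permissions="r"):
    """Return a list of (severity, message) findings for one SAS URL."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in q:
        return [("INFO", "no sig parameter: not a SAS URL")]
    findings = []
    # ss/srt only appear on account SAS, which spans services and resource
    # types rather than a single container or blob.
    if "ss" in q or "srt" in q:
        findings.append(("MEDIUM", "account SAS (ss/srt present) grants access beyond one container or blob"))
    extra = set(q.get("sp", "")) - set(allowed_permissions)
    if extra:
        findings.append(("HIGH", f"permissions {''.join(sorted(extra))!r} exceed allowed {allowed_permissions!r}"))
    if "se" not in q:
        if "si" in q:
            findings.append(("INFO", "expiry delegated to stored access policy (si); review the policy"))
        else:
            findings.append(("HIGH", "no expiry (se) on token"))
    else:
        expiry = _parse_sas_time(q["se"])
        if expiry <= now:
            findings.append(("INFO", "token already expired"))
        elif expiry - now > max_lifetime:
            findings.append(("MEDIUM", f"expiry {q['se']} is {expiry - now} away; max allowed {max_lifetime}"))
    spr = q.get("spr")
    if spr is None:
        findings.append(("LOW", "spr not set; token is not restricted to HTTPS"))
    elif spr != "https":
        findings.append(("MEDIUM", f"spr={spr} permits plaintext HTTP"))
    if "sip" not in q:
        findings.append(("LOW", "no sip range: token usable from any IP"))
    return findings


# Constructed samples; signatures are placeholders, not real HMACs.
NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
WEAK_URL = (
    "https://vulnerablestorage.blob.core.windows.net/shared-documents"
    "?sv=2022-11-02&ss=b&srt=sco&sp=rwdlac&se=2030-01-01T00:00:00Z"
    "&spr=https,http&sig=CONSTRUCTED_SIGNATURE"
)
GOOD_URL = (
    "https://securestorage.blob.core.windows.net/app-data/report.pdf"
    "?sv=2022-11-02&sr=b&sp=r&st=2024-05-01T09:00:00Z&se=2024-05-01T10:00:00Z"
    "&sip=203.0.113.10&spr=https&sig=CONSTRUCTED_SIGNATURE"
)

if __name__ == "__main__":
    for label, url in (("weak", WEAK_URL), ("good", GOOD_URL)):
        print(f"[{label}]")
        for severity, message in audit_sas_url(url, NOW) or [("OK", "no findings")]:
            print(f"  {severity:<6} {message}")
```

The weak sample is flagged on five counts: it is an account SAS, grants write/delete/list/add/create, expires years out, allows HTTP, and has no IP restriction. The good sample, a one-hour, read-only, HTTPS-only service SAS pinned to one IP, produces no findings. Passing `now` explicitly keeps the lifetime check deterministic and testable.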

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure from public access on Azure Blob containers in Terraform, along with many other security issues in your codebase.