On May 17 2023, Microsoft said it would stop allowing anonymous access and cross-tenant replication as the default in Azure Storage.
Microsoft will implement this new method in August, which will only apply to brand-new Azure Storage customers.
Azure Storage container data may now have public and anonymous access settings set by individuals with the appropriate administrator credentials. This situation poses a potential threat to the safety of businesses.
As per Microsoft:
A container can be made accessible to the public by anybody with access to the associated storage account. When public access is enabled, any authorised user can change the public access option of a container to grant anonymous users access to the contents of that container.
For new Azure Storage accounts, Microsoft will change this “beginning in August 2023.” Microsoft plans to follow standard security practises and decrease the risk of data exfiltration by disabling “anonymous access and cross tenant replication for all new storage accounts by default.”
By design, Microsoft already blocks anonymous users from accessing Azure containers. As of August, new Azure Storage accounts will be subject to a policy change that aligns with this security standard.
Existing Azure Storage accounts will not automatically be updated, however. However, businesses who use the unprotected default configuration are urged to “follow best practices for security and disable anonymous access and cross-tenant replication settings if these capabilities are not required for your scenarios.”
After the rollout:
- All newly created storage accounts will use the updated defaults for both configurations, whether made via the latest version of the storage REST API, PowerShell, CLI, SDKs, portal, Azure Storage Explorer, or Terraform.
- Storage accounts must be configured anonymously if an application needs anonymous access to containers/blobs.
- This option should be set to true for applications that need cross-tenant replication.
- A change to the automation scripts, ARM templates, or other tools may be necessary to enable these features on the new storage account.
- A modification in Azure policy to restrict access to only authorised accounts for storage with a “Deny” effect or to require replication within the same tenancy should have no bearing on newly created accounts.