Azure Storage Account Security - Attack & Defend: Part 1

😊 Introduction to the Service

⏭️ Overview

Azure Storage Account is a logical offering that groups various data services from Azure storage. These services include:

1. Blobs: It's for plain unstructured data like images, videos and documents. This can typically be compared with S3 Blob storage service.

2. Files: This provides a Network file system interface for sharing files across multiple platforms and avenues like SMB shares, FTP, etc.

3. Queues: This is a multi-way communication channel where providers and consumers can put messages and consume messages from the queue. This enables async communication between processes too.

4. Tables: This is a NoSQL data store that's comparable to hosted Mongo DB. Although, there's another hosted NoSQL DB offering from Azure, this is a fast alternative without too many open strings.

⏭️ Key Terminology

The following are few key things that are associated with an Azure Storage Account (from security POV):

1. Subscription ID:

Subscription ID is a logical segregation that's intended for separate billing methods. This is more often used for varied business purposes.

2. Resource Group:

Resource group is a logical group of resources intended for a similar purpose or a project. This is more a technical segregation of resources for better manageability.

For more information about Azure account hierarchy, please visit this page.

3. Storage Account Name

It's the name associated with a storage account. The following are the constraints for a storage account:

• It must be between 3 and 24 characters.

• Can only contain lowercase letters and numbers (no special chars like "-", etc.)

• Should be unique across Azure cloud. No two storage accounts can contain the same name.

• Can't contain certain reserved words. Currently observed reserved words: "Microsoft"

4. Namespace:

Each object in Azure storage has a unique URL (including the storage account name).

5. Types of storage accounts

Azure storage account supports variety of types. These allow for optimized use of resources and lesser cost. The following are types of storage accounts:

• Standard general purpose v2

• Premium block blobs

• Premium file shares

• Premium page blobs

• Legacy (doesn't use SSDs)

🚪Access Model

This section will cover ways in which access to data is restricted in Azure storage account.

1. Identity based restriction

Access to Azure storage account is primarily controlled in 3 ways:

• RBAC for Azure AD accounts: By default, no account has access to a storage account's data. The administrator of the resource group/subscription/management group/tenant will have access to modifying the properties but can't directly access it. They can modify access control settings to add their user identity (or service principal) to authorized list. Hence all the users having privileged access to the subscription/resource group and tenant should be considered to have access. There are several roles that are defined in Azure, that can be used to provision fine grained access control. The full list can be viewed here: Built in roles. However, I consider the following roles to be very important. Any user with the following roles should be protected at all costs to ensure that storage accounts are secure.

• Access Keys + Shared Access Signature: This is another way of accessing storage accounts and data within the storage account. When a storage account is created, a 512-bit storage account key is created. This is used to sign and create a signature. This signature can be created to restrict access to one object or blob or an entire storage account. The following are created:

  • Connection String: Can be used with Azure Storage Explorer or Official Microsoft Libraries.

  • SAS Token: This can be appended behind an object/container to access the data.

  • Blob service SAS URL: This is used to access the objects inside Blog.

  • Queue service SAS URL: This is used to access data inside Queue.

  • Table service SAS URL: This is used to access data inside Table data.

2. Network based restriction.

The following are the network-based features that allow for network isolation.

• Firewall and Virtual Networks: You can expose a storage account to an Azure virtual network or just whitelist a single IP address/CIDR.

• Resource specific restrictions: Storage account can be exposed only to specific resources (eg. virtual machines). This is very useful where you need resources inside Azure only need to access the storage account. The restriction can also be applied to resources in the same resource group/subscription/tenant.
• Private endpoint: Using Private Link service, we can expose our storage endpoints without exposing to the Internet. More information here.

3. Different Endpoints

The following are different ways in which data inside the storage account can be accessed.

• Static Website: This is typically for a plain HTML website (e.g. landing page).

• CDN Endpoints: Azure Front door or Azure CDN can be used for exposing the files inside a specific container. <custom-name>.azurefd.net will be assigned when Azure front door will be selected and <custom-name>.azureedge.net will be assigned for Azure CDN.

• Custom domain: You can add a custom domain and expose data using the same.

4. Misconfiguration leading to anonymous exposure:

Finally, the most probably way that data is exposed/adversaries can access data is when the data is misconfigured. More details are outlined in the next section.

💀 Attack Techniques

Below mentioned are few attack paths that I've observed in the wild. Please note that this isn't an exhaustive list and I intend to document many more attack paths in part-2 (that's planned to come out soon).

• Compromise of Ingress points (Identity or Access keys or Misconfiguration): An adversary can simply compromise an identity (user account or service principal) and can compromise sensitive data that the compromised user has access to. How the user is compromised is out of the scope for the blog, but common techniques include Password spraying, info stealers, AITM phishing, etc.

• Misconfigured Storage account: Storage account can be misconfigured to be allowed public access. Needless to say, this is particularly very dangerous. Check your code for any access point without SAS token which is in the format: ?sp=xxx&st=xxx&sig=xxx. Below is an example of a harmless file present in github code without a SAS URL. While a file being exposed without a SAS isn't explicitly dangerous and might be completely intended, it's definitely something to look into.

• Rotate Key to cause DoS: An adversary can simply rotate keys that are used to create SAS. Any downstream applications leveraging these keys to create signatures will break causing a potential denial of service. The rotation of account key would also remediate all the SAS tokens that are generated with that key. The reference for the action is below.

• Leaked SAS token: A SAS token is typically the defacto way of sharing access to objects inside a storage account. These SAS keys can have longer validity (spanning over years) and once created, there's no way to keep a track of it. Azure (as of today) doesn't provide a place for checking all issued SAS's and doesn't provide a way to revoke an individual SAS. The only way to remediate a SAS with a long expiry date is to reset the account key.

💂‍♂️Logging opportunities

Logging for activity related to Azure storage account can be enabled by using Azure diagnostic settings. In addition to that, I recommend enabling Azure activity log.

For the sake of this blog, all the logs are being forwarded to Log analytics workspace. However, the same can be forwarded to a storage account and subsequently forwarded to an SIEM. However, the detection logic would still remain the same except the query.

For a storage account, there are 4 levels of diagnostic settings that can be enabled.

• Storage Account: Activity related to entire storage account, audit of properties, etc. will be covered here.

• Blob: Activity related to blob, access of data, etc., will be logged.

• Queue: Activity related to queue, access of data, etc., will be logged.

• Table: Activity related to table, access of data, etc., will be logged.

• File: Activity related to file share, access of data, etc., will be logged.

🦾Tracing of Activity

The operation is logged under OperationName and the following query can be used to check the operation. In addition, the authentication method will be available in AuthenticationType column.

StorageBlobLogs
| where OperationName has_any("<operation-name>")

The following are the values that are majorly seen values in Operation Name field.

• SetBlobStorageProperties - Change the properties of blob

• GetUserDelegationKey - Get the delegation key that's used for creating signature

• SetContainerProperties - Changes to properties of the container

• SetContainerACL - Changes to ACL using Rest API

• GetBlob - Download of an object

• DeleteBlob - Delete of a blob

• CopyBlob - Copying a blob to another blob

• DeleteContainer - Deletion of a container

The entire list of operation name can be found here.

E.g. The following query can be used to check who accessed the blob. ListBlobs OperationName can be used for the same.

StorageBlobLogs
| where OperationName has_any("ListBlobs")

🔐Detections

The following are few detections that can be used.

• Detect Data exfiltration out of storage account: This is one of the most disastrous things that can probably happen with a storage account. The following query can be used to detect data exfiltration out of a storage account. This leverages Azure metrics logs in storage account. If that setting (while enabling diagnostic settings) isn't enabled, the following query will not work.

//Threshold based 
AzureMetrics
| where TimeGenerated > ago(1d)
| where MetricName == 'Egress'
| summarize TotalEgress = sum(Val2) by bin(TimeGenerated, 1h), ResourceId
| where TotalEgress > 100000

• Detect mass deletion of data from a storage account: The following query can be used to detect mass deletion of data from storage account. This query can be a little noisy if you use automation to make changes to a storage account (depending on your architecture, hence filter false +ves, before deploying).

StorageBlobLogs
| where Category == "StorageDelete" and OperationName == "DeleteBlob"
| where TimeGenerated > ago(1d)
| summarize count() by _ResourceId
| where count_ > 100 //change it according to your environment

• Compromised User accessing storage account settings: By leveraging Entra ID's Risk detection features, we can check if a user is possibly compromised and if any user who is compromised, is accessing storage accounts, we can identify the same using the following query. Please note that there are other variants to the same query which can be achieved through SignIn logs table. It's also important to note that not all risky users are compromised users. However, they have to be taken care of. Additionally, the same data (risky users) can be used with StorageBlobLogs and other tables to identify additional adversarial activity.

let RiskyUsersData = AADUserRiskEvents
|summarize by UserPrincipalName, IpAddress;
let RiskyCallers = RiskyUsersData | distinct UserPrincipalName;
let RiskyIPs = RiskyUsersData | distinct IpAddress;
AzureActivity
| where TimeGenerated >= ago(1d)
| extend clientIpAddress = parse_json(HTTPRequest)['clientIpAddress']
| where Caller has_any(RiskyCallers) and clientIpAddress has_any(RiskyIPs)

• Changes to diagnostic settings: An adversary would want to remove diagnostic settings to impair defenses. The following query can be used to identify the same.

AzureDiagnostics
| where OperationName == "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE"
| where ResultType == "Success"
| where TimeGenerated >= ago(1d)
| project ResourceId, CallerIpAddress, CallerPrincipalName, TimeGenerated

👍Best Practices

• Don't enable Anonymous Access

• Use MFA for all sensitive accounts (Accounts with access to sensitive data).

• Enabling logging to log analytics or any SIEM of your choice.

• Perform RBAC analysis at regular intervals to check if the intended set of users only have access to storage accounts.

• Rotate keys used to sign SAS at regular intervals (e.g. 180 days).

• Don't create SAS tokens with very long validity.

• Check your code for SAS tokens, access keys and anonymous blob references.

• Leverage resource isolation features using network and resource isolation features.

• Unless there's a need to expose to the Internet (as a static website), don't expose to the Internet.

• If there's a requirement for your files to be exposed as a website, consider using static website or CDN or AFD instead of exposing the files over the Internet. These services perform caching for better performance.

• Inside Configuration of a storage account, you can restrict which storage accounts can copy data from your storage account. Unless required, select the option: "From storage accounts that have a private endpoint to the same virtual network" to avoid data exfiltration.

• If your budget supports, consider Microsoft defender for storage. Their offering is very competitive.

🤘Conclusion

I hope you enjoyed reading the blog. This is an evolving space and will change over time. I'll try to update as much as possible. If you find any discrepancy or have any feedback, please reach out to me. I'd be happy to take any feedback (critical or otherwise).

It's not over yet. There will be more attack techniques, detections in part-2 and while I'm working towards a part-2 of this blog and if you have any feedback, please reach out to me using my contact details here.