By default anonymous access to storage container data is not permitted and all requests to a container and its blobs require authentication. Unless public access is required, do not allow unauthenticated access to storage containers and their blob data.

Example 1:

  "allowBlobPublicAccess": true

Customer-managed keys are not used to encrypt data at rest.

Customer-managed keys enable organizations to use cryptographic keys of their choice to encrypt data. This gives organizations better control over encryption processes.

As such, customer-managed keys are often part of the solution to address requirements that include but are not limited to:
- Audit logs for sensitive data access
- Data residency
- Replacing, disabling, or destroying keys

Customer-managed keys are not used to encrypt data at rest.

Customer-managed keys enable organizations to use cryptographic keys of their choice to encrypt data. This gives organizations better control over encryption processes.

As such, customer-managed keys are often part of the solution to address requirements that include but are not limited to:
- Audit logs for sensitive data access
- Data residency
- Replacing, disabling, or destroying keys

Weak authentication mechanisms expose organizations to unauthorized access.

Authentication mechanisms can fail for various reasons, such as:
- Weak passwords
- Improper validation
- Weak credential management

Weak authentication mechanisms expose organizations to unauthorized access.

Authentication mechanisms can fail for various reasons, such as:
- Weak passwords
- Improper validation
- Weak credential management

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.

Azure offers several encryption options, each with specific benefits and limitations. For example, Azure storage server-side encryption (SSE) performs encryption by default without using compute resources, however, it does not encrypt the temporary disk or caches. It also does not protect data flowing from a compute instance to storage. Azure Disk Encryption (ADE), encrypts both temporary disks and caches, as well as data flowing to storage, but at the expense of compute resources.

Automatic software upgrades, which ensure timely patching of known software vulnerabilities, are disabled.

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.

Uncontrolled access to critical or sensitive resources can significantly impact an organization in various ways, including disclosure of or tampering with critical data.

Loose access configurations can expose systems and broaden an organization's attack surface. Services open to interaction with the public are typically subjected to near-continuous scanning and probing by malicious entities.

This is especially problematic when a zero-day exploit for an exposed service is discovered and published, such as Heartbleed. Attackers can actively pursue and search for unpatched and exposed systems to exploit.

Uncontrolled access to critical or sensitive resources can significantly impact an organization in various ways, including disclosure of or tampering with critical data.

Cross-Origin Resource Sharing (CORS) is a technology that allows a domain to define a policy for its resources to be accessed by a web page hosted on a different domain. Historically, web browsers have restricted their domain resources from being accessed by scripts loaded from a different domain to abide by the same origin policy.
CORS provides a method for a domain to safelist other domains and allow them to access its resources.

Be careful when defining a CORS policy because an overly permissive policy configured at the server level for a domain or a directory on a domain can expose more content for cross-domain access than intended. CORS can enable a malicious application to communicate with a victim application inappropriately, leading to information disclosure, spoofing, data theft, relay, or other attacks.

Implementing CORS can increase an application's attack surface and should only be used when necessary.

Loose access configurations can expose systems and broaden an organization's attack surface. Services open to interaction with the public are typically subjected to near-continuous scanning and probing by malicious entities.

This is especially problematic when a zero-day exploit for an exposed service is discovered and published, such as Heartbleed. Attackers can actively pursue and search for unpatched and exposed systems to exploit.

Loose access configurations can expose systems and broaden an organization's attack surface. Services open to interaction with the public are typically subjected to near-continuous scanning and probing by malicious entities.

This is especially problematic when a zero-day exploit for an exposed service is discovered and published, such as Heartbleed. Attackers can actively pursue and search for unpatched and exposed systems to exploit.

Uncontrolled access to critical or sensitive resources can significantly impact an organization in various ways, including disclosure of or tampering with critical data.

Cross-Origin Resource Sharing (CORS) is a technology that allows a domain to define a policy for its resources to be accessed by a web page hosted on a different domain. Historically, web browsers have restricted their domain resources from being accessed by scripts loaded from a different domain to abide by the same origin policy.
CORS provides a method for a domain to safelist other domains and allow them to access its resources.

Be careful when defining a CORS policy because an overly permissive policy configured at the server level for a domain or a directory on a domain can expose more content for cross-domain access than intended. CORS can enable a malicious application to communicate with a victim application inappropriately, leading to information disclosure, spoofing, data theft, relay, or other attacks.

Implementing CORS can increase an application's attack surface and should only be used when necessary.

Uncontrolled access to critical or sensitive resources can significantly impact an organization in various ways, including disclosure of or tampering with critical data.