Azure Defender: Unusual unauthenticated access to your storage account
Investigating Azure Defender Unusual unauthenticated access to your storage account. What is the $web container?
Had a brief head scratching moment today with an Azure Defender alert.
A production storage account with a $web container that's apparently been accessed anonymously without SAS token or other authentication. Initially not an ideal situation with a prod resource....
Checking public access level
First port of call is to check the public access level for the container. In this case, I was presented with access level "Private" for this container.
This will confuse analysts as it did me....
What is the $web container?
In a storage account you can store a static website, which can be enabled via "Static website" under "Data Management". As soon as you enable this the "$web" container is created which is used to host your web files. See below.
Understanding $web container access level
"You can modify the public access level of the $web container, but this has no impact on the primary static website endpoint because these files are served through anonymous access requests. That means public (read-only) access to all files."
Disabling public access on a storage account does not affect static websites that are hosted in that storage account.
The key to the question is here:
Essentially, if you "Disable public access to blobs" in a storage account it will not apply to a $web container, as it is assumed that web request (anonymous) activity will occur seeing as you/they are hosting a static website.
I hope that clears things up
Have a good day!
More about Azure Defender here:
Update 09/11/2021
Had an email from Microsoft - they've had issues their side for a week due to a patch for storage containers which has seen been reversed. This also may have caused these alerts to flag.