Ensure 'Public Network Access' is 'Disabled' for storage accounts

Disallowing public network access for a storage account overrides the public access settings for individual containers in that storage account for Azure Resource Manager Deployment Model storage accounts. Azure Storage accounts that use the classic deployment model will be retired on August 31, 2024.

Category

Controls

Medium

Applies to

Microsoft Azure

Coverage

1 query

Asset types

1 covered

Rationale

The default network configuration for a storage account permits a user with appropriate permissions to configure public network access to containers and blobs in that storage account. Public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests; once enabled, it grants read-only access to those resources without sharing the account key or requiring a shared access signature. It is recommended not to provide public network access to storage accounts unless it is explicitly required. A shared access signature token or RBAC should be used instead to provide controlled, time-limited access to blob containers.

Impact

Access will have to be managed using shared access signatures or via RBAC.

Default Value

By default, Public Network Access is set to Enabled from all networks for the Storage Account.

Remediation guidance

Azure Remediation

Service-wide fix (recommended): require private endpoints for sensitive storage accounts and disable the public endpoint by default unless there is a documented exception.

Azure portal

  1. Open the storage account.
  2. Go to Networking.
  3. Set Public network access to Disabled.
  4. Confirm that required private endpoints already exist before you save the change.

Azure CLI

Disable the public endpoint:

az storage account update \
  --name <storage-account-name> \
  --resource-group <resource-group> \
  --public-network-access Disabled

Validate the setting:

az storage account show \
  --name <storage-account-name> \
  --resource-group <resource-group> \
  --query '{publicNetworkAccess:publicNetworkAccess,defaultAction:networkRuleSet.defaultAction}'

Operational notes

  • Disabling public network access allows traffic only through private endpoints. Make sure dependent workloads have a working private path first.
  • If you only need to restrict the public endpoint to selected networks instead of disabling it entirely, use the companion control that checks the default network access rule.
  • When public network access is disabled through Azure tools, the effective result should also align with a defaultAction of Deny.

References

  • https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security-set-default-access
  • https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security-limitations

Query logic

These are the stored checks tied to this control.

Azure Storage Accounts Allowing Public Network Access

Connectors

Microsoft Azure

Covered asset types

StorageAccount

Expected check: eq [] (the query must return no assets for the control to pass)

{
  storageAccounts(where: { NOT: { publicNetworkAccess: "Disabled" } }) {
    ...AssetFragment
  }
}
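As an added example (not Cyscale's code or query engine), the following Python script applies the same pass/fail rule as the stored check above to records shaped like the output of the validation command under Azure CLI, classifies each account's effective exposure the way the operational notes describe (private endpoints only, selected networks, or all networks), and applies the "private endpoints must already exist" gate from the remediation steps. The account names, the JSON sample and the `privateEndpoints:length(privateEndpointConnections)` projection are constructed for this example.

```python
"""Apply the 'Public Network Access' check to storage account records offline.

Added example, not part of the Cyscale page or its query engine. The records
below are constructed to mimic what a projection such as
  az storage account list --query '[].{name:name,
      publicNetworkAccess:publicNetworkAccess,
      defaultAction:networkRuleSet.defaultAction,
      privateEndpoints:length(privateEndpointConnections)}'
would return; the names and values are made up.
"""
import json

# Constructed sample input (not real accounts).
SAMPLE_JSON = """
[
  {"name": "stprivlogs",    "publicNetworkAccess": "Disabled", "defaultAction": "Deny",  "privateEndpoints": 1},
  {"name": "stpublicweb",   "publicNetworkAccess": "Enabled",  "defaultAction": "Allow", "privateEndpoints": 0},
  {"name": "stselectednet", "publicNetworkAccess": "Enabled",  "defaultAction": "Deny",  "privateEndpoints": 1},
  {"name": "stlegacy",      "publicNetworkAccess": null,       "defaultAction": "Allow", "privateEndpoints": 0}
]
"""


def load_accounts(raw_json):
    """Parse the projected CLI output into a list of dicts."""
    return json.loads(raw_json)


def failing_accounts(accounts):
    """Mirror the stored check: an account fails unless publicNetworkAccess is
    exactly "Disabled". A null/missing value also fails, because an unset
    property means the Azure default (Enabled from all networks) applies."""
    return [a["name"] for a in accounts if a.get("publicNetworkAccess") != "Disabled"]


def control_passes(accounts):
    """The control's expected result is 'eq []': no account may be returned."""
    return failing_accounts(accounts) == []


def exposure(account):
    """Classify effective reachability of the public endpoint by combining
    publicNetworkAccess with the network rule set's defaultAction."""
    if account.get("publicNetworkAccess") == "Disabled":
        return "private-endpoints-only"
    if account.get("defaultAction") == "Deny":
        return "selected-networks"   # public endpoint limited to allow-listed networks
    return "all-networks"


def ready_to_disable(account):
    """Remediation safety gate from the guidance: only flip the public endpoint
    off when at least one private endpoint connection already exists."""
    return (exposure(account) != "private-endpoints-only"
            and account.get("privateEndpoints", 0) > 0)


def report(raw_json):
    """Return (per-account exposure, names safe to remediate now, control result)."""
    accounts = load_accounts(raw_json)
    classes = {a["name"]: exposure(a) for a in accounts}
    remediable = [a["name"] for a in accounts if ready_to_disable(a)]
    return classes, remediable, control_passes(accounts)


if __name__ == "__main__":
    classes, remediable, ok = report(SAMPLE_JSON)
    for name, cls in classes.items():
        print(f"{name:15} {cls}")
    print("safe to disable now:", remediable)
    print("control passes:", ok)
```

Accounts with a null `publicNetworkAccess` are deliberately counted as failing, matching the stored check's `NOT: { publicNetworkAccess: "Disabled" }` condition: anything that is not explicitly Disabled is treated as reachable from the public endpoint.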