detecting-azure-storage-account-misconfigurations
$ npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/detecting-azure-storage-account-misconfigurations

Audit Azure storage accounts for public access and encryption gaps.
- Detects exposed blob containers and weak SAS tokens.
- Uses azure-mgmt-storage SDK to inspect security properties.
- Calculates risk scores based on missing encryption and TLS settings.
- Outputs structured audit reports with critical misconfiguration details.
SKILL.md
.github/skills/detecting-azure-storage-account-misconfigurations
---
name: detecting-azure-storage-account-misconfigurations
description: Audit Azure Blob and ADLS storage accounts for public access exposure, weak or long-lived SAS tokens, missing encryption at rest, disabled HTTPS-only traffic, and outdated TLS versions using the azure-mgmt-storage Python SDK.
domain: cybersecurity
subdomain: cloud-security
tags: [Azure, storage-accounts, blob-storage, ADLS, SAS-tokens, encryption, public-access, cloud-misconfiguration, azure-mgmt-storage]
version: "1.0"
author: mahipal
license: Apache-2.0
---

# Detecting Azure Storage Account Misconfigurations

## Overview

Azure Storage accounts are a frequent target for attackers due to misconfigured public access, long-lived SAS tokens, missing encryption, and outdated TLS versions. This skill uses the azure-mgmt-storage Python SDK with StorageManagementClient to enumerate all storage accounts in a subscription, inspect their security properties, list blob containers for public access settings, and generate a risk-scored audit report identifying critical misconfigurations.

## When to Use

- When investigating security incidents that require detecting Azure storage account misconfigurations
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Python 3.9+ with `azure-mgmt-storage`, `azure-identity`
- Azure service principal with Reader role on target subscription
- Environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID

## Key Detection Areas

1. **Public blob access** — `allow_blob_public_access` enabled on storage account or individual containers set to Blob/Container access level
2. **HTTPS enforcement** — `enable_https_traffic_only` disabled, allowing unencrypted HTTP traffic
3. **Minimum TLS version** — accounts accepting TLS 1.0 or TLS 1.1 instead of minimum TLS 1.2
4. **Encryption at rest** — storage service encryption not enabled or missing customer-managed keys
5. **Network rules** — default action set to Allow instead of Deny, exposing storage to all networks
6. **SAS token risks** — account-level SAS with overly broad permissions or excessive lifetime

## Output

JSON report with per-account findings, severity ratings (Critical/High/Medium/Low), and remediation recommendations aligned with CIS Azure Benchmark controls.
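The following is an added example, not code from the skill itself, showing how detection areas 1 to 5 can be scored against the attribute names that azure-mgmt-storage exposes on its account and container models. The severity weights, the `audit_account` helper, and the sample objects are assumptions constructed for illustration; in a live run the objects would come from `StorageManagementClient.storage_accounts.list()` and `blob_containers.list(resource_group, account_name)`.

```python
from types import SimpleNamespace as NS

# Severity weights are an assumption for this example, not values from the skill.
WEIGHTS = {"Critical": 40, "High": 25, "Medium": 10, "Low": 5}

def audit_account(acct, containers=()):
    """Return (risk_score, findings) for one storage account object."""
    findings = []
    def add(sev, check, detail):
        findings.append({"severity": sev, "check": check, "detail": detail})
    # An unset (None) property is treated as "not disabled": a conservative assumption.
    account_public = acct.allow_blob_public_access is not False
    if account_public:
        add("High", "public-blob-access", "allow_blob_public_access is not disabled")
    for c in containers:
        if (c.public_access or "None") != "None":
            # A container access level only takes effect while the account allows public access.
            add("Critical" if account_public else "Low", "public-container",
                f"{c.name} access level {c.public_access}")
    if not acct.enable_https_traffic_only:
        add("High", "https-only", "unencrypted HTTP traffic is accepted")
    if acct.minimum_tls_version in (None, "TLS1_0", "TLS1_1"):
        add("Medium", "min-tls", f"minimum_tls_version={acct.minimum_tls_version}")
    enc = acct.encryption
    blob = getattr(getattr(enc, "services", None), "blob", None)
    if enc is None or not getattr(blob, "enabled", False):
        add("High", "encryption-at-rest", "blob service encryption not enabled")
    elif enc.key_source != "Microsoft.Keyvault":
        add("Low", "cmk", "no customer-managed key configured")
    rules = acct.network_rule_set
    if rules is None or rules.default_action == "Allow":
        add("Medium", "network-default", "default network action is Allow")
    score = min(100, sum(WEIGHTS[f["severity"]] for f in findings))
    return score, findings

# Constructed sample objects that mirror the SDK model attribute names.
WEAK = NS(name="stweakexample", allow_blob_public_access=True,
          enable_https_traffic_only=False, minimum_tls_version="TLS1_0",
          encryption=NS(key_source="Microsoft.Storage", services=NS(blob=NS(enabled=True))),
          network_rule_set=NS(default_action="Allow"))
HARDENED = NS(name="sthardenedexample", allow_blob_public_access=False,
              enable_https_traffic_only=True, minimum_tls_version="TLS1_2",
              encryption=NS(key_source="Microsoft.Keyvault", services=NS(blob=NS(enabled=True))),
              network_rule_set=NS(default_action="Deny"))
SAMPLE_CONTAINERS = [NS(name="backups", public_access="Container"),
                     NS(name="logs", public_access=None)]

if __name__ == "__main__":
    for acct in (WEAK, HARDENED):
        print(acct.name, audit_account(acct, SAMPLE_CONTAINERS))
```

SAS token risks (area 6) are not covered here because issued SAS tokens are not listed as account properties.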