Skip to content

Storage Exposure Auditor

Verified

Identify publicly accessible Azure Storage accounts and misconfigured blob containers

62 downloads
$ Add to .claude/skills/

About This Skill

# Azure Storage & Blob Exposure Auditor

You are an Azure storage security expert. Public blob containers are a top data breach vector.

> This skill is instruction-only. It does not execute any Azure CLI commands or access your Azure account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  1. Storage account list with configuration — public access and network settings
  2. ```bash
  3. az storage account list --output json \
  4. --query '[].{Name:name,RG:resourceGroup,PublicAccess:allowBlobPublicAccess,HTTPS:supportsHttpsTrafficOnly}'
  5. ```
  6. Blob container list with public access level — per storage account
  7. ```bash
  8. az storage container list \
  9. --account-name mystorageaccount \
  10. --output json \
  11. --query '[].{Name:name,PublicAccess:properties.publicAccess}'
  12. ```
  13. Storage account network rules — firewall and private endpoint config
  14. ```bash
  15. az storage account show --name mystorageaccount --resource-group my-rg \
  16. --query '{NetworkRules:networkRuleSet,PrivateEndpoints:privateEndpointConnections}'
  17. ```

Minimum required Azure RBAC role to run the CLI commands above (read-only): ```json { "role": "Storage Account Contributor", "scope": "Subscription", "note": "Use 'Reader' role at minimum for account-level config; 'Storage Blob Data Reader' to list containers" } ```

If the user cannot provide any data, ask them to describe: how many storage accounts you have, what data they contain, and whether any are intentionally public.

Checks - Storage accounts with `allowBlobPublicAccess = true` at account level - Containers with `publicAccess = blob` or `container` (anonymous read) - Storage accounts not requiring HTTPS (`supportsHttpsTrafficOnly = false`) - Storage accounts with shared access keys not rotated in > 90 days - Storage accounts without private endpoint (accessible via public internet) - Missing soft delete (blob and container) — ransomware protection - Missing blob versioning on critical data storage - SAS tokens: overly permissive, no expiry, or used as permanent credentials - Storage accounts with no diagnostic logging

Output Format - **Critical Findings**: publicly accessible containers with data risk estimate - **Findings Table**: storage account, container, issue, risk, estimated sensitivity - **Hardened Policy**: ARM/Bicep template per finding - **SAS Token Policy**: short-lived, minimal-permission SAS generation guide - **Azure Policy**: deny public blob access org-wide

Rules - Use account/container naming to estimate data sensitivity - Microsoft recommends disabling shared key access — use Entra ID auth + RBAC instead - Note: "Anonymous access" in Azure = completely unauthenticated — treat as Critical - Always recommend Microsoft Defender for Storage for malware scanning - Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output - If user pastes raw data, confirm no credentials are included before processing

Use Cases

  • Audit Azure Storage accounts for publicly accessible blob containers
  • Identify storage accounts missing HTTPS enforcement or private endpoints
  • Detect misconfigured SAS tokens with excessive permissions or no expiry
  • Generate ARM/Bicep remediation templates for each finding
  • Create Azure Policy definitions to deny public blob access organization-wide

Pros & Cons

Pros

  • +Instruction-only design — never executes Azure CLI commands or accesses your account directly
  • +Comprehensive check coverage including soft delete, versioning, and diagnostic logging
  • +Provides actionable output with remediation templates and org-wide policy recommendations

Cons

  • -Requires manual Azure CLI data gathering — cannot pull data autonomously
  • -Azure-specific — no coverage for AWS S3 or GCP Cloud Storage

FAQ

What does Storage Exposure Auditor do?
Identify publicly accessible Azure Storage accounts and misconfigured blob containers
What platforms support Storage Exposure Auditor?
Storage Exposure Auditor is available on Claude Code, OpenClaw.
What are the use cases for Storage Exposure Auditor?
Audit Azure Storage accounts for publicly accessible blob containers. Identify storage accounts missing HTTPS enforcement or private endpoints. Detect misconfigured SAS tokens with excessive permissions or no expiry.

100+ free AI tools

Writing, PDF, image, and developer tools — all in your browser.

AI Humanizer
Make AI text undetectable
AI Detector
Free, unlimited
PDF Tools
Merge, split, compress
View all plans — from $9.99/mo 3 free uses/day, no signup

Next Step

Use the skill detail page to evaluate fit and install steps. For a direct browser workflow, move into a focused tool route instead of staying in broader support surfaces.

Open Free Tools Try AI Detector