I used to think Azure Storage security was mostly about access keys.
It is not.
The bigger issue is usually how many ways a storage account can be reached.
A storage account might have public network access enabled. It might allow anonymous blob access. It might have SAS tokens that were created for a quick task and then forgotten. It might have logs enabled, but nobody checking where those logs actually go.
None of that looks dramatic on its own.
But together, it can create a lot of unnecessary risk.
When I review a storage account, I like to start with simple questions:
- Can the public internet reach this?
- Is anonymous access disabled?
- Are SAS tokens being used carefully?
- Do we need a private endpoint for this workload?
- Is Defender for Storage enabled?
- Are diagnostic logs going somewhere useful?
- Would anyone notice if the access pattern changed?
This is not advanced cloud security.
It is the basic work that often gets missed because delivery is moving quickly.
That is the part I keep coming back to. A lot of cloud risk starts in boring places.