Insecure Azure Storage Account Public Access Configuration
The Azure storage account is not configured to block public network access or to prevent nested blob items from becoming publicly accessible. Both `public_network_access_enabled` and `allow_nested_items_to_be_public` default to true in the azurerm provider, so leaving them unset has the same effect as setting them to true. Because `public_network_access_enabled` is not set to false, the account's public endpoint remains reachable from the internet (subject only to any network rules that are defined). Because `allow_nested_items_to_be_public` is not set to false, individual containers can still be created with an access level of "blob" or "container", which lets anyone on the internet read their contents without authentication.
This weakens the confidentiality posture of the storage account and increases the risk that sensitive files, logs, backups, or application data could be exposed to unauthorised users. Attackers commonly scan for publicly reachable cloud storage resources, making this misconfiguration particularly risky in environments that store sensitive or business-critical data.
Remediation
Disable public network access on the storage account by setting `public_network_access_enabled = false`, unless public access is explicitly required and justified. Also set `allow_nested_items_to_be_public = false`; this is enforced at the account level, so a container can no longer be switched to "blob" or "container" access regardless of how it is configured. Where access is required, use private endpoints, managed identities, least-privilege Azure RBAC roles (for example Storage Blob Data Reader scoped to the account) and explicit network rules instead of public exposure. If the public endpoint genuinely must stay enabled, add a `network_rules` block with `default_action = "Deny"` and allow only the specific IP ranges or subnets that need it.
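The following Terraform configuration is an added example written for this page, not the original rule's own code: it places the insecure account (both attributes left at their defaults) beside a hardened one that disables the public endpoint, blocks anonymous container access, denies by default, and is reached over a private endpoint with a managed identity holding a least-privilege data-plane role. The resource group, names, location, the `private_endpoint_subnet_id` and `app_identity_principal_id` variables are assumptions for illustration.

```hcl
# Added example for this page (not the scanner's or provider's own code).
# Resource names, location and the two variables below are assumptions.

resource "azurerm_resource_group" "example" {
  name     = "rg-storage-example"
  location = "westeurope"
}

# Insecure: both attributes left at their provider defaults (true). The
# account answers on its public endpoint, and any container may later be
# set to "blob" or "container" access, i.e. anonymous reads.
resource "azurerm_storage_account" "insecure" {
  name                     = "stinsecureexample001"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  # public_network_access_enabled   -> defaults to true
  # allow_nested_items_to_be_public -> defaults to true
}

# Hardened: public endpoint off, anonymous container/blob access blocked at
# the account level, and firewall rules that deny unless explicitly allowed.
resource "azurerm_storage_account" "hardened" {
  name                     = "sthardenedexample001"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"

  public_network_access_enabled   = false
  allow_nested_items_to_be_public = false

  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
  }
}

# Assumed: the subnet that hosts private endpoints.
variable "private_endpoint_subnet_id" {
  type = string
}

# Reach the hardened account's blob service over a private endpoint instead
# of the public endpoint.
resource "azurerm_private_endpoint" "blob" {
  name                = "pe-sthardened-blob"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = var.private_endpoint_subnet_id

  private_service_connection {
    name                           = "psc-sthardened-blob"
    private_connection_resource_id = azurerm_storage_account.hardened.id
    subresource_names              = ["blob"]
    is_manual_connection           = false
  }
}

# Assumed: principal id of the application's managed identity.
variable "app_identity_principal_id" {
  type = string
}

# Least-privilege data-plane access for the workload, scoped to this one
# account, instead of making the data anonymously readable.
resource "azurerm_role_assignment" "app_blob_reader" {
  scope                = azurerm_storage_account.hardened.id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = var.app_identity_principal_id
}
```

Two practical caveats. First, once `public_network_access_enabled` is false, any data-plane call from outside the private network fails, including Terraform's own `azurerm_storage_container` operations, so the runner that applies this configuration must itself sit on the virtual network or be allowed through `network_rules`; plan for that before flipping the flag on an existing account. Second, after applying, confirm the settings took effect with `az storage account show -n sthardenedexample001 -g rg-storage-example --query "{publicNetworkAccess:publicNetworkAccess, allowBlobPublicAccess:allowBlobPublicAccess}"`, which should report `Disabled` and `false`; the same query over every account in a subscription is a quick way to find other instances of this misconfiguration.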
Metadata
- Severity: high
- Slug: insecure-azure-storage-account-public-access-configuration
Tags
- Azure
CWEs
- 200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP
- A05:2021: Security Misconfiguration