services / Azure / Storage Blob Service Blobs

Blobs are the individual data objects (files) stored inside containers of an Azure Storage account's blob service. They hold an organization's unstructured production data such as documents, backups, media, and application data.

Data-plane access to blobs directly exposes stored organizational data; ADLS Gen2 (hierarchical namespace) accounts also expose POSIX ownership/ACLs at the blob level.


Microsoft.​Storage/​storageAccounts/​blobServices/​containers/​blobs/​runAsSuperUser/​action

Executing blob commands as ADLS Gen2 superuser bypasses all POSIX ACL/ownership checks, granting unrestricted read, write, and access-control over any blob in the filesystem.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https:​/​/​azure.​permissions.​cloud/​iam/​Microsoft.​Storage
  • https:​/​/​learn.​microsoft.​com/​en-​us/​azure/​role-​based-​access-​control/​resource-​provider-​operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog