Security pattern for third-party uploads to Azure blob container

Scenario:

  • Vendor 1 needs to upload data to an Azure blob storage container owned by Vendor 2
  • Vendor 1 is issued a limited-duration SAS token each day to use
  • Azure does no scanning of incoming blobs (therefore content is untrusted when it lands)
    • Microsoft recommends pre-scanning all files before uploading

Questions:

  • What is a repeatable pattern for Vendor 2 to secure this type of content upload against malware threats?