Azure Security, Authentication & Authorization Flashcards
What is a requirement for Azure AD to work?
User must have profile in AAD and app must be registered in AAD
True or False? You can configure an instance of API Management to protect the API by using OAuth 2.0 with Azure Active Directory
True
Explain what Authentication means
Authentication is the process of proving you are who you say you are. (AuthN)
Explain what Authorization means
Authorization is the act of granting an authenticated party permission to do something. It specifies what data you're allowed to access and what you can do with that data. (AuthZ)
Explain what a Shared access Signature (SAS) is and what you can do with it.
It's used to grant access to a resource in your storage account. For Blob Storage, for example, it's simply a token that's added to the URL. Everyone that has this URL can use the privileges that were defined when the SAS was created.
Explain what the difference is between an ad-hoc SAS and a SAS that is associated with a stored access policy
An ad-hoc SAS contains all information, like start time, end time and permissions, directly in the URI
example: ?sv=2018-11-09&sr=c&sig=rS3eUbL5eCSmmth57EQkTEd6DEIo4luyg%2FtXvqvorXc%3D&st=2020-05-28T18%3A14%3A50Z&se=2020-05-29T18%3A19%3A50Z&sp=wl
When a SAS is associated with a stored access policy, it inherits the settings from the policy. It's also possible to revoke those by changing the policy.
example: http://127.0.0.1:10000/devstoreaccount1/sas-container-637262939086872312?sv=2018-11-09&sr=c&si=tutorial-policy-637262939086922296&sig=0pZAShTGtP7qYz%2FaXIf4Zr32hcA4RMr4dYDFPQUcj3w%3D
True or False? When copying files between different Storage Accounts, you must use a SAS
True
Explain on a high level what Azure RBAC is and what you can do with it
Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
Name the three key elements that are part of the RBAC security concept
Security principal, role definition and scope
Explain what Security principal means
A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources.
What forms of Service Principal does Azure work with? Name at least three
User, individual with profile in Azure Active Directory
Group, a set of users
Service Principal, apps can use this to access specific Azure resources. Think of it like a user + password or a certificate
Managed Identity, automatically managed by Azure. Used by cloud applications to manage credentials for authenticating to Azure services
Explain what a Role definition (role) is
A collection of permissions, like read, write, delete
Explain what a Scope is
Scope is the set of resources that the access applies to. When you assign a role, you can further limit the actions allowed by defining a scope. This is helpful if you want to make someone a Website Contributor, but only for one resource group.
What is a role assignment
A role assignment is the process of attaching a role definition to a user, group, service principal, or managed identity at a particular scope for the purpose of granting access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment.
True or False? Azure RBAC is an additive model, so your effective permissions are the sum of your role assignments.
True
What is a deny assignment
A deny assignment attaches a set of deny actions to a user, group, service principal, or managed identity at a particular scope for the purpose of denying access. A role assignment defines a set of actions that are allowed, while a deny assignment defines a set of actions that are not allowed. In other words, deny assignments block users from performing specified actions even if a role assignment grants them access.
What are the 3 planes on which you secure Azure Storage?
- Management
- Data
- Encryption
What makes up a role assignment, or, How do you secure the management plane of an Azure Storage account?
- Security principal (who gets access - user, group, etc.)
- Role definition (what actions they can and can’t do)
- Scope of access (subscription, resource group, resource)
Name 3 ways you can secure the data plane of an Azure Storage account?
- Keys
- Shared Access Signature
- AAD (access w/token)
True or false: the storage key is like a root password and 2 keys are created when you provision a new storage account.
True
Benefits of Shared Access Signature
Allows access without sharing the storage key
Very flexible when it comes to granting access to a storage account
Consists of a URI with specific permissions attached to it