Azure Storage Authorizations Flashcards

1
Q

What are the 3 types of Shared Access Signatures for Azure Storage? Differences between them

A

User delegation SAS
A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only.

Service SAS
A service SAS is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files.

Account SAS
An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS.
In Account SAS you can also delegate access to the following:

Service-level operations (For example, the Get/Set Service Properties and Get Service Stats operations).

Read, write, and delete operations that aren’t permitted with a service SAS.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

A shared access signature can take one of the following two forms:

A

Ad hoc SAS.
When you create an ad hoc SAS, the start time, expiry time, and permissions are specified in the SAS URI. Any type of SAS can be an ad hoc SAS.

Service SAS with stored access policy.
A stored access policy is defined on a resource container, which can be a blob container, table, queue, or file share. The stored access policy can be used to manage constraints for one or more service shared access signatures. When you associate a service SAS with a stored access policy, the SAS inherits the constraints—the start time, expiry time, and permissions—defined for the stored access policy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Explain how a shared access signature works

A

A shared access signature is a signed URI that points to one or more storage resources. The URI includes a token that contains a special set of query parameters. The token indicates how the resources may be accessed by the client. One of the query parameters, the signature, is constructed from the SAS parameters and signed with the key that was used to create the SAS. This signature is used by Azure Storage to authorize access to the storage resource.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

SAS signature and authorization
You can sign a SAS token with a XXXXX or with a XXXXX.

A

user delegation key

storage account key (Shared Key)

Signing a SAS token with a user delegation key
You can sign a SAS token by using a user delegation key that was created using Azure Active Directory (Azure AD) credentials. A user delegation SAS is signed with the user delegation key.

To get the key, and then create the SAS, an Azure AD security principal must be assigned an Azure role that includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action.

Signing a SAS token with an account key
Both a service SAS and an account SAS are signed with the storage account key. To create a SAS that is signed with the account key, an application must have access to the account key.

When a request includes a SAS token, that request is authorized based on how that SAS token is signed. The access key or credentials that you use to create a SAS token are also used by Azure Storage to grant access to a client that possesses the SAS.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is the Type of Authorization for each of these?

User delegation SAS (Blob storage only):
Service SAS:
Account SAS:

A

User delegation SAS (Blob storage only) Azure AD
Service SAS Shared Key
Account SAS Shared Key

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What is SAS token?

A

SAS token
The SAS token is a string that you generate on the client side, for example by using one of the Azure Storage client libraries. The SAS token is not tracked by Azure Storage in any way. You can create an unlimited number of SAS tokens on the client side. After you create a SAS, you can distribute it to client applications that require access to resources in your storage account.

Client applications provide the SAS URI to Azure Storage as part of a request. Then, the service checks the SAS parameters and the signature to verify that it is valid. If the service verifies that the signature is valid, then the request is authorized. Otherwise, the request is declined with error code 403 (Forbidden).

Here’s an example of a service SAS URI, showing the resource URI and the SAS token. Because the SAS token comprises the URI query string, the resource URI must be followed first by a question mark, and then by the SAS token:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

When to use a shared access signature

A

Use a SAS to give secure access to resources in your storage account to any client who does not otherwise have permissions to those resources.

A common scenario where a SAS is useful is a service where users read and write their own data to your storage account. In a scenario where a storage account stores user data, there are two typical design patterns:

1) Clients upload and download data via a front-end proxy service, which performs authentication. This front-end proxy service allows the validation of business rules. But for large amounts of data, or high-volume transactions, creating a service that can scale to match demand may be expensive or difficult.

Scenario diagram: Front-end proxy service

2) A lightweight service authenticates the client as needed and then generates a SAS. Once the client application receives the SAS, it can access storage account resources directly. Access permissions are defined by the SAS and for the interval allowed by the SAS. The SAS mitigates the need for routing all data through the front-end proxy service.

Scenario diagram: SAS provider service

Many real-world services may use a hybrid of these two approaches. For example, some data might be processed and validated via the front-end proxy. Other data is saved and/or read directly using SAS.

Additionally, a SAS is required to authorize access to the source object in a copy operation in certain scenarios:

When you copy a blob to another blob that resides in a different storage account.

You can optionally use a SAS to authorize access to the destination blob as well.

When you copy a file to another file that resides in a different storage account.

You can optionally use a SAS to authorize access to the destination file as well.

When you copy a blob to a file, or a file to a blob.

You must use a SAS even if the source and destination objects reside within the same storage account.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Best practices when using SAS (Mention at least 5)

A

Best practices when using SAS
When you use shared access signatures in your applications, you need to be aware of two potential risks:

If a SAS is leaked, it can be used by anyone who obtains it, which can potentially compromise your storage account.

If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then the application’s functionality may be hindered.

The following recommendations for using shared access signatures can help mitigate these risks:

Always use HTTPS to create or distribute a SAS. If a SAS is passed over HTTP and intercepted, an attacker performing a man-in-the-middle attack is able to read the SAS. Then, they can use that SAS just as the intended user could have. This can potentially compromise sensitive data or allowing for data corruption by the malicious user.

Use a user delegation SAS when possible. A user delegation SAS provides superior security to a service SAS or an account SAS. A user delegation SAS is secured with Azure AD credentials, so that you do not need to store your account key with your code.

Have a revocation plan in place for a SAS. Make sure you are prepared to respond if a SAS is compromised.

Configure a SAS expiration policy for the storage account. A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they’ll see a warning. If Azure Storage logging with Azure Monitor is enabled, then an entry is written to the Azure Storage logs. To learn more, see Create an expiration policy for shared access signatures.

Define a stored access policy for a service SAS. Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. Set the expiration on these very far in the future (or infinite) and make sure it’s regularly updated to move it farther into the future.

Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it’s valid only for a short time. This practice is especially important if you cannot reference a stored access policy. Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.

Have clients automatically renew the SAS if necessary. Clients should renew the SAS well before the expiration, in order to allow time for retries if the service providing the SAS is unavailable. This might be unnecessary in some cases. For example, you might intend for the SAS to be used for a small number of immediate, short-lived operations. These operations are expected to be completed within the expiration period. As a result, you are not expecting the SAS to be renewed. However, if you have a client that is routinely making requests via SAS, then the possibility of expiration comes into play.

Be careful with SAS start time. If you set the start time for a SAS to the current time, failures might occur intermittently for the first few minutes. This is due to different machines having slightly different current times (known as clock skew). In general, set the start time to be at least 15 minutes in the past. Or, don’t set it at all, which will make it valid immediately in all cases. The same generally applies to expiry time as well–remember that you may observe up to 15 minutes of clock skew in either direction on any request. For clients using a REST version prior to 2012-02-12, the maximum duration for a SAS that does not reference a stored access policy is 1 hour. Any policies that specify a longer term than 1 hour will fail.

Be careful with SAS datetime format. For some utilities (such as AzCopy), date/time values must be formatted as ‘+%Y-%m-%dT%H:%M:%SZ’. This format specifically includes the seconds.

Be specific with the resource to be accessed. A security best practice is to provide a user with the minimum required privileges. If a user only needs read access to a single entity, then grant them read access to that single entity, and not read/write/delete access to all entities. This also helps lessen the damage if a SAS is compromised because the SAS has less power in the hands of an attacker.

Understand that your account will be billed for any usage, including via a SAS. If you provide write access to a blob, a user may choose to upload a 200 GB blob. If you’ve given them read access as well, they may choose to download it 10 times, incurring 2 TB in egress costs for you. Again, provide limited permissions to help mitigate the potential actions of malicious users. Use short-lived SAS to reduce this threat (but be mindful of clock skew on the end time).

Validate data written using a SAS. When a client application writes data to your storage account, keep in mind that there can be problems with that data. If you plan to validate data, perform that validation after the data is written and before it is used by your application. This practice also protects against corrupt or malicious data being written to your account, either by a user who properly acquired the SAS, or by a user exploiting a leaked SAS.

Know when not to use a SAS. Sometimes the risks associated with a particular operation against your storage account outweigh the benefits of using a SAS. For such operations, create a middle-tier service that writes to your storage account after performing business rule validation, authentication, and auditing. Also, sometimes it’s simpler to manage access in other ways. For example, if you want to make all blobs in a container publicly readable, you can make the container Public, rather than providing a SAS to every client for access.

Use Azure Monitor and Azure Storage logs to monitor your application. Authorization failures can occur because of an outage in your SAS provider service. They can also occur from an inadvertent removal of a stored access policy. You can use Azure Monitor and storage analytics logging to observe any spike in these types of authorization failures. For more information, see Azure Storage metrics in Azure Monitor and Azure Storage Analytics logging.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Difference between User Delegation Key vs SAS Token

A

A user-delegation SAS token is more secure that it does not rely on the permissions included in the SAS token only. It also takes into consideration the RBAC permissions of the user who created this SAS token. A SAS token created using shared access key simply considers the permissions included in the SAS token.

For example, let’s say the user who’s creating a user-delegation SAS only has Read permissions on a blob container (i.e. they can only list or download blobs in a blob container). Now let’s say the user creates a SAS token with Write permission. When this SAS token is used to upload a blob, the operation will fail because the user does not have Write permissions on that blob container whereas the upload operation would have succeeded if the SAS token was created using shared access key.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

An SAS Token for Access to a Container, Directory or Blob may be secured by…

A

A SAS token for access to a container, directory, or blob may be secured by using either

Azure AD credentials

or an account key.

A SAS secured with Azure AD credentials is called a user delegation SAS. Microsoft recommends that you use Azure AD credentials when possible as a security best practice, rather than using the account key, which can be more easily compromised. When your application design requires shared access signatures, use Azure AD credentials to create a user delegation SAS for superior security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Difference between SAS Account and SAS Service

A

Azure storage accounts come in two flavors: standard accounts, which provide access to Azure Storage services such as tables, queues, files, blobs, and disks; and blob storage accounts, which are optimized for blob storage. But whichever account type you choose, a master key is used to grant administrative access.

But if you want to grant limited or temporary access, giving away your storage account key isn’t the best idea. To solve this problem, Azure uses Shared Access Signatures (SAS) for safely delegating access to objects in storage. A Shared Access Signature is a Uniform Resource Identifier (URI) that includes all the information about the resources to which you want to grant access, and relevant permissions in the form of a token.

Ergo:

The service SAS delegates access to a resource in just one of the storage services: the Blob, Queue, Table, or File service.

The account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service SAS are also available via an account SAS.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly