Configure Access to storage Flashcards
Storage security methods
https://learn.microsoft.com/en-us/azure/storage/common/authorize-data-access
1. Encryption
- All data written to Azure Storage is automatically encrypted using Storage Service Encryption.
2. Authentication
- Microsoft Entra ID and RBAC are supported for Azure Storage for both resource management and data operations.
- You can assign RBAC roles scoped to an Azure Storage account to security principals.
- Use Microsoft Entra ID to authorize resource management operations such as key management.
3. Data in transit
- Data can be secured in transit by using client-side encryption, HTTPS, or SMB 3.0.
4. Disk encryption
5. Shared access signatures
- Delegated access to data objects in Azure Storage can be granted using a shared access signature.
6. Authorization
Things to consider when choosing an authorization method:
- Microsoft Entra ID
- Shared Key
- Shared access signature
- Anonymous access to containers and blobs
What is an endpoint for storage accounts?
An endpoint is a URL that points to a particular storage account. The URL is used whenever services, users, servers or applications need to interact with the storage account.
There are 2 types of service endpoints:
1. Standard endpoints
- You can create up to 250 storage accounts per region in a subscription.
- The storage account name is the subdomain, and the fixed domain includes the name of the service.
Example: https://<storage-account>.blob.core.windows.net
2. Azure DNS zone endpoints
- You can create up to 5000 storage accounts per region in a given subscription.
- Azure Storage dynamically selects an Azure DNS zone and assigns it to the storage account.
- The endpoint includes the storage account name as the subdomain, and a domain that includes the name of the service and the identifier for the DNS zone.
- The DNS zone identifier always starts with a z followed by a number from 00 to 99 (z00 to z99). It cannot be chosen; it is assigned automatically.
Example: https://<storage-account>.z[00-99].blob.storage.azure.net
Configure Azure Storage firewalls and virtual networks
You need to create a private endpoint, which creates a private link. A private link allows your resources to communicate with each other over the Azure backbone instead of sending traffic through the public internet.
- Firewalls and VNets restrict access to the storage account to specific subnets on VNets or to specific public IPs.
- You can configure the service to allow access from one or more public IP ranges.
- Subnets and VNets must exist in the same Azure region or region pair as the storage account.
What is a shared access signature (SAS)?
https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
- A shared access signature is a uniform resource identifier (URI) that grants restricted access rights to Azure Storage resources.
- A SAS is a secure way to share your storage without handing out the access keys of the storage account.
Things to know about shared access signatures:
- Provides granular control over the type of access you grant to clients.
- An account-level SAS can delegate access to multiple Azure Storage services, such as blobs, files, queues and tables.
- You can specify the time interval in which a SAS is valid, with a start time and an expiry time.
SAS provides account-level and service-level control:
1. Account level - the SAS delegates access to resources in one or more Azure Storage services.
2. Service level - the SAS delegates access to a resource in only one Azure Storage service.
Optional SAS configuration settings:
1. IP addresses - you can specify an IP address or range of IPs from which Azure Storage accepts the SAS.
2. Protocols - you can specify the protocol over which Azure Storage accepts the SAS. Often configured to restrict access to clients using HTTPS.
What are SAS tokens (temporary access)?
SAS tokens are used when you need to provide temporary access to your storage account.
- Grants secure, delegated access to resources in a storage account.
- The SAS can be time-limited: you set a start date/time and an expiry date/time. Good for guest accounts that need access to your storage.
- Provides access to clients without sharing the storage account keys.
- An account SAS provides access to resources in multiple storage services.
- A service SAS delegates access to a resource in only one of the storage services.
Create and use shared access signature (SAS) tokens
You can associate more than one SAS token with the same stored access policy.
When you create a SAS token you specify:
- The allowed services, such as blob, file, queue, table
- Permissions, such as read, write, delete, list, add, create, update, permanent delete
- Allowed resource types, such as service, container, object
- Start and expiry date/time
- Allowed IP addresses
- Preferred routing
Azure then creates a SAS token: a query string containing these parameters and a signature, which is appended to the resource URL to form the SAS URI.
Example:
https://mystorageaccount.blob.core.windows.net/mycontainer/myblob?sv=2020-08-04&st=2022-01-01T00%3A00%3A00Z&se=2022-01-01T12%3A00%3A00Z&sp=rwdl&spr=https&sig=mysignature
!!Once a SAS token is created it cannot be changed and it is valid until the specified expiry time!!
Identify URI and SAS parameters
When a SAS is created, a uniform resource identifier is created from parameters and tokens. The URI consists of your Azure Storage resource URI and the SAS token.
The URI is composed of:
1. Azure Storage resource URI:
https://…
2. Shared access signature token:
?sv=…
Things to know about URI definitions:
Example URI:
https://myaccount.blob.core.windows.net/?restype=service&comp=properties&sv=2015-04-05&ss=bf&st=2015-04-29T22%3A18%3A26Z&se=2015-04-30T02%3A23%3A26Z&sr=b&sp=rw&sip=168.1.5.60-168.1.5.70&spr=https&sig=F%6GRVAZ5Cdj2Pw4tgU7IlSTkWgn7bUkkAg8P6HESXwmf%4B
Breakdown of the example URI:
1. Resource URI: https://myaccount.blob.core.windows.net/?restype=service&comp=properties
- Defines the Azure Storage endpoint.
- When the URI is used with GET, the storage service properties are retrieved.
- When the URI is used with SET, the storage service properties are configured.
2. Storage version: sv=2015-04-05
3. Storage service: ss=bf
4. Start time: st=2015-04-29T22%3A18%3A26Z
5. Expiry time: se=2015-04-30T02%3A23%3A26Z
6. Resource: sr=b
7. Permissions: sp=rw
8. IP range: sip=168.1.5.60-168.1.5.70
9. Protocol: spr=https
10. Signature: sig=F%6GRVAZ5Cdj2Pw4tgU7IlSTkWgn7bUkkAg8P6HESXwmf%4B
What are access policies?
- Access policies (stored access policies) are used to manage SAS tokens and their permissions at the container or blob level.
- Provides a way to grant fine-grained and time-bound access to resources within a storage account without sharing the account keys.
- By configuring a stored access policy, you define the start time, expiry time and permissions in the policy and then associate a SAS with that policy.
- You can revoke a SAS by deleting the stored access policy it is associated with.
- A SAS associated with a policy inherits its start time, expiry time and permissions from the policy.
!!If you remove a stored access policy and then create a new one with the same name, SAS tokens that referenced the old policy are enabled again!!
Configure stored access policies
- https://learn.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy
- https://learn.microsoft.com/en-us/rest/api/storageservices/set-share-acl
- https://learn.microsoft.com/en-us/rest/api/storageservices/set-table-acl
- https://learn.microsoft.com/en-us/rest/api/storageservices/set-container-acl
Create or modify a stored access policy:
- You can set a maximum of five stored access policies on a table, container, queue, or file share at any given time.
- Permissions such as read, write, delete and the time duration can be set.
- Allows you to change the time duration and expiry date while the SAS token is still valid.
- To create or modify a stored access policy, you call the Set ACL operation for the resource (Set Container ACL, Set Queue ACL, Set Table ACL or Set Share ACL) with a request body that specifies the terms of the access policy.
Manage access keys
https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal
- Access keys provide full access to the storage account.
- Storage accounts have 2 access keys, a primary and a secondary, that can be rotated.
- When you rotate (regenerate) a key, the current key is permanently deleted and a new one is generated.
Configure identity-based access for Azure Files
What is the difference between SAS tokens, access policies and access keys, and what are their use cases?
1. Shared access signature
A SAS token is a secure way to delegate limited access to resources in a storage account.
Use cases:
- Delegating time-limited access to specific containers, blobs, queues or tables.
- Allowing clients to perform specific operations such as read, write and delete without sharing the storage account keys.
2. Access policies
Stored access policies are associated with containers in Blob Storage and allow you to manage shared access signatures at the container level.
They allow you to change the permissions and duration of SAS tokens for the container.
Use cases:
- Centralized management of SAS tokens for a specific container.
- Granting fine-grained access control at the container level.
3. Access keys
Long-lived, symmetric keys that are associated with a storage account. Each storage account has 2 access keys, primary and secondary, that provide full control over the storage account.
- Provides continuous access to the entire storage account until the key is regenerated.
Use cases:
- Long-term, full access to the storage account.
- Admin tasks such as regenerating keys, managing access policies and configuring storage account settings.