Secure your Azure Storage account Flashcards

1
Q

Encryption at rest

A

All data written to Azure Storage is automatically encrypted by Storage Service Encryption (SSE) with a 256-bit Advanced Encryption Standard (AES) cipher, one of the strongest block ciphers available, and the implementation is FIPS 140-2 compliant. SSE encrypts data as it is written to Azure Storage and decrypts it before returning it on a read. The process incurs no additional charge, doesn't degrade performance, and can't be disabled. By default the encryption keys are managed by Microsoft; if you need control over key material and rotation, the account can be switched to customer-managed keys held in Azure Key Vault.

2
Q

Azure Disk Encryption

A

For virtual machines (VMs), Azure lets you encrypt virtual hard disks (VHDs) by using Azure Disk Encryption. This encryption uses BitLocker for Windows images, and it uses dm-crypt for Linux.

3
Q

Azure Key Vault

A

Azure Disk Encryption stores its disk-encryption keys and secrets in Azure Key Vault, so you control and manage them there rather than on the VM. Because the VHD is encrypted with a key the attacker doesn't hold, someone who gains access to the VHD image and downloads it still can't read the data on it.

4
Q

Encryption in transit

A

Keep your data secure by enabling transport-level security between Azure and the client. Always use HTTPS to secure communication over the public internet. When you call the REST APIs to access objects in storage accounts, you can enforce HTTPS by requiring secure transfer for the storage account (the "Secure transfer required" setting). After you enable secure transfer, connections that use HTTP are refused. The same setting also enforces secure transfer over SMB by requiring SMB 3.0 (which supports encryption) for all file share mounts. One caveat: Azure Storage doesn't support HTTPS for custom domain names, so the setting isn't applied to requests made through a custom domain.

5
Q

CORS support

A

Azure Storage supports cross-domain access through cross-origin resource sharing (CORS). CORS uses HTTP headers so that a web application served from one domain can read resources from a server at a different domain: the CORS rules you set on the storage service tell the browser which origins, methods, and headers are allowed, and the browser enforces them. This lets a web app load content from the storage account only from the origins you authorized. CORS is a browser-side control on cross-origin reads, not an authentication mechanism; requests still need a key, a SAS, or a role assignment, and a rule that allows every origin (*) should be reserved for genuinely public content.

6
Q

Role-based access control

A

Azure Storage checks on every request that the caller is authorized for the data it is accessing. You can choose from several authorization options: the shared account keys, shared access signatures (SAS), and Azure role-based access control (RBAC), which grants Microsoft Entra ID (formerly Azure AD) identities built-in roles such as Storage Blob Data Reader or Storage Blob Data Contributor at subscription, resource group, account, or container scope. RBAC is the most flexible option: permissions are attached to an identity rather than to a secret that has to be distributed and rotated, and each assignment can be scoped to just the resources a principal needs.

7
Q

Auditing access

A

Auditing is another part of controlling access. You can audit Azure Storage access by using the built-in Storage Analytics service, which writes its logs to a $logs container in the same account. Azure Monitor resource logs, configured through diagnostic settings, are the current recommended replacement and can be routed to a Log Analytics workspace or a SIEM.

Storage Analytics logs every operation in real time, and you can search the logs for specific requests. Filter based on the authentication mechanism (authenticated, SAS, or anonymous), the success of the operation, or the resource that was accessed.

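The filtering described in this card, as an added example that is not part of the flashcards or of Microsoft's documentation: a small Python parser for Storage Analytics log lines in the documented 1.0 format (30 semicolon-delimited fields, with fields that may contain a semicolon, such as the URL and user agent, wrapped in double quotes) plus filters by authentication type, outcome, and resource, and a count of authorization failures per source address. The four log lines, the account name contoso, and the client addresses are constructed for the demo; the field order is assumed from the 1.0 format documentation.

```python
"""Filter Storage Analytics (classic) log lines by authentication type,
outcome and resource. Assumes the documented 1.0 log format: 30 fields
separated by ';', with fields that may contain ';' (URL, user agent, ...)
wrapped in double quotes, so lines must be parsed as CSV, not split."""
import csv
import io
from collections import Counter

# Field names in the order the 1.0 format writes them (assumed from the docs).
FIELDS = (
    "version-number", "request-start-time", "operation-type", "request-status",
    "http-status-code", "end-to-end-latency-in-ms", "server-latency-in-ms",
    "authentication-type", "requester-account-name", "owner-account-name",
    "service-type", "request-url", "requested-object-key", "request-id-header",
    "operation-count", "requester-ip-address", "request-version-header",
    "request-header-size", "request-packet-size", "response-header-size",
    "response-packet-size", "request-content-length", "request-md5",
    "server-md5", "etag-identifier", "last-modified-time", "conditions-used",
    "user-agent-header", "referrer-header", "client-request-id",
)

# Constructed sample lines for account "contoso" (not real logs). Line 3's
# user agent contains ';' inside quotes, which breaks a naive split(';').
SAMPLE_LOG = """1.0;2024-03-01T10:15:01.0000000Z;GetBlob;AnonymousSuccess;200;12;11;anonymous;;contoso;blob;"https://contoso.blob.core.windows.net/public/readme.txt";"/contoso/public/readme.txt";c1;0;203.0.113.10:51000;2020-10-02;0;0;300;1024;0;;;"0x8D1";Fri, 01 Mar 2024 10:14:00 GMT;;"curl/8.0";;
1.0;2024-03-01T10:15:02.0000000Z;ListBlobs;SASAuthorizationError;403;5;4;sas;;contoso;blob;"https://contoso.blob.core.windows.net/finance?restype=container&comp=list";"/contoso/finance";c2;0;203.0.113.10:51001;2020-10-02;0;0;200;0;0;;;;;;"python-requests/2.31";;
1.0;2024-03-01T10:15:03.0000000Z;PutBlob;Success;201;40;39;authenticated;contoso;contoso;blob;"https://contoso.blob.core.windows.net/finance/q1.csv";"/contoso/finance/q1.csv";c3;0;198.51.100.7:44010;2020-10-02;0;4096;120;0;4096;;;"0x8D2";Fri, 01 Mar 2024 10:15:03 GMT;;"Azure-Storage/12.19 (Python 3.11; Linux)";;
1.0;2024-03-01T10:15:04.0000000Z;ListContainers;AuthorizationError;403;6;5;authenticated;contoso;contoso;blob;"https://contoso.blob.core.windows.net/?comp=list";"/contoso";c4;0;203.0.113.10:51002;2020-10-02;0;0;200;0;0;;;;;;"python-requests/2.31";;
"""


def parse_log(text):
    """Yield one dict per log line, keyed by FIELDS. Other format versions add
    or reorder fields, so anything that is not 1.0 is skipped, not misread."""
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    for row in reader:
        if not row or row[0] != "1.0":
            continue
        row += [""] * (len(FIELDS) - len(row))  # tolerate a short line
        yield dict(zip(FIELDS, row))


def filter_requests(records, auth=None, failed_only=False, key_prefix=None):
    """auth: 'authenticated', 'sas' or 'anonymous'; failed_only: HTTP >= 400;
    key_prefix: prefix of requested-object-key, e.g. '/contoso/finance'."""
    out = []
    for r in records:
        if auth and r["authentication-type"] != auth:
            continue
        if failed_only and int(r["http-status-code"]) < 400:
            continue
        if key_prefix and not r["requested-object-key"].startswith(key_prefix):
            continue
        out.append(r)
    return out


def auth_failures_by_ip(records):
    """Count 401/403 responses per source address (port stripped). A burst
    from one address is the cue to look for a leaked or guessed SAS/key."""
    counts = Counter()
    for r in records:
        if int(r["http-status-code"]) in (401, 403):
            counts[r["requester-ip-address"].rsplit(":", 1)[0]] += 1
    return counts


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    for r in filter_requests(recs, failed_only=True):
        print(r["request-start-time"], r["authentication-type"],
              r["operation-type"], r["request-status"], r["requester-ip-address"])
    print(dict(auth_failures_by_ip(recs)))
```

Run against a real $logs blob the same functions apply unchanged; the csv module is what makes the user-agent and URL fields (which legitimately contain semicolons) survive intact.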
8
Q

Storage account keys

A

Azure creates two of these keys (primary and secondary) for each storage account you create. Either key grants full access to everything in the account, across all of its services; having two lets you rotate one while applications keep working with the other.

9
Q

Protecting shared keys

A

The storage account has only two keys, and each provides full access to the account. Because these keys are so powerful, use them only with trusted in-house applications that you control completely, and give everything else a narrower credential such as a shared access signature or a role assignment.

10
Q

Reasons to regenerate your storage account keys

A

For security reasons, regenerate keys periodically as routine hygiene.
If someone breaks into an application and obtains a key that was hard-coded or saved in a configuration file, regenerate the key. The compromised key gives the attacker full access to your storage account until you do.
If your team uses a Storage Explorer application that keeps the storage account key, and one of the team members leaves, regenerate the key. Otherwise, the application continues to work, giving the former team member access to your storage account.

11
Q

Refresh keys

A

1. Change each trusted app to use the secondary key.

2. Refresh the primary key in the Azure portal. Consider this as the new secondary key value.

After the refresh, any client that still presents the old key value is refused, so identify every client that uses the shared key before you regenerate it and update them to keep them operational. Rotating the other key is the same two steps with the roles swapped.

12
Q

Types of shared access signatures

A

Service-level shared access signature: delegates access to a resource in a single service (Blob, Queue, Table, or File), for example one container or one blob.

Account-level shared access signature: can span several services and resource types in the account and additionally permits service-level operations, such as reading service properties, that a service SAS can't.

Both are signed with one of the storage account keys, so regenerating that key invalidates every SAS issued with it. A SAS carries its own permissions, expiry, and optional IP range and protocol restriction, which makes it a narrower credential to hand out than the account key itself.

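The account-level SAS from this card and the key-protection point from the shared-key cards, built and verified by hand as an added example (Python, standard library only; not code from the flashcards or from Microsoft). It implements the documented account SAS string-to-sign for service versions before 2020-12-06 (nine newline-terminated fields; later versions append a signed encryption scope) and the HMAC-SHA256 construction that service-level SAS shares, differing only in its string-to-sign. The account name contoso, the two keys (byte ranges, not real keys), and the fixed expiry are constructed for the demo. The verify function shows why a SAS is safer to hand out than the account key: every parameter is bound by the signature, so widening the permissions or editing the expiry invalidates the token, and regenerating the key invalidates every SAS signed with it. In production the azure-storage-blob SDK's generate_account_sas does this for you, and for Blob there is also a user delegation SAS signed with Microsoft Entra credentials rather than an account key, which is not covered here.

```python
"""Build and verify an Azure Storage account SAS by hand (standard library only).
Assumes the documented account SAS string-to-sign for service versions before
2020-12-06: nine newline-terminated fields, signed with HMAC-SHA256 keyed by
the base64-decoded account key; the base64 signature travels as `sig`."""
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2019-12-12"          # pre-2020-12-06 string-to-sign layout
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed demo keys (byte ranges), not real account keys. Real keys are
# 64 random bytes, base64-encoded, as shown in the portal.
DEMO_KEY_B64 = base64.b64encode(bytes(range(64))).decode("ascii")
ROTATED_KEY_B64 = base64.b64encode(bytes(range(64, 128))).decode("ascii")
DEMO_EXPIRY = datetime(2030, 1, 1, tzinfo=timezone.utc)


def account_sas_string_to_sign(account, p):
    """Field order is fixed; optional fields (st, sip, spr) still contribute
    an empty line, and the string ends with a trailing newline."""
    return "\n".join([
        account, p["sp"], p["ss"], p["srt"],
        p.get("st", ""), p["se"], p.get("sip", ""), p.get("spr", ""), p["sv"],
    ]) + "\n"


def sign(key_b64, string_to_sign):
    """Base64(HMAC-SHA256(UTF8(string_to_sign), Base64Decode(account key)))."""
    mac = hmac.new(base64.b64decode(key_b64),
                   string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def make_account_sas(account, key_b64, permissions, services, resource_types,
                     expiry, start=None, ip_range=None, protocol="https"):
    """permissions e.g. 'rl'; services from 'b','q','t','f'; resource types
    from 's' (service), 'c' (container), 'o' (object). Returns the query string."""
    p = {"sv": SAS_VERSION, "ss": services, "srt": resource_types,
         "sp": permissions, "se": expiry.strftime(TIME_FMT), "spr": protocol}
    if start:
        p["st"] = start.strftime(TIME_FMT)
    if ip_range:
        p["sip"] = ip_range
    p["sig"] = sign(key_b64, account_sas_string_to_sign(account, p))
    return urlencode(p)


def verify_account_sas(account, key_b64, token, now=None):
    """What the service does per request: recompute the signature over the
    parameters exactly as presented, compare in constant time, check expiry."""
    p = {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}
    try:
        expected = sign(key_b64, account_sas_string_to_sign(account, p))
        expiry = datetime.strptime(p["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False                      # missing or malformed parameter
    if not hmac.compare_digest(expected.encode(), p.get("sig", "").encode()):
        return False                      # any edited field breaks the MAC
    return (now or datetime.now(timezone.utc)) < expiry


if __name__ == "__main__":
    token = make_account_sas("contoso", DEMO_KEY_B64, "rl", "b", "co", DEMO_EXPIRY)
    print(token)
    print("valid:", verify_account_sas("contoso", DEMO_KEY_B64, token))
    print("widened to rwdl:", verify_account_sas(
        "contoso", DEMO_KEY_B64, token.replace("sp=rl", "sp=rwdl")))
    print("after key rotation:", verify_account_sas("contoso", ROTATED_KEY_B64, token))
```

The token it prints is the same shape as one from the portal (sv, ss, srt, sp, se, spr, sig), which makes it a handy way to check what a SAS you were handed actually authorizes before you use it.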