Skill 2.1 Secure Storage Flashcards
How are storage accounts managed
Through Azure Resource Manager; management operations are authenticated and authorized using Azure Active Directory and RBAC
How are storage account services exposed
As an internet-facing endpoint
What does a storage firewall do
allows you to limit access to specific IP addresses or a range
What route do service endpoints create
A direct network route from the virtual network to the endpoint
What are the two steps to configure service endpoints
- From the virtual network subnet, create the route from the subnet to the storage service; this does not restrict which storage account the virtual network can use
- Configuring which virtual networks can access a particular storage account.
Describe blob storage access levels
by default no public read access is enabled for anonymous users, and only users with rights granted through RBAC or with the storage account name and key will have access to the stored blobs
What are blob storage access levels
Private – With this option only the storage account owner can access the container and its blobs
Blob – With this option only blobs within the container can be accessed anonymously
Container – Blobs and their containers can be accessed anonymously
What is a Shared Access Signature Token (SAS Token)
URI query string parameter that grants access to specific containers, blobs, queues, and tables. Used to grant access to a client that should not have access to the entire storage account
How do SAS tokens grant access to resources
For a specific period of time with a specified set of instructions
What are SAS tokens widely used for
to copy blobs or files to another storage account
What protocol do SAS tokens use
HTTPS protocol
What are blobs
Provides a highly scalable service for storing arbitrary data such as text or binary data
What are the three types of blobs
Append Blobs
Block Blobs
Page Blobs
What are storage account service tables
Provides a NoSQL-style store for storing structured data. Unlike a relational database, tables in Azure storage do not require a fixed schema, so different entries in the same table can have different fields
What are storage account Queues
Provide reliable message queueing between applications
What are storage account files
Managed file shares that can be used by either Azure VMs or on-prem servers
What do Storage Account Service Disks do
Provides a persistent volume for Azure VMs which can be attached as a virtual hard disk
What are the rules for naming storage accounts
Storage account name must be unique across all existing storage account names in Azure
Must be between 3 and 24 characters and can contain only lowercase letters and numbers
What is a standard performance tier
Supports all storage services: blobs, tables, files, queues, and unmanaged Azure virtual machine disks. Uses magnetic disks to provide cost-efficient and reliable storage
What is the premium performance tier
Designed to support workloads with greater demand on I/O and is backed by high-performance SSDs.
What kind of storage is supported by the standard account tier
General-Purpose V1 and V2 and Blob storage
What kind of storage is supported by Premium tier
General-Purpose V1 and V2, BlockBlobStorage and FileStorage
What is a Blob storage account
specialized storage account used to store block blobs and append blobs. Page blobs cannot be stored in this account
What account types can be upgraded to General-Purpose V2
General-Purpose V2 and Blob storage though the process can’t be reversed.
What feature does a General-Purpose V2 Account support
Supports Blob, File, Table, and Queue; supports unmanaged disk, and the standard and premium performance tiers.
Supports Hot, Cool, and Archive access tiers
What storage features does General Purpose V1 Support have
Supports Blob, File, Table, and Queue, and unmanaged disk access
Standard and premium performance tiers; N/A for supported access tiers.
What features does blob storage support have
Supports blob (block and append blobs only). No unmanaged disk support.
Standard performance tier
What features does blob block storage have
Supports blob (block and append blobs only). No unmanaged disk support. Premium performance tier. N/A for access tiers
What features does the file storage tier have
Supports only file service. No unmanaged disk support. Supports the premium performance tier
What is locally redundant storage (LRS)
Three synchronous copies of data within a single datacenter. Available for general-purpose or blob storage accounts at both the standard and premium performance tiers
What is Zone Redundant Storage (ZRS)
Makes three synchronous copies to three separate availability zones within a region. Available for General-Purpose V2 storage accounts only.
What is geographically redundant storage (GRS)
Same as LRS (three local copies), plus three additional asynchronous copies to a second data center hundreds of miles away from the primary region. Data replication typically occurs within 15 minutes although no SLA is provided
Read Access GRS
Same capabilities as GRS, plus you have read-only access to the data in the secondary data center.
What are the Azure blob storage tiers
Hot
Cool
Archive
Describe the blob Cool Storage Tier
Data is stored for at least 30 days
Describe the Archive blob storage tier
Long-term storage; data will remain for 180 days.
What storage type is User delegation through Azure AD available with
Blob storage
What allows you to change the access parameters (start and end time, permissions) as part of the token
Stored access policies; they allow modifying the access of existing tokens without having to reissue them
How many stored access policies can you have on a container, table, queue, or file share
five
What are access keys used for
Allow full access to all data in all services within the storage account. You can create, read, update, and delete containers, blobs, tables, queues, and file shares. You will have full administrative access to everything other than the storage account itself
What are access keys used with
the storage account name and an access key
What does rolling a storage account access key do
Invalidates any SAS tokens that were generated using that key
What does Azure key vault do
Helps safeguard storage account access keys as well as cryptographic keys and secrets used by cloud applications and services, such as authentication keys
What is AAD authentication
A recently added authorization mechanism for Azure Storage.
What authentication do accounts created with Azure Resource Manager use
Azure AD authorization
What can SAS signatures be signed by
Azure AD credentials, to provide access to storage accounts
What is a managed service identity (MSI)
Can be used to access blobs or queues from an Azure entity like an Azure VM, a virtual machine scale set, or an Azure Functions app
What is a container RBAC resource role scope
Selects blobs, metadata and properties of the container
What is a Queue RBAC resource role
All the messages inside the queue, as well as queue properties and metadata will inherit the role assignment when this scope is selected
What is a Storage account RBAC resource scope
Under this scope, the role assignment will be applicable at the storage account level. All the containers, blobs, queues, and messages within the storage account will inherit the role assignment when this scope is selected
What are the two types of Azure identity authentication
On-premises Active Directory Domain Services (AD DS)
Azure Active Directory Domain Services (Azure AD DS)
What must be used to access Azure files by using SAS
You must use the REST method