Stoage Account Authorization Flashcards
With Shared Access Key Authorization, how many access keys are created by default?
Two Default keys
What kind of access does having a Shared Access Key to a Storage Account grant you?
Gives access to your entire storage account, basically root/admin access.
Where does Microsoft recommend for storing your Shared Access Keys?
Azure Key Vault
What types of Shared Access Signatures (SAS) does Azure support?
- User Delegation
- Service
- Account
What is User Delegation SAS?
A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only.
What is Service SAS?
A service SAS is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files.
What is Account SAS?
An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services.
All the operations available via a service or user delegation SAS are also available via an account SAS.
Azure AD Storage Authorization
Uses Azure AD to authorize requests to blob and queue data.
You can use Azure role-based access control (RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal.
In Azure AD Storage Authentication, what two sets of permissions are needed for a Service Principal to access storage resources?
- Data Layer Permissions
- Management Permissions
With the Layered Security Model, what rules can you limit access to storage accounts?
(Firewalls and Virtual Networks)
- Limit by Subnets in Azure vNets
- Limit by IP addressees
- Limit by IP ranges
When limiting access to Storage Accounts through with firewalls or virtual networks, is Authorization still required, or can it be optional?
Authorization is still required with Azure AD, Account Access Key or SAS token.
