Open YouTube

Configure Azure Storage security | AZ-104 | Episode 18

autoenpublicupdated

Storage security overview

  1. Azure resources are generally secure by default, so storage access should be opened only to the level required for the workload.
  2. The module focuses on blob storage security strategies, including SAS tokens, RBAC permissions, access controls, and encryption.
  3. Azure storage data is replicated at least three times and encrypted at rest through Storage Service Encryption.

RBAC and SAS access

  1. RBAC provides authenticated, user- or group-based access control, and permissions are usually assigned to groups rather than individual users.
  2. Shared access signatures provide token-based access that can be distributed to users, but the token must be protected and constrained.
  3. SAS tokens can be limited by permissions, start time, expiry time, IP address range, and protocol.
  4. SAS token URLs include the storage account endpoint, container or object path, permission and time parameters, and the secure token string.

Anonymous and private access

  1. Containers default to private access with no anonymous access, reflecting Azure's secure-by-default model.
  2. The demonstration shows enabling anonymous access, uploading a blob, and accessing it through its public URL.
  3. When the container is changed back to private, the object is no longer reachable and Azure returns a message indicating the object does not exist, helping reduce footprinting.
  4. A SAS token can allow access to a private blob without changing the container to public access.

Policies, lifecycle, and tiers

  1. Lifecycle management rules can move blobs between tiers based on conditions such as last modified date.
  2. Stored access policies can manage access for groups of files in a container, with up to five policies available.
  3. Immutable storage options include legal retention holds and time-based holds that retain deleted objects for a configured period.
  4. Storage tier inheritance is demonstrated by changing the account default tier and showing how inferred blob tiers update while explicitly set tiers remain unchanged.

Replication demonstration

  1. Object replication can copy data from one storage account container to another, either for everything, only new objects, or custom selections.
  2. The demonstration uses only-new-object replication, so only the newly uploaded blob appears in the destination container.

Encryption keys

  1. Storage accounts use Microsoft-managed keys by default, which handle encryption without requiring users to provide keys during normal access.
  2. Customers can bring their own keys when policy or governance requirements demand direct control over encryption keys.
  3. Key Vault is recommended for storing and retrieving customer-managed keys and SAS tokens.

Security best practices

  1. Microsoft recommended practices and default values are important to remember for the AZ-104 exam.
  2. Use HTTPS wherever possible instead of unencrypted HTTP.
  3. Keep the number of storage policies low and delete policies that are no longer used.
  4. Use short-lived SAS token expirations and account for time zones when sharing tokens globally.
  5. Storage security should be understood in the context of the specific Azure service or storage role being managed.

Actiepunten

  1. Use HTTPS for storage access wherever possible.
  2. Store SAS tokens and customer-managed keys in Azure Key Vault when possible.
  3. Reduce the number of storage access policies and delete policies that are no longer in use.
  4. Set near-term expirations for SAS tokens.
  5. Account for time zones when generating and distributing SAS tokens for global users.
  6. Talk to a security specialist or use trusted tools to identify storage account security best practices when unfamiliar with the options.
  7. Continue learning by watching other course videos or exploring Microsoft Learn.