Securing Azure Storage starts with an overview outlining the various authentication and authorization methods available to access Azure storage resources. We then look at each method, examining its benefits and disadvantages. Setting up access to storage resources using account keys and the various shared access signature variants demonstrates the practical implications and use cases of each access method. The course ends with a look at implementing Azure files as a mapped drive within an Azure virtual machine.
Learning Objectives
- Overview of Azure account storage authentication and access
- Create an account key rotation policy
- See how to integrate storage account keys with Azure Key Vault
- Implement Shared Access Signatures
- Map a virtual machine drive to an Azure file share
Intended Audience
- Students working towards the AZ-500: Microsoft Azure Security Technologies exam
- Those wanting to learn how to secure an Azure storage account
Prerequisites
- Be familiar with Active Directory concepts such as managed identities and role-based access control, Azure Key Vault, and the basics of Azure storage resources
In terms of authentication and authorization, storage is unique compared to other Azure resources due to the variety of ways it can be accessed. The main driver is allowing public or unknown users to access storage account collections and items. This is best exemplified by shared access signatures - SASs. A SAS URL contains a token for authentication, parameters specifying the type of access, and the location of the resource. Anyone possessing the SAS can access the storage account resource. The token component is generated using one of two keys associated with the storage account. These keys could be used for global and unfettered access to all storage account resources. However, using account keys in anything but the most exceptional and limited circumstances would violate pretty much every rule of good governance and security.
Shared access signatures come in two varieties – account and service level SASs. Account-level SASs work with specific storage services and resource types, while service SASs operate on instances of storage containers and objects. In the context of all storage, a container refers to a collection of items, not just blobs. SASs allow more accurate targeting of access permissions compare to account keys and service SASs more than account SASs. However, they all suffer from the same management problem. Once a key or SAS based on that key is given out, the only way to revoke access is to regenerate the storage account key, thereby invalidating all other SASs.
Creating a service SAS based on an access policy will enable you to revoke or disable the SAS if you no longer want it to have access to storage resources. Alternatively, user delegation is a way to use RBAC in conjunction with SAS. The permissions of a user-delegated SAS are the intersection of the SAS permissions and the storage account role assignments of the identity that created the SAS.
Azure file shares using the SMB protocol are a way to integrate Azure storage into an online VM or hybrid environment using Active Directory authentication. Depending on your requirements, i.e., on-premise, hybrid, etc., you can manage user access from Azure AD or using NTFS ACLs. Unlike blob containers that allow anonymous access, file shares can only be accessed by active directory users.
My name is Hallam Webber, and this has been an in-depth look at authentication and authorization in the context of Azure storage accounts. Until next time keep your blobs safe and secure.
Hallam is a software architect with over 20 years experience across a wide range of industries. He began his software career as a Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.