In this session, we'll break down security for Azure Storage end-to-end in a variety of scenarios. Resources from this session are detailed below, along with the link to the video on YouTube.
- YouTube Video
- Related Installments
- Related Articles and Tutorials
- Azure Cloud Shell transcript (from live session)
SPONSOR: Need to stop and start your development VMs on a schedule? The Azure Resource Scheduler lets you schedule up to 10 Azure VMs for FREE! Learn more HERE
Watch the video on YouTube at https://youtu.be/C8ZfsVp3qdQ
TO SUBSCRIBE: Click HERE to follow us on YouTube so you get a heads up on future videos!
A few areas of Azure Storage security we covered in this video include:
- Role based access control (RBAC)
- Access Keys
- Shared Access Signatures (SAS)
- Stored Access Policies
- Resource Firewall
- Storage log destinations
- Legal Hold
- Authentication for Azure Files
- Storage Access Key Rotation
You will find some additional code samples related to Azure Storage security in the articles below:
Day 89 - Options for Managing Access Security to Azure Storage
Day 24 - Azure Storage and Secrets in Infrastructure-as-Code (Part 3)
Day 23 - Azure Storage and Secrets in Infrastructure-as-Code (Part 2)
Day 22 - Azure Storage and Secrets in Infrastructure-as-Code (Part 1)
Here are a few articles on the Microsoft Docs site that are central to the Azure Storage security topics covered in this installment.
Authorizing access to data in Azure Storage
TUTORIAL: Set up Azure Key Vault with key rotation and auditing
Rotate storage account access keys with PowerShell
Manage storage account keys with Key Vault and the Azure CLI
Configure Azure AD authentication for Azure Storage
Overview of Azure Files identity-based authentication support for SMB access
Create SAS tokens and integrate with Azure Key Vault
Grant limited access to Azure Storage resources using shared access signatures (SAS)
Below is the Cloud Shell transcript from the Day 105 discussion.
```bash
# Create the resource group that will hold the storage account
az group create \
  --name next-100-days-str \
  --location westeurope

# Four random lowercase alphanumerics, so the globally unique storage account name does not collide
RANDOM_ALPHA=$(cat /proc/sys/kernel/random/uuid | tr -dc 'a-z0-9' | fold -w 4 | head -n 1)

# Create a general-purpose v2 storage account with locally redundant storage
az storage account create \
  --name "next100daysstr${RANDOM_ALPHA}" \
  --resource-group next-100-days-str \
  --location westeurope \
  --sku Standard_LRS \
  --kind StorageV2 \
  --output table

# List both access keys (key1 and key2) for the account
az storage account keys list \
  --account-name "next100daysstr${RANDOM_ALPHA}" \
  --resource-group next-100-days-str

# Print only the value of key1 (the JMESPath query is quoted so the shell does not glob it)
az storage account keys list \
  --account-name "next100daysstr${RANDOM_ALPHA}" \
  --resource-group next-100-days-str \
  --query "[0].value" \
  --output tsv

# Print only the value of key2
az storage account keys list \
  --account-name "next100daysstr${RANDOM_ALPHA}" \
  --resource-group next-100-days-str \
  --query "[1].value" \
  --output tsv

# Capture key2 in a shell variable for later use (e.g. generating a SAS)
KEY_VAL=$(az storage account keys list --account-name "next100daysstr${RANDOM_ALPHA}" --resource-group next-100-days-str --query "[1].value" --output tsv)
```
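As an added illustration that is not part of the original session, the Python below shows what the access key listed above is actually used for: it is the HMAC key that signs a service SAS for a blob (field layout as documented for API version 2018-11-09), which is why regenerating a key invalidates every SAS that key signed. The account name, container, blob and keys are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample keys (not real Azure keys): 64 random bytes, base64-encoded,
# is the shape of the values `az storage account keys list` prints.
SAMPLE_KEY_1 = base64.b64encode(b"\x01" * 64).decode()
SAMPLE_KEY_2 = base64.b64encode(b"\x02" * 64).decode()

def blob_sas_string_to_sign(account, container, blob, permissions, start, expiry,
                            identifier="", version="2018-11-09"):
    """Service SAS string-to-sign for a blob, in the 2018-11-09 field layout."""
    canonicalized_resource = f"/blob/{account}/{container}/{blob}"
    fields = [
        permissions, start, expiry, canonicalized_resource,
        identifier,          # signedIdentifier: stored access policy name, if any
        "",                  # signedIP: no IP restriction
        "https",             # signedProtocol
        version,             # signedVersion
        "b",                 # signedResource: a single blob
        "",                  # signedSnapshotTime
        "", "", "", "", "",  # rscc, rscd, rsce, rscl, rsct response-header overrides
    ]
    return "\n".join(fields)

def sign(account_key_b64, string_to_sign):
    """HMAC-SHA256 over the string-to-sign, keyed with the decoded account key."""
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def verify(account_keys, string_to_sign, signature):
    """A SAS is accepted if it validates under either of the account's current keys."""
    return any(hmac.compare_digest(sign(k, string_to_sign), signature)
               for k in account_keys)

def rotation_demo():
    """Returns (SAS valid before regenerating key1, SAS valid after regenerating key1)."""
    sts = blob_sas_string_to_sign("next100daysstrab12", "logs", "day105.txt", "r",
                                  "2020-01-01T00:00:00Z", "2020-01-02T00:00:00Z")
    sas_sig = sign(SAMPLE_KEY_1, sts)
    before = verify([SAMPLE_KEY_1, SAMPLE_KEY_2], sts, sas_sig)
    new_key_1 = base64.b64encode(b"\x03" * 64).decode()   # result of regenerating key1
    after = verify([new_key_1, SAMPLE_KEY_2], sts, sas_sig)
    return before, after
```

Mint real tokens with `az storage blob generate-sas` or the SDK; the `identifier` field is where a stored access policy name goes, which is what lets you revoke a SAS without rotating the key.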
This has been a deep dive into securing Azure Storage. If you haven't tried these yet, work through the code samples provided here to get some hands-on practice.