Security for Storage

Explore the methods used for securing storage resources in Azure.

Every request made against a resource in Blob, File, Queue, or Table storage must be authorized. Securing storage resources means that they are reachable only when we intend them to be, and only by the users or applications to which we have chosen to grant access. Let’s discuss the measures we can take to secure the storage resources in Azure.

Access control for storage accounts

A storage account provides the following options for implementing access control:

  • Integration with Microsoft Entra ID: Azure Storage integrates with Microsoft Entra ID so that requests made to the Blob and Queue services can be authorized on the basis of the caller’s identity. Using Azure role-based access control (RBAC), we can grant users, groups, or applications permission to blob and queue resources, scoped as narrowly as an individual container or queue. Because the request is authorized with the caller’s Entra ID token rather than with a shared key, our application code no longer needs to store the account access key. Shared key authorization still works for blob and queue applications, but Microsoft recommends Entra ID authorization instead. For Azure Files, identity-based authorization over Server Message Block (SMB) is available through Microsoft Entra Domain Services; combined with RBAC, this gives us granular control over a client’s access to the Azure Files resources within a storage account.

Default Microsoft Entra ID authorization for storage account
  • Anonymous access to containers and blobs: We can enable anonymous, public read access to a container and its blobs. This lets anyone read those resources without our disclosing the account key or issuing a shared access signature (SAS) to the recipient. Granting public read access is the right choice only when specific blobs should always be readable by anyone; it also requires that anonymous access be allowed at the storage account level, and Microsoft recommends leaving that setting disabled unless it is genuinely needed. Where more granular or time-limited control is wanted, a shared access signature is the better tool.
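The two options above, together with the account-level defaults shown in the figure, all surface as properties on the storage account. The following is an added example (not code from the course) that audits those properties from the camelCase JSON that `az storage account show` returns. The account name and all values are constructed for the example, with the weak configuration placed beside its hardened counterpart:

```python
"""Audit an Azure Storage account's hardening settings. Added example, not the
course's code: it checks the camelCase properties that `az storage account
show` returns, run here on constructed JSON rather than a live account."""
import json

# Constructed sample modelled on `az storage account show` output, with
# deliberately weak values (invented account name, not a real account).
WEAK_ACCOUNT_JSON = """
{
  "name": "examplestorage01",
  "allowBlobPublicAccess": true,
  "allowSharedKeyAccess": true,
  "defaultToOAuthAuthentication": false,
  "minimumTlsVersion": "TLS1_0",
  "enableHttpsTrafficOnly": true,
  "publicNetworkAccess": "Enabled"
}
"""

# The same account after hardening: Entra ID is the default and only
# authorization path, no anonymous reads, TLS 1.2+, no public network path.
HARDENED_ACCOUNT_JSON = """
{
  "name": "examplestorage01",
  "allowBlobPublicAccess": false,
  "allowSharedKeyAccess": false,
  "defaultToOAuthAuthentication": true,
  "minimumTlsVersion": "TLS1_2",
  "enableHttpsTrafficOnly": true,
  "publicNetworkAccess": "Disabled"
}
"""

# (property, predicate that is True when the value is acceptable, finding text)
CHECKS = [
    ("allowBlobPublicAccess", lambda v: v is False,
     "anonymous (public) blob access is allowed at the account level"),
    ("allowSharedKeyAccess", lambda v: v is False,
     "shared key authorization is enabled; anyone holding a key has full data-plane access"),
    ("defaultToOAuthAuthentication", lambda v: v is True,
     "portal and tooling default to the account key instead of Entra ID"),
    ("minimumTlsVersion", lambda v: v in ("TLS1_2", "TLS1_3"),
     "TLS versions below 1.2 are accepted"),
    ("enableHttpsTrafficOnly", lambda v: v is True,
     "plaintext HTTP requests are accepted"),
    ("publicNetworkAccess", lambda v: v == "Disabled",
     "account is reachable from any network; consider private endpoints"),
]


def audit_storage_account(account_json: str) -> list[str]:
    """Return one finding per weak (or missing) setting; [] means hardened."""
    acct = json.loads(account_json)
    findings = []
    for prop, acceptable, message in CHECKS:
        value = acct.get(prop)          # a missing property is treated as weak
        if not acceptable(value):
            findings.append(f"{prop}={value!r}: {message}")
    return findings


if __name__ == "__main__":
    for line in audit_storage_account(WEAK_ACCOUNT_JSON) or ["no findings"]:
        print(line)
```

Run against the weak sample, the audit reports five findings (only `enableHttpsTrafficOnly` passes); the hardened sample reports none. For a real account, feed the output of `az storage account show` into `audit_storage_account`. Treating a missing property as a finding is deliberate: an absent setting is a setting we have not consciously hardened.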

SAS tokens

A shared access signature (SAS) is a special token that grants limited access permissions to specific Azure Storage resources. It’s particularly useful when we need to delegate access to certain resources without sharing our storage account keys, which should be kept confidential. By generating a SAS and providing it to trusted clients, we can control their access to resources for a predefined period and with specific permissions. The SAS token, embedded within a URI, contains all the necessary information for granting restricted access. Clients equipped with the SAS and the associated URI can then perform operations on Azure ...
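To make the mechanics concrete, here is an added example (not code from the course, and not the Azure SDK) that builds a read-only blob service SAS and then checks it the way the service does. It follows the documented string-to-sign layout for SAS version 2020-12-06; the account name, container, blob, and the 64-byte account key are all constructed for the example. The point it demonstrates is that the signature binds every field of the token to the account key, so any edit to the permissions, expiry, or target resource is rejected, while anyone holding the key can mint a valid SAS for anything:

```python
"""Build and locally verify a Blob service SAS. Added example, not code from
the course page; it follows the documented string-to-sign for SAS version
2020-12-06 and runs here against a constructed (fake) account key."""
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote

SAS_VERSION = "2020-12-06"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed 64-byte key, base64-encoded like a real account key (NOT a real key).
DEMO_ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()
DEMO_EXPIRY = datetime(2030, 1, 1, tzinfo=timezone.utc)
DEMO_NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)     # inside the validity window
DEMO_LATE = datetime(2031, 1, 1, tzinfo=timezone.utc)    # after expiry


def _string_to_sign(account, container, blob, sp, st, se, spr):
    """Service-SAS string-to-sign for a single blob (sr=b); unused fields stay empty."""
    canonicalized_resource = f"/blob/{account}/{container}/{blob}"
    return "\n".join([
        sp, st, se, canonicalized_resource,
        "",                    # si: stored access policy identifier
        "",                    # sip: permitted IP range
        spr,                   # spr: protocol
        SAS_VERSION,           # sv
        "b",                   # sr: resource type (blob)
        "",                    # snapshot time
        "",                    # ses: encryption scope
        "", "", "", "", "",    # rscc, rscd, rsce, rscl, rsct response-header overrides
    ])


def _sign(account_key_b64, string_to_sign):
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_blob_sas(account, account_key_b64, container, blob, permissions, expiry, start=None):
    """Return the SAS query string (append it after '?' on the blob URL)."""
    st = start.strftime(TIME_FMT) if start else ""
    se = expiry.strftime(TIME_FMT)
    sig = _sign(account_key_b64,
                _string_to_sign(account, container, blob, permissions, st, se, "https"))
    fields = [("sv", SAS_VERSION), ("sr", "b"), ("sp", permissions)]
    if st:
        fields.append(("st", st))
    fields += [("se", se), ("spr", "https"), ("sig", sig)]
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in fields)


def validate_blob_sas(sas, account, account_key_b64, container, blob, needed, now=None):
    """Mimic the service-side check. Returns 'ok' or the reason for rejection."""
    q = {k: v[0] for k, v in parse_qs(sas, keep_blank_values=True).items()}
    if q.get("sv") != SAS_VERSION or q.get("sr") != "b":
        return "unsupported version or resource type"
    if not q.get("se"):
        return "missing expiry"
    expected = _sign(account_key_b64, _string_to_sign(
        account, container, blob, q.get("sp", ""), q.get("st", ""), q["se"], q.get("spr", "")))
    if not hmac.compare_digest(expected, q.get("sig", "")):
        return "bad signature"      # any edit to sp/st/se/resource ends up here
    now = now or datetime.now(timezone.utc)
    expiry = datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if now >= expiry:
        return "expired"
    if q.get("st"):
        start = datetime.strptime(q["st"], TIME_FMT).replace(tzinfo=timezone.utc)
        if now < start:
            return "not yet valid"
    if needed not in q.get("sp", ""):
        return "permission denied"
    return "ok"


def demo():
    """Issue one read-only SAS and exercise the validator against misuse."""
    acct, cont, blob = "examplestorage01", "reports", "q3.pdf"   # constructed names
    sas = build_blob_sas(acct, DEMO_ACCOUNT_KEY, cont, blob, "r", DEMO_EXPIRY)
    tampered = sas.replace("sp=r&", "sp=rw&")                     # client upgrades itself to write
    forged = build_blob_sas(acct, base64.b64encode(bytes(64)).decode(), cont, blob, "r", DEMO_EXPIRY)
    check = lambda token, target, perm, when: validate_blob_sas(
        token, acct, DEMO_ACCOUNT_KEY, cont, target, perm, now=when)
    return {
        "read_ok": check(sas, blob, "r", DEMO_NOW),
        "write_denied": check(sas, blob, "w", DEMO_NOW),
        "tampered": check(tampered, blob, "w", DEMO_NOW),
        "other_blob": check(sas, "other.pdf", "r", DEMO_NOW),
        "wrong_key": check(forged, blob, "r", DEMO_NOW),
        "expired": check(sas, blob, "r", DEMO_LATE),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13s} {result}")
```

Two practical consequences follow from the code. First, because the service recomputes the HMAC from the request's own fields, a SAS cannot be extended, widened, or pointed at another blob after issuance; only a fresh token signed with the key can do that. Second, the key is the only secret in the scheme: whoever obtains it can forge a SAS with any permissions and any expiry, which is why keeping account keys confidential matters as much as scoping the tokens themselves.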