How to Secure Azure Storage Accounts

Azure Storage provides multilayered security to protect data. It gives developers an abundance of security options to ensure their cloud data is secure. Azure services like blob storage, file shares, table storage, and data lake stores all expand upon the offerings of Azure Storage and the security demands required. In this Azure storage tutorial, we will explain how to use access keys and other cloud security options to secure Azure Storage accounts.

Azure Storage accounts give a few significant security benefits to protect data in the cloud, including:

  • Protects the information in storage
  • Protects information being sent to storage
  • Supports cross-domain program access

Read: Introduction to Azure DevOps

What are Azure Storage Account Keys?

Azure Storage accounts can approve authorized apps like Active Directory to control access to the data in blobs and queues. This verification approach is recommended. Another approach could be a shared key or shared secret for different storage models. This authentication alternative is one of the easiest to use and it supports blobs, files, queues, and tables.

We will demonstrate this security method here. To begin, open the Azure Management Portal and go to Azure Storage Account, then click on Access Keys, as depicted in the following image:

Azure Access Keys Tutorial

Access Azure Storage Access Keys

In Azure Storage Accounts there are two keys that are created by Azure for storage accounts: primary and secondary. These two keys are 512-bit storage access keys that are used for authenticating access to Azure storage accounts. They give access to everything in the account. Developers can find these storage account keys in the Azure Portal view of the storage account from Settings > Access Keys. See below:

Examples of Azure Access Keys

Azure Storage Keys

Read: How to Access Azure Storage Account File Shares from .NET

Types of Azure Storage Access Control

Before going further, let’s briefly discuss a few types of access control methods Azure employees for storage accounts.

Role Based Access Control

To access data in a storage account, the customer makes a request over HTTP or HTTPS. Azure Active Directory and role-based access control (RBAC) are supported by Azure Storage for resource management and data operations.

Cross-origin Resource Sharing (CORS)

Cross-origin resource sharing (CORS) supports cross-domain access for Azure Storage. CORS uses HTTP headers allowing web applications at one domain to access information from a server of different domains.

Azure Encryption

Data in a new storage account is encrypted with Microsoft-managed keys by default. You can continue to rely on Microsoft-managed keys for the encryption of your data, or you can manage encryption with your own keys, which is known as customer-managed keys:

Azure Encryption

Azure Storage Encryption

Setting up Shared Access Signatures in Azure Storage

Let’s continue. Navigate to your Azure Management Portal and go to Azure Storage Account, then click on Shared Access Signature.

Access keys provide complete access to the entire storage account. Using Shared Access Signature (SAS), programmers can restrict access to individual storage services. Developers just need to select the required services that they would like to restrict access to using SAS. You can choose multiple services to restrict.

Azure storage share access

Azure Storage Share Access Signature

If you want to allow access by permissions, you can provide permissions based on the following, under the Allowed Permissions section:

The Allowed Permissions section allows developers to provide different permissions to different levels of access. You can have one developer work on all the items that have Read Operations and another to work on Update Operations.

Coders can also control storage access by specifying Start Date/Time and End Date/Time, as shown here:

Azure storage account permissions

Control Access based on Date and Time

You can further configure these Start and End Date/times based on time zone.

Azure storage access tutorial

If you want to control access by protocol (like HTTP/HTTPS), you can disable basic HTTP requests by checking the HTTPS only radio button:

azure storage access tutorials

Allowed Protocols

Finally, you can control Access by IP Address too:

Azure storage access by IP

Allowed IP Addresses

Once you configure all of the required settings and determine access levels, click on the Generate SAS button, which is available at the bottom of the page, to generate the SAS token:

Generating SAS Tokens in Azure

Read more Microsoft Azure tutorials and guides.

More by Author

Must Read