Azure Storage provides multilayered security to protect data, and it gives developers an abundance of options to keep their cloud data secure. Azure services like blob storage, file shares, table storage, and data lake stores all build on Azure Storage, and each adds its own security demands. In this Azure Storage tutorial, we will explain how to use access keys and other cloud security options to secure Azure Storage accounts.
Azure Storage accounts give a few significant security benefits to protect data in the cloud, including:
- Protects the information in storage
- Protects information being sent to storage
- Supports cross-domain program access
What are Azure Storage Account Keys?
Azure Storage accounts can use Azure Active Directory to authorize applications and control access to the data in blobs and queues. This authentication approach is the recommended one. Another approach is a shared key (shared secret), which works across the different storage models. This authentication alternative is one of the easiest to use, and it supports blobs, files, queues, and tables.
We will demonstrate this security method here. To begin, open the Azure Management Portal and go to Azure Storage Account, then click on Access Keys, as depicted in the following image:
Access Azure Storage Access Keys
Azure creates two keys for every storage account: primary and secondary. These are 512-bit storage access keys used to authenticate access to the storage account, and they grant access to everything in the account. Developers can find these storage account keys in the Azure Portal view of the storage account under Settings > Access Keys. See below:
Azure Storage Keys
Types of Azure Storage Access Control
Before going further, let’s briefly discuss a few types of access control methods Azure employs for storage accounts.
Role Based Access Control
To access data in a storage account, the customer makes a request over HTTP or HTTPS. Azure Active Directory and role-based access control (RBAC) are supported by Azure Storage for resource management and data operations.
Cross-origin Resource Sharing (CORS)
Cross-origin resource sharing (CORS) supports cross-domain access for Azure Storage. CORS uses HTTP headers to allow web applications at one domain to access information from a server in a different domain.
Azure Encryption
Data in a new storage account is encrypted with Microsoft-managed keys by default. You can continue to rely on Microsoft-managed keys for the encryption of your data, or you can manage encryption with your own keys, which is known as customer-managed keys:
Azure Storage Encryption
Setting up Shared Access Signatures in Azure Storage
Let’s continue. Navigate to your Azure Management Portal and go to Azure Storage Account, then click on Shared Access Signature.
Access keys provide complete access to the entire storage account. Using a Shared Access Signature (SAS), programmers can restrict access to individual storage services. Developers simply select the services that the SAS should grant access to; multiple services can be selected.
Azure Storage Share Access Signature
If you want to allow access by permission, you can grant permissions under the Allowed Permissions section:
The Allowed Permissions section lets developers assign different levels of access. For example, one developer can be limited to Read operations and another to Update operations.
Coders can also control storage access by specifying Start Date/Time and End Date/Time, as shown here:
Control Access based on Date and Time
You can further configure these Start and End Date/Times for a specific time zone.
If you want to control access by protocol (HTTP/HTTPS), you can disable plain HTTP requests by selecting the HTTPS only radio button:
Allowed Protocols
Finally, you can control Access by IP Address too:
Allowed IP Addresses
Once you configure all of the required settings and determine access levels, click on the Generate SAS button, which is available at the bottom of the page, to generate the SAS token:
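The portal hides what the Generate SAS button actually does with the settings above. The following Python, added here as an example and not code from the original article or from Microsoft's SDK, builds an account SAS token from the same fields (services, resource types, permissions, start/expiry, IP range, protocol) by signing them with the account key, and then verifies a token the way the service does. The account name, key and IP range are constructed demo values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed demo values (hypothetical account; the key is a 64-byte/512-bit value, base64
# encoded like a real access key). Never embed a real key in sample code.
DEMO_ACCOUNT = "examplestorageacct"
DEMO_KEY = base64.b64encode(bytes(range(64))).decode()
SAS_VERSION = "2019-12-12"  # field layout below applies to service versions before 2020-12-06

# Field names follow the SAS query parameters: sp (permissions), ss (services: b,q,t,f),
# srt (resource types: s,c,o), st/se (start/expiry), sip (IP range), spr (protocol), sv (version).
SIGNED_FIELDS = ("sp", "ss", "srt", "st", "se", "sip", "spr", "sv")

def account_sas_string_to_sign(account, params):
    """Account-SAS string-to-sign: account name, then each field in fixed order, newline-terminated."""
    values = [account] + [params.get(f, "") for f in SIGNED_FIELDS]
    return "\n".join(values) + "\n"

def sign(account_key_b64, string_to_sign):
    """HMAC-SHA256 over the UTF-8 string-to-sign, keyed with the base64-decoded access key."""
    key = base64.b64decode(account_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def generate_account_sas(account, account_key_b64, **params):
    """Return the SAS token query string, the same shape the portal's Generate SAS button produces."""
    params.setdefault("sv", SAS_VERSION)
    params["sig"] = sign(account_key_b64, account_sas_string_to_sign(account, params))
    return urlencode(params)

def verify_account_sas(account, account_key_b64, token):
    """Recompute the signature from the token's own fields, as the service does on every request."""
    # Any edit to the token (wider permissions, later expiry, removed IP range, added protocol)
    # changes the string-to-sign and fails verification: the token holder cannot widen it without the key.
    fields = {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}
    presented = fields.pop("sig", "")
    expected = sign(account_key_b64, account_sas_string_to_sign(account, fields))
    return hmac.compare_digest(presented, expected)

if __name__ == "__main__":
    token = generate_account_sas(DEMO_ACCOUNT, DEMO_KEY, sp="rl", ss="b", srt="sco",
                                 se="2030-01-01T00:00:00Z", spr="https",
                                 sip="203.0.113.0-203.0.113.255")
    print(token)
    print("valid:", verify_account_sas(DEMO_ACCOUNT, DEMO_KEY, token))
    print("tampered valid:", verify_account_sas(DEMO_ACCOUNT, DEMO_KEY, token.replace("sp=rl", "sp=rwdl")))
```

Because the signature is derived from the primary or secondary key, rotating that key in the portal invalidates every SAS that was signed with it, which is the lever to pull if a token leaks.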