In this post, we will look into the options for securing an Azure storage account. I will describe security under two groups of controls:
- Network-level security
- Access security
  - Storage Account Access Keys
  - Shared Access Signatures
Azure Storage automatically encrypts your data with 256-bit AES
encryption. Data in Azure Storage is encrypted and decrypted
Azure Storage encryption is enabled for all new and existing storage
accounts and cannot be disabled.
All Azure Storage account tiers and deployment models are
Azure customers can choose to let Microsoft manage the encryption key
for a storage account, or we can provide our own key and manage it
using Azure Key Vault.
Customer-managed keys can be configured using the Azure Portal,
PowerShell, and the Azure CLI.
Create service endpoint
We can create Virtual Network service endpoints for our subnets.
There are two key components of Storage Account (SA) network access:
1. Virtual Network Service Endpoint
2. Storage Firewall
Virtual Network (VNet) Service Endpoints are responsible for private connectivity between your VNets and
SAs. Service Endpoints can be used for other services – you can find more information in the Networking
Storage Firewalls provide network-level access controls and can be used independently, or in conjunction
with Service Endpoints. They provide the ability to allow and deny SA access based on IP addressing.
– Storage Firewall rules apply to all network protocols (including REST and SMB).
– By default, Storage Accounts are accessed over the public Internet.
– Enabling the firewall creates a DEFAULT DENY rule which will block all access to a Storage Account.
– Whitelisted IP addresses and Exceptions can be enabled to grant access.
– Only Public IP addresses can be added to network rules; VNets can be used for granting private access.
– Exceptions can be enabled to grant Microsoft services and common types of access (logging/metrics).
We can additionally create a service endpoint policy for more granular control.
Allow only specific subnets within your subscription to reach your storage account, instead of granting access to all networks.
Using resource firewall to control access to the storage account
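As an added example (not code from the original post), the check below reviews a storage account's firewall settings against the points above: default deny, public-only IP rules, VNet rules backed by a service endpoint, and the Microsoft-services exception. It reads the `networkRuleSet` object in the shape `az storage account show` returns; the sample rule set, the `<sub-id>` placeholder and the private-range list are constructed assumptions.

```python
import ipaddress

# Private/non-routable space: not accepted as IP rules, grant it via VNet rules instead.
NON_PUBLIC_RANGES = [ipaddress.ip_network(r) for r in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample in the shape of the ``networkRuleSet`` object returned by
# ``az storage account show`` (not real output; <sub-id> is a placeholder).
SAMPLE_RULE_SET = {
    "defaultAction": "Deny",
    "bypass": "AzureServices, Logging, Metrics",
    "ipRules": [
        {"ipAddressOrRange": "203.0.113.10", "action": "Allow"},  # public address: valid
        {"ipAddressOrRange": "10.0.0.0/8", "action": "Allow"},    # private range: belongs in a VNet rule
    ],
    "virtualNetworkRules": [
        {"virtualNetworkResourceId": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/"
                                     "Microsoft.Network/virtualNetworks/vnet1/subnets/app",
         "action": "Allow", "state": "Failed"},
    ],
}

def audit_network_rule_set(rule_set: dict) -> list[str]:
    """Return findings for one network rule set; an empty list means it looks sound."""
    findings = []
    ip_rules = rule_set.get("ipRules") or []
    vnet_rules = rule_set.get("virtualNetworkRules") or []
    bypass = {b.strip() for b in rule_set.get("bypass", "None").split(",")} - {"", "None"}
    # 1. The firewall only restricts anything once the default action is Deny.
    if rule_set.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: the account is reachable from any network")
    # 2. IP rules must name public addresses; private space is granted through VNet rules.
    for rule in ip_rules:
        net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        if any(net.overlaps(r) for r in NON_PUBLIC_RANGES):
            findings.append(f"ipRule {net} covers private address space; use a VNet rule instead")
    # 3. A VNet rule is only effective once the subnet has the Microsoft.Storage service endpoint.
    for rule in vnet_rules:
        if rule.get("state") != "Succeeded":
            subnet = rule["virtualNetworkResourceId"].rsplit("/", 1)[-1]
            findings.append(f"vnet rule for subnet '{subnet}' is in state {rule.get('state')}; "
                            "check the Microsoft.Storage service endpoint on that subnet")
    # 4. The AzureServices exception lets trusted Microsoft services skip the firewall.
    if "AzureServices" in bypass:
        findings.append("bypass includes AzureServices: trusted Microsoft services skip the firewall")
    # 5. Deny with no allow path at all blocks everyone, administrators included.
    if rule_set.get("defaultAction") == "Deny" and not (ip_rules or vnet_rules or bypass):
        findings.append("defaultAction Deny with no rules or exceptions: all access is blocked")
    return findings
```

Run it over the JSON of each account in a subscription and treat any non-empty result as a review item.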
Enable Soft Delete function