Securing Azure Storage Account

In this post, we will look at the options for securing an Azure storage account. I will describe them under two security controls:

  1. Network-level security
  2. Access Security

Storage Account Access Keys

Access Keys


Shared Access Signatures


Encryption

Azure Storage automatically encrypts data at rest with 256-bit AES encryption; data is encrypted on write and decrypted on read transparently. Storage encryption is enabled for all new and existing storage accounts and cannot be disabled, and it covers all storage account tiers and deployment models. Azure customers can either let Microsoft manage the encryption key for the storage account, or supply their own key and manage it with Azure Key Vault. Customer-managed keys can be configured using the Azure Portal, PowerShell, or the Azure CLI.

Create service endpoint

We can create Virtual Network service endpoints for our subnets.

There are two key components of Storage Account (SA) network access:
1. Virtual Network Service Endpoint
2. Storage Firewall

Virtual Network (VNet) Service Endpoints provide private connectivity between your VNets and SAs. Service Endpoints can be used for other services too; you can find more information in the Networking section.

Storage Firewalls provide network-level access controls and can be used independently or in conjunction with Service Endpoints. They allow or deny SA access based on IP addressing.

Key information:
– Storage Firewall rules apply to all network protocols (including REST and SMB).
– By default, Storage Accounts are accessible over the public Internet.
– Enabling the firewall creates a DEFAULT DENY rule that blocks all access to the Storage Account until rules are added.
– Whitelisted IP addresses and Exceptions can be enabled to grant access.
– Only public IP addresses can be added to network rules; VNets are used for granting private access.
– Exceptions can be enabled to grant access to Microsoft services and to common types of access (logging/metrics).

Created

If we check the effective routes of the NICs in our VNet, we can see that traffic from the NIC to our storage account is now routed internally over the Azure private network rather than the public Internet.

We can additionally create a service endpoint policy for more granular control over which storage accounts the subnet can reach.

Allow access to your storage account only from specific subnets within your subscription instead of allowing all networks.

Using the resource firewall to control access to the storage account

Enable the Soft Delete function

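As an added example that is not part of the original post, the service endpoint, storage firewall and soft-delete steps above expressed as Azure CLI commands. The resource group, VNet, subnet, account name and allowed public IP are placeholders passed in as arguments; it assumes those resources already exist.

```shell
#!/bin/sh
# Added example (not from the original post): Azure CLI equivalent of the
# portal steps. Assumes the resource group, VNet/subnet and storage account
# already exist and that ALLOWED_PUBLIC_IP is a public IP or CIDR.
set -eu

# harden_storage_account ACCOUNT RESOURCE_GROUP VNET SUBNET ALLOWED_PUBLIC_IP
harden_storage_account() {
  account=$1; rg=$2; vnet=$3; subnet=$4; allowed_ip=$5

  # 1. Turn on the Microsoft.Storage service endpoint on the subnet so
  #    traffic to the account stays on the Azure backbone.
  az network vnet subnet update \
    --resource-group "$rg" --vnet-name "$vnet" --name "$subnet" \
    --service-endpoints Microsoft.Storage

  # 2. Add the allow rules BEFORE switching to default Deny, so there is
  #    no window in which every client (including you) is locked out.
  #    Private access for the subnet via the service endpoint:
  az storage account network-rule add \
    --resource-group "$rg" --account-name "$account" \
    --vnet-name "$vnet" --subnet "$subnet"
  #    One public IP/CIDR (e.g. an admin egress address); private RFC 1918
  #    ranges are rejected by the service, as the post notes.
  az storage account network-rule add \
    --resource-group "$rg" --account-name "$account" \
    --ip-address "$allowed_ip"

  # 3. Enable the storage firewall. Default action Deny blocks everything
  #    not matched by a rule; bypass keeps the Logging/Metrics/AzureServices
  #    exceptions working.
  az storage account update \
    --resource-group "$rg" --name "$account" \
    --default-action Deny \
    --bypass Logging Metrics AzureServices

  # 4. Blob soft delete: deleted blobs and snapshots are retained for 14 days.
  az storage account blob-service-properties update \
    --resource-group "$rg" --account-name "$account" \
    --enable-delete-retention true --delete-retention-days 14
}

# Run only when all five arguments are supplied, so sourcing has no side effects.
if [ "$#" -eq 5 ]; then
  harden_storage_account "$@"
fi
```

Verify the result with `az storage account show --query networkRuleSet` and by confirming that a request from an address outside the rules is refused.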
