Having a storage account in the cloud is one of the essential pieces of the cloud puzzle. You can store specific data pertaining to your resources, such as databases, website content, backups or any other type of data. In this blog post, we’ll discuss the security facet of Azure storage accounts, specifically the supported authentication types and when to use them, and then we’ll dive into how to properly secure a storage account through the different authentication methods. We’ll be focusing on storage accounts, then blobs within a storage account and Azure File Storage.
Storage authentication types: Azure storage accounts support multiple ways of authentication: SAS, Azure Storage keys and Azure Active Directory.
SAS, Shared Access Signature: allows you to share the content of a storage account, or specific services within it (Azure File Shares, Blobs, Tables, Queues), with specific access permissions per service.
You can provide a customer with a SAS URL carrying specific access (Read, Create, Write or Delete), and a SAS always has to have a set expiry time. In the example below we generate a SAS for a blob (a picture): you have to define a Start and Expiry time for the SAS, which makes this a very suitable way to provide one-time access to a customer who does not need permanent access to your storage account. Once ready, hit Generate blob SAS token and URL, and you can share it with whomever you want to access that blob.
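As an added example (not code from the original post), here is a small audit routine for blob SAS URLs that checks the points just discussed before a link is handed out: a bounded expiry, read-only permissions, https only, an IP restriction and single-blob scope. The account name, blob path, signature value and the 24-hour lifetime limit are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed policy limit for how long a shared SAS may stay valid (adjust to your own).
MAX_LIFETIME = timedelta(hours=24)

def _parse_sas_time(value: str) -> datetime:
    """SAS times are ISO 8601 UTC ('2024-05-01T12:00:00Z' or just '2024-05-01')."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def audit_sas_url(url: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of findings; an empty list means the SAS passes every check."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "https":
        findings.append("URL is not https")
    if "sig" not in params or "se" not in params:
        return findings + ["not a SAS URL: missing 'sig' or 'se'"]
    expiry = _parse_sas_time(params["se"])
    if expiry <= now:
        findings.append("SAS has already expired")
    elif expiry - now > MAX_LIFETIME:
        findings.append(f"SAS valid for more than {MAX_LIFETIME}")
    extra = set(params.get("sp", "")) - {"r"}          # sp = signed permissions
    if extra:
        findings.append("permissions beyond read: " + "".join(sorted(extra)))
    if params.get("spr") != "https":                   # spr = signed protocol
        findings.append("spr does not restrict the SAS to https")
    if "sip" not in params:                            # sip = signed IP range
        findings.append("no sip parameter: usable from any IP address")
    if params.get("sr") != "b":                        # sr = signed resource (b = blob)
        findings.append(f"scope wider than a single blob: sr={params.get('sr')}")
    return findings

# Constructed sample URLs (placeholder account, blob and signature).
AUDIT_TIME = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
READ_ONLY_SAS = ("https://examplestorage.blob.core.windows.net/pictures/photo.jpg"
                 "?sp=r&st=2024-05-01T08:00:00Z&se=2024-05-01T12:00:00Z"
                 "&spr=https&sv=2022-11-02&sr=b&sig=PLACEHOLDER_SIGNATURE")
OVERBROAD_SAS = ("http://examplestorage.blob.core.windows.net/pictures"
                 "?sp=rcwdl&se=2024-06-01&sv=2022-11-02&sr=c&sig=PLACEHOLDER_SIGNATURE")

if __name__ == "__main__":
    for name, sas in (("read-only", READ_ONLY_SAS), ("overbroad", OVERBROAD_SAS)):
        print(name, audit_sas_url(sas, AUDIT_TIME) or ["ok"])
```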
Azure Storage Keys: the Azure Storage account name and key is a crucial credential which must not be compromised or shared. Think of it as the password to your storage account, with read, write and delete permissions to all the services in the storage account; it must be properly secured, and a key rotation policy must be in place to secure your account.
This type of authentication also grants full access to all the services within a storage account: Containers, Azure File Shares, Queues and Tables. This is where you can locate your storage account key via the Portal:
Azure Active Directory: authentication via Azure AD currently supports storage accounts, however only Azure Blobs and Queues are supported. Azure Files works only with AAD DS enabled. The screenshot below shows how to provide access to a user, with specific Access roles:
Azure Storage Firewall: Azure Storage Firewall is one of the best ways to restrict access to your storage accounts based on specific IP addresses or an IP address range. The only downside at the moment is that not all MS Azure services are supported yet, so you might run into services that are unable to access the storage account from within Azure. Below is a screenshot from the portal showing how to enable the Storage Account firewall: