Cloud storage accounts are a vital component of any cloud computing strategy. With cloud storage, you can easily store and manage important data related to your resources, including databases, website content, backups, and more. In this blog post, we’ll explore the security features of Azure storage accounts, including the different types of authentication supported and when to use them. We’ll also provide a detailed guide on how to secure your storage account using various authentication methods. Our focus will be on storage accounts, blobs within a storage account, and Azure File Storage. By the end of this post, you’ll have a better understanding of how to keep your cloud storage secure and protected.
Storage authentication types:
Azure storage accounts offer several authentication methods, including SAS, Azure Storage keys, and Azure Active Directory.
SAS, Shared Access Signature:
Sharing content from your Azure storage account or specific services within it, such as Azure File Shares, Blobs, Tables, and Queues, is easy and secure. You can grant specific access permissions per service using a Shared Access Signature (SAS) URL. With a SAS, you can provide a customer with temporary access with specific permissions, such as Read, Create, Write, or Delete access. Simply define a start and expiry time for the SAS, and you’re ready to generate the SAS token and URL. This is an ideal way to provide one-time access to a customer who doesn’t require permanent access to your storage account. Once you’ve generated the blob SAS token and URL, you can share it with anyone who needs to access that specific blob.
Azure Storage Keys:
Your Azure Storage Account Name and key are like the password to your storage account, granting read, write, and delete permissions to all its services. Therefore, it’s crucial to keep them secure and not share them with anyone. Implement a key rotation policy to ensure your account remains secure. This type of authentication provides access to all services within a storage account, including Containers, Azure File Shares, Queues, and Tables. To locate your Storage account key via the Azure Portal:
Azure Active Directory:
Currently, authentication via Azure Active Directory (AAD) supports storage accounts, but only Azure Blobs and Queues are currently supported. To use Azure Files, AAD DS must be enabled. The screenshot below illustrates how to grant access to a user with specific access roles: