Azure Storage Security
1. Management Plane Security
- The management plane involves operations that manage the storage account itself, not the stored data.
- Role-Based Access Control (RBAC) is the primary method for managing access:
  - RBAC allows assigning roles (like Owner, Contributor, or Reader) through Azure Active Directory (AAD) to control user access to resources in an Azure subscription.
- Key Points:
  - Assigning RBAC roles controls access to management operations, not the data.
  - Access to data requires either storage account keys or explicit permissions to the data objects.
  - Custom roles can be created with specific action permissions tailored to your security requirements.
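The point that an RBAC role governs management operations rather than data is easiest to see in a role definition itself. The following is an added example for these notes, not Microsoft's code: it builds a custom role in the JSON shape Azure accepts and audits it for the two routes by which a "management" role ends up granting data access (a DataActions entry, or an Actions pattern that covers listKeys and therefore hands out the account keys). The operation strings are the documented Azure resource-provider actions; the subscription id and role names are constructed placeholders.

```python
"""Custom RBAC role for storage management, with an audit of what it really grants.

Added example for these notes (not Microsoft's code). The operation strings are
the documented Azure resource-provider actions; the subscription id is a
constructed placeholder.
"""
import json
from fnmatch import fnmatch

# Management-plane operations: they control the account, not the bytes in it.
MGMT_ACCOUNT_READ = "Microsoft.Storage/storageAccounts/read"
MGMT_LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
# Data-plane operation: reads blob content. Belongs under DataActions, not Actions.
DATA_BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder


def build_custom_role(name, actions, data_actions=()):
    """Return a role definition in the JSON shape Azure expects for custom roles."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Constructed example role for storage account management",
        "Actions": list(actions),
        "NotActions": [],
        "DataActions": list(data_actions),
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{SUBSCRIPTION_ID}"],
    }


def audit_role(role):
    """List the ways this role reaches data rather than just management operations.

    A DataActions entry grants data-plane access directly. Any Actions pattern
    that covers listKeys (including wildcards such as 'Microsoft.Storage/*' or '*')
    lets the holder read the account keys, which give full access to every object
    in the account; NotActions can carve that back out.
    """
    findings = []
    for pattern in role["Actions"]:
        covers_keys = fnmatch(MGMT_LIST_KEYS, pattern)
        excluded = any(fnmatch(MGMT_LIST_KEYS, n) for n in role["NotActions"])
        if covers_keys and not excluded:
            findings.append(
                f"Actions pattern {pattern!r} covers listKeys: holders can read account keys"
            )
    for data_action in role["DataActions"]:
        findings.append(f"DataActions grants data-plane access: {data_action}")
    return findings


def role_json(role):
    """Serialise for `az role definition create --role-definition @role.json`."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    metadata_only = build_custom_role("Storage Account Metadata Reader", [MGMT_ACCOUNT_READ])
    key_reader = build_custom_role("Storage Account Operator", ["Microsoft.Storage/storageAccounts/*"])
    blob_reader = build_custom_role("Blob Reader", [MGMT_ACCOUNT_READ], [DATA_BLOB_READ])
    for role in (metadata_only, key_reader, blob_reader):
        print(role["Name"], "->", audit_role(role) or ["management-only; no data access"])
    print(role_json(metadata_only))
```

The wildcard case is the one that catches people: a role that looks like "read-only management" but contains `Microsoft.Storage/storageAccounts/*` includes the listKeys action, and whoever holds the keys has the same reach as the account owner on the data plane.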
2. Data Plane Security
- The data plane includes methods to secure data within the storage account, such as blobs, queues, tables, and files.
- Access Control Options:
  - Azure Active Directory (AAD): Provides secure access to containers and queues, avoiding hard-coded secrets.
  - Storage Account Keys: Provide comprehensive access to all data objects, granting high-level permissions.
  - Shared Access Signatures (SAS): Allow for granular, time-limited access to specific services (e.g., blobs, queues) with specific permissions (e.g., read, write, delete).
  - Public Access: Blobs can be publicly accessible if the container’s access level is set accordingly, which is useful for sharing non-sensitive data.
3. Encryption in Transit
- Ensures that data is securely transmitted when accessing Azure storage.
- HTTPS Encryption:
  - Always use HTTPS for REST APIs or accessing data to secure data in transit.
  - For SAS, specify that only HTTPS should be used.
- Azure File Shares:
  - SMB 1.0 does not support encryption, limiting access to the same region.
  - SMB 3.0 supports encryption, enabling secure cross-region access.
- Client-Side Encryption:
  - Encrypts data before sending it to Azure, where it remains encrypted in transit and is decrypted only on the client’s side upon retrieval.
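Two points above, that a SAS is a granular and time-limited grant (section 2) and that a SAS should be restricted to HTTPS (the `spr` field, this section), are both visible in how the token is minted. The following is an added example for these notes, not Microsoft's SDK: it signs a service SAS for one blob with HMAC-SHA256 over the documented string-to-sign layout for API version 2018-11-09, and then audits any SAS query string for the settings a reviewer would object to (usable over plain HTTP, no or distant expiry, write or delete permission). The account name, container, blob and key are constructed sample values.

```python
"""Mint a service SAS for one blob and audit a SAS token for weak settings.

Added example for these notes (not Microsoft's SDK). The string-to-sign layout
is the documented one for service SAS with API version 2018-11-09; the account
name, container, blob and key below are constructed sample values.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2018-11-09"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed demo key. A real account key is the base64 string shown in the portal.
DEMO_ACCOUNT_KEY = base64.b64encode(b"constructed-demo-key-not-for-real-use!!").decode()


def make_blob_sas(account, container, blob, account_key, permissions, start, expiry,
                  protocol="https"):
    """Return the query-string part of a service SAS for a single blob."""
    st, se = start.strftime(TIME_FMT), expiry.strftime(TIME_FMT)
    canonical = f"/blob/{account}/{container}/{blob}"
    string_to_sign = "\n".join([
        permissions, st, se, canonical,
        "",                   # signed identifier (stored access policy): none
        "",                   # signed IP range: none
        protocol,             # 'https' makes the service refuse the token over plain HTTP
        SAS_VERSION,
        "b",                  # signed resource: a single blob
        "",                   # snapshot time: none
        "", "", "", "", "",   # rscc, rscd, rsce, rscl, rsct response-header overrides
    ])
    digest = hmac.new(base64.b64decode(account_key), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return urlencode({
        "sv": SAS_VERSION, "sr": "b", "sp": permissions, "st": st, "se": se,
        "spr": protocol, "sig": base64.b64encode(digest).decode(),
    })


def audit_sas(token, now, max_lifetime=timedelta(hours=24)):
    """Flag properties a reviewer would not want to see on a token that gets shared."""
    q = {k: v[0] for k, v in parse_qs(token).items()}
    findings = []
    # When spr is absent the service accepts both schemes, so treat that as HTTP-capable.
    if "http" in q.get("spr", "https,http").split(","):
        findings.append("token is usable over plain HTTP (spr does not restrict to https)")
    if "se" not in q:
        findings.append("no expiry (se): token lives until the key is rotated")
    else:
        expiry = datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append("token already expired")
        elif expiry - now > max_lifetime:
            findings.append(f"expiry is {expiry - now} away; longer than {max_lifetime}")
    for flag, name in (("d", "delete"), ("w", "write")):
        if flag in q.get("sp", ""):
            findings.append(f"grants {name} permission")
    return findings


def example_tokens():
    """Constructed pair: a tight read-only token and a deliberately loose one."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    tight = make_blob_sas("mystorage", "reports", "q1.pdf", DEMO_ACCOUNT_KEY,
                          "r", now, now + timedelta(hours=1))
    loose = make_blob_sas("mystorage", "reports", "q1.pdf", DEMO_ACCOUNT_KEY,
                          "rwd", now, now + timedelta(days=365), protocol="https,http")
    return now, tight, loose


if __name__ == "__main__":
    now, tight, loose = example_tokens()
    print("tight:", audit_sas(tight, now) or ["no findings"])
    print("loose:", audit_sas(loose, now))
```

The audit treats a missing `spr` the same as `spr=https,http`, because that is the service default; a token only becomes HTTPS-only when the signer sets the protocol field explicitly, which is the "specify that only HTTPS should be used" advice above.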
4. Encryption at Rest
- Protects data at rest within Azure Storage.
- Client-Side Encryption:
  - Data is encrypted by the client before it is sent to Azure and decrypted on the client upon retrieval.
- Storage Service Encryption (SSE):
  - Default encryption method in Azure Storage for all data, automatically applied across all performance tiers and deployment models.
  - Data is encrypted in storage using Microsoft-managed keys or customer-provided keys.
- Azure Disk Encryption:
  - Encrypts both operating system and data disks on IaaS Virtual Machines, suitable for VMs with sensitive data.
  - Allows for customer-provided encryption keys and can be enabled on existing VMs.
5. Cross-Origin Resource Sharing (CORS)
- CORS settings define which domains can make requests to access resources from a different origin.
- Configuration:
  - Enable CORS in the Azure portal or PowerShell and specify allowed domains.
  - For example, if mystorage.blob.core.windows.net needs to be accessed from mywebsite.com, configure CORS to allow this domain.
- Authentication:
  - CORS only grants access but does not authenticate users. SAS tokens or other authentication mechanisms are still required to access non-public data.
- Default Setting:
  - CORS is disabled by default on all services, so manual configuration is required for cross-origin access.
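The mywebsite.com case above, as an added example for these notes rather than Microsoft's code: it builds the CORS rule set in the XML shape the Blob Service Properties REST payload uses, evaluates whether a given browser origin and method would pass those rules, and flags rules that open the account to any origin. The element names are the documented ones; the origins, methods and header names are constructed sample values. The evaluation function is deliberately separate from any credential check, since a matching CORS rule only lets the browser read the response; the request still needs a SAS token or other credential unless the container is public.

```python
"""Build CORS rules for a storage account's blob service and check them.

Added example for these notes (not Microsoft's code). The XML element names are
the ones the Blob Service Properties REST payload uses; the origins, methods and
header names are constructed sample values.
"""
import xml.etree.ElementTree as ET

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def build_cors_xml(rules):
    """Serialise CORS rules as a StorageServiceProperties document."""
    root = ET.Element("StorageServiceProperties")
    cors = ET.SubElement(root, "Cors")
    for rule in rules:
        node = ET.SubElement(cors, "CorsRule")
        ET.SubElement(node, "AllowedOrigins").text = ",".join(rule["origins"])
        ET.SubElement(node, "AllowedMethods").text = ",".join(rule["methods"])
        ET.SubElement(node, "MaxAgeInSeconds").text = str(rule.get("max_age", 0))
        ET.SubElement(node, "ExposedHeaders").text = ",".join(rule.get("exposed_headers", []))
        ET.SubElement(node, "AllowedHeaders").text = ",".join(rule.get("allowed_headers", []))
    return ET.tostring(root, encoding="unicode")


def origin_allowed(rules, origin, method):
    """Decide whether a browser at `origin` may send `method`; this is all CORS settles.

    True means the browser will hand the response to the page. It says nothing
    about whether the request is authenticated: that is the SAS token's job.
    """
    for rule in rules:
        methods = {m.upper() for m in rule["methods"]}
        origins = {o.lower() for o in rule["origins"]}
        if method.upper() in methods and ("*" in origins or origin.lower() in origins):
            return True
    return False


def audit_cors(rules):
    """Flag rules that admit any web origin, especially with mutating methods."""
    findings = []
    for i, rule in enumerate(rules):
        if "*" in rule["origins"]:
            mutating = sorted(m.upper() for m in rule["methods"] if m.upper() not in SAFE_METHODS)
            note = f" with mutating methods {mutating}" if mutating else ""
            findings.append(f"rule {i}: wildcard origin{note}")
    return findings


# Constructed rule set: only pages served from mywebsite.com may read blobs.
EXAMPLE_RULES = [
    {
        "origins": ["https://mywebsite.com"],
        "methods": ["GET", "HEAD"],
        "max_age": 3600,
        "allowed_headers": ["x-ms-blob-type"],
    },
]

if __name__ == "__main__":
    print(build_cors_xml(EXAMPLE_RULES))
    print(origin_allowed(EXAMPLE_RULES, "https://mywebsite.com", "GET"))   # True
    print(origin_allowed(EXAMPLE_RULES, "https://other.example", "GET"))   # False
    print(audit_cors([{"origins": ["*"], "methods": ["GET", "PUT"]}]))
```

Origins in CORS are scheme plus host, so `https://mywebsite.com` and `http://mywebsite.com` are different origins; the rule above admits only the HTTPS one.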