In this lab, we will explore storage security configurations.
Task 1: Generate SAS tokens
Note: This demonstration requires a storage account with a blob container and an uploaded file. For the best results, upload a PNG or JPEG file, since the browser will render it directly when you test the SAS URL.
In this task, we will generate and test a Shared Access Signature.
- Open the Azure portal.
- Navigate to your Storage Account.
- Under Settings select Access keys.
- Explain how storage account access keys can be used: each key grants full access to all data in the account (Shared Key authorization), so anyone holding a key can read, write and mint SAS tokens. Review regenerating keys.
- Under Settings select Shared access signature.
- Explain how an account-level SAS can be used. Review the configuration settings, including Allowed services, Allowed resource types, Allowed permissions, Start and expiry date/time, and the Signing key (key1 or key2) used to sign the token.
- Back at the Storage Account page, under Blob service select Containers.
- Open the container, then right-click the blob that you want to share and select Generate SAS.
- Click Generate SAS token and URL.
- Copy the Blob SAS URL. There is a clipboard icon on the far right of the text box.
- Paste the URL into a browser; the file should display. Point out that anyone holding this URL can read the blob until the SAS expires or the signing key is regenerated.
Task 2: Key Rollover
Note: Always use the latest version of Azure Storage Explorer.
In this task, we will use Storage Explorer to test key rollover.
- Download and install Azure Storage Explorer - https://azure.microsoft.com/en-us/features/storageexplorer/
- After the installation, launch the tool.
- Review the Release Notes and menu options.
- If this is the first time using the tool, you will need to sign in with your Azure credentials.
- After you have been authenticated you can select the subscriptions of interest. Explain that Storage Explorer can also be used with local and attached accounts.
- Right-click Storage Accounts and select Connect to Azure storage. Discuss the various connection options.
- Select Use a storage account name and key.
- In the portal select your storage account.
- Under Settings select Access keys. Retrieve the Storage account name and the key1 value.
- In Storage Explorer, provide the account and key information then click Connect.
- Verify that you can browse your storage account content.
- In the portal, return to your storage account.
- Under Settings select Access Keys.
- Next to key1, click the Regenerate icon.
- Acknowledge the message that the current key will become immediately invalid and cannot be recovered. Any SAS tokens signed with that key also stop working at the same moment.
- In Storage Explorer refresh the storage account.
- You should receive an error that the server failed to authenticate the request.
- Reconnect using the new key1 value (key2 is unaffected, which is why the two keys are rotated one at a time) so you can continue with the demonstration.
Task 3: Storage Access Policies
In this task, we will create a blob storage access policy.
- In the Portal, navigate to your Blob container.
- Under Settings, select Access Policy.
- Review the two policy types on this blade: Stored access policies and Blob immutable storage.
- Under Stored access policies click Add policy.
- Create a policy with Read and List permissions that is usable only for a restricted period of time. Explain that a SAS tied to a stored access policy can be revoked by modifying or deleting the policy, without regenerating an account key.
- Under Blob immutable storage click Add policy.
- Review the two policy types: Time-based retention and Legal hold.
- Create a policy based on time-based retention.
- Be sure to Save your changes.
- In Storage Explorer, right-click your container and select Get shared access signature.
- Notice that the Access Policy drop-down lets you create the SAS based on a pre-defined configuration.
- Time permitting, show how Storage Explorer can be used to perform other security tasks.
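Tasks 1 to 3 all turn on one mechanism: a SAS is an HMAC-SHA256 signature over a fixed string-to-sign, keyed with one of the account's access keys, and the service recomputes that signature on every request. The Python example below is added for this page; it is not Microsoft's code and does not talk to Azure. It mints a blob SAS, models the service-side check, and shows why regenerating key1 immediately invalidates every SAS signed with it (Task 2) while a SAS that only names a stored access policy can be revoked by deleting the policy (Task 3). The account name, container, blob, key values and policy name are constructed; the string-to-sign layout is the documented one for service version 2018-11-09 (later versions insert fields after signedSnapshotTime); and `check_sas` is a simplified model of what the service does, not its implementation.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed lab values: not a real account, container, blob or key.
ACCOUNT = "labstorage01"
CONTAINER = "images"
BLOB = "photo.png"
SAS_VERSION = "2018-11-09"   # the string-to-sign layout below is the documented one for this version
FMT = "%Y-%m-%dT%H:%M:%SZ"


def new_account_key() -> str:
    """Stand-in for the portal's Regenerate button: a fresh 512-bit key, base64 as the portal shows it."""
    return base64.b64encode(secrets.token_bytes(64)).decode()


def _sign(key_b64: str, string_to_sign: str) -> str:
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def _string_to_sign(sp: str, st: str, se: str, si: str) -> str:
    # Service SAS string-to-sign (2018-11-09): every field is present; empty fields still add a newline.
    return "\n".join([
        sp, st, se,
        f"/blob/{ACCOUNT}/{CONTAINER}/{BLOB}",  # canonicalizedResource
        si,             # signedIdentifier: name of a stored access policy, or empty
        "",             # signedIP
        "https",        # signedProtocol
        SAS_VERSION,    # signedVersion
        "b",            # signedResource: a single blob
        "",             # signedSnapshotTime
        "", "", "", "", "",   # rscc, rscd, rsce, rscl, rsct (response-header overrides)
    ])


def blob_sas(key_b64: str, permissions: str = "", start: Optional[datetime] = None,
             expiry: Optional[datetime] = None, policy_id: str = "") -> str:
    """Mint the query string of a blob SAS. Anyone holding an account key can do this offline."""
    st = start.strftime(FMT) if start else ""
    se = expiry.strftime(FMT) if expiry else ""
    params = {"sv": SAS_VERSION, "sr": "b", "spr": "https"}
    for name, value in (("sp", permissions), ("st", st), ("se", se), ("si", policy_id)):
        if value:
            params[name] = value
    params["sig"] = _sign(key_b64, _string_to_sign(permissions, st, se, policy_id))
    return urlencode(params)


def check_sas(query: str, account_keys: List[str], policies: Dict[str, Dict[str, str]],
              now: datetime) -> Tuple[bool, str]:
    """Toy model of the service-side check (not Azure's code): recompute the signature with each
    current key, then apply the stored access policy the SAS names. Returns (allowed, permissions or reason)."""
    q = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    sp, st, se, si = (q.get(k, "") for k in ("sp", "st", "se", "si"))
    expected = _string_to_sign(sp, st, se, si)
    if not any(hmac.compare_digest(_sign(k, expected), q.get("sig", "")) for k in account_keys):
        return False, "server failed to authenticate the request"  # the error Storage Explorer reports
    if si:
        policy = policies.get(si)
        if policy is None:
            return False, f"stored access policy {si!r} not found (deleted or never created)"
        # A field may come from the SAS or from the policy, never from both.
        for name, value in (("permissions", sp), ("start", st), ("expiry", se)):
            if value and policy.get(name):
                return False, f"{name} specified in both the SAS and the policy"
        sp = sp or policy.get("permissions", "")
        st = st or policy.get("start", "")
        se = se or policy.get("expiry", "")
    if st and now < datetime.strptime(st, FMT).replace(tzinfo=timezone.utc):
        return False, "SAS not yet valid"
    if not se or now >= datetime.strptime(se, FMT).replace(tzinfo=timezone.utc):
        return False, "SAS expired (or has no expiry)"
    return True, sp


def lab_walkthrough() -> Dict[str, Tuple[bool, str]]:
    """Task 1 (mint a blob SAS), Task 2 (key rollover) and Task 3 (stored access policy), offline."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    key1, key2 = new_account_key(), new_account_key()
    results = {}
    # Task 1: a read-only SAS signed with key1, valid for one hour
    sas = blob_sas(key1, "r", expiry=now + timedelta(hours=1))
    results["task1_valid"] = check_sas(sas, [key1, key2], {}, now)
    results["task1_expired"] = check_sas(sas, [key1, key2], {}, now + timedelta(hours=2))
    # Task 2: regenerate key1. key2 is untouched, but every SAS signed with the old key1 dies.
    key1 = new_account_key()
    results["task2_after_rollover"] = check_sas(sas, [key1, key2], {}, now)
    # Task 3: a SAS that only names a stored access policy (constructed name). Permissions and
    # expiry live server-side, so deleting the policy revokes the SAS without rotating any key.
    policies = {"readlist-7d": {"permissions": "rl", "expiry": (now + timedelta(days=7)).strftime(FMT)}}
    policy_sas = blob_sas(key1, policy_id="readlist-7d")
    results["task3_policy"] = check_sas(policy_sas, [key1, key2], policies, now)
    results["task3_policy_deleted"] = check_sas(policy_sas, [key1, key2], {}, now)
    return results
```

Call `lab_walkthrough()` to run the three tasks; each entry is the verdict the modelled service would give. The point to draw out for an audience is that the service keeps no record of issued SAS tokens: the only levers for revocation are the expiry you chose, the signing key (regenerating it revokes everything signed with it at once) and, for tokens bound to a stored access policy, the policy itself.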
Task 4: Azure AD User Account Authentication
In this task, we will configure Azure AD user account authentication for storage.
- In the portal, navigate to and select your blob container.
- Notice the authentication method shown at the top. There are two choices: Access key and Azure AD User Account. Explain the differences between the two methods: Access key uses Shared Key authorization and grants full access to the whole account, whereas Azure AD User Account uses your signed-in identity and Azure RBAC, so access can be scoped to a single container.
- Switch to Azure AD User Account.
- You should receive an error stating you do not have access permissions.
- Click Access Control (IAM).
- Select Add role assignment.
- Select the Storage Blob Data Owner role. Discuss the other storage data-plane roles that are shown, such as Storage Blob Data Contributor and Storage Blob Data Reader.
- Assign the role to your account and Save your changes.
- Return to the Overview blade.
- Switch to Azure AD User Account.
- Notice that you are now able to view the container. If you still see the error, wait a short while, since role assignments take a little time to propagate.
- Take a minute to select Change access level and review the Public access level choices (Private, Blob, Container).
Task 5: Storage Endpoints
Note: This task requires a storage account and virtual network with subnet. Storage Explorer is also required.
In this task, we will secure a storage endpoint.
- In the portal, locate your storage account.
- Create a file share, and upload a file.
- Use the Shared access signature blade to generate a SAS and connection string.
- Use Storage Explorer and the connection string to access the file share.
- Ensure you can view your uploaded file.
- Locate your virtual network, and then select a subnet in the virtual network.
- Under Service endpoints, view the Services drop-down and the different services that can be secured with an endpoint.
- Check the Microsoft.Storage option.
- Save your changes.
- Return to your storage account.
- Select Firewalls and virtual networks.
- Change to Selected networks.
- Add your virtual network and verify your subnet with the new service endpoint is listed.
- Save your changes.
- Return to the Storage Explorer.
- Refresh the storage account.
- Verify you can no longer access the file share. Storage Explorer is running on your workstation, outside the virtual network, so the request is now denied even though the SAS is still valid. The same applies to the portal's own data views until you add your client IP address under Firewall.
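The behaviour in the last step follows from how the storage firewall evaluates a request once the default action is Deny. The Python example below is added for this page (it is not Microsoft's code and does not talk to Azure); it is a toy model of the rule set behind the Firewalls and virtual networks blade. It shows why Storage Explorer on the workstation loses access while a VM in the subnet that carries the Microsoft.Storage service endpoint keeps it, why you cannot fix the workstation by adding the VM's private range as an IP rule (IP rules accept public IPv4 ranges only), and that a network rule only decides whether the request is admitted at all, not whether the SAS or key it carries is valid. The subnet resource ID and IP addresses are constructed (the workstation uses a TEST-NET-3 documentation address).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# RFC 1918 ranges: the storage firewall rejects these in IP rules, so a VM's private address
# can only be admitted through a virtual network rule.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class NetworkRuleSet:
    """Toy model of the Firewalls and virtual networks blade of a storage account."""
    default_action: str = "Allow"                         # "Allow" = All networks, "Deny" = Selected networks
    virtual_network_rules: Set[str] = field(default_factory=set)   # subnet resource IDs
    ip_rules: List[ipaddress.IPv4Network] = field(default_factory=list)
    bypass: Set[str] = field(default_factory=lambda: {"AzureServices"})

    def add_ip_rule(self, cidr: str) -> None:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4 or any(net.subnet_of(p) for p in RFC1918):
            raise ValueError(f"IP rules must be public IPv4 ranges, got {cidr}")
        self.ip_rules.append(net)


@dataclass
class Request:
    """One data-plane request as the firewall sees it."""
    source_ip: str
    subnet_id: Optional[str] = None   # set when traffic arrives over a Microsoft.Storage service endpoint
    trusted_service: bool = False     # e.g. a Microsoft service covered by the bypass list


def evaluate(rules: NetworkRuleSet, req: Request) -> Tuple[bool, str]:
    """Network-rule decision only; an admitted request still needs a valid key, SAS or Azure AD token."""
    if rules.default_action == "Allow":
        return True, "all networks allowed"
    if req.trusted_service and "AzureServices" in rules.bypass:
        return True, "bypass: trusted Microsoft services"
    if req.subnet_id and req.subnet_id in rules.virtual_network_rules:
        return True, f"virtual network rule matched {req.subnet_id}"
    ip = ipaddress.ip_address(req.source_ip)
    for net in rules.ip_rules:
        if ip in net:
            return True, f"IP rule matched {net}"
    return False, "denied: default action is Deny and no rule matched"


# Constructed subnet resource ID for the lab virtual network.
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/lab-rg"
             "/providers/Microsoft.Network/virtualNetworks/lab-vnet/subnets/default")


def lab_task5() -> Dict[str, object]:
    """Replays Task 5: open account, then Selected networks with the subnet's service endpoint."""
    rules = NetworkRuleSet()
    workstation = Request(source_ip="203.0.113.10")                     # Storage Explorer on your PC
    vm_in_subnet = Request(source_ip="10.0.0.4", subnet_id=SUBNET_ID)   # VM behind the service endpoint
    out: Dict[str, object] = {"before": evaluate(rules, workstation)}
    # Change to Selected networks and add the subnet that now has the Microsoft.Storage endpoint.
    rules.default_action = "Deny"
    rules.virtual_network_rules.add(SUBNET_ID)
    out["workstation_after"] = evaluate(rules, workstation)
    out["vm_after"] = evaluate(rules, vm_in_subnet)
    # Trying to admit the VM by its private range fails: the virtual network rule is the only way in.
    try:
        rules.add_ip_rule("10.0.0.0/24")
        out["private_ip_rule"] = "accepted"
    except ValueError as err:
        out["private_ip_rule"] = str(err)
    # Adding the workstation's public range restores its access without reopening all networks.
    rules.add_ip_rule("203.0.113.0/24")
    out["workstation_with_ip_rule"] = evaluate(rules, workstation)
    return out
```

Call `lab_task5()` to replay the task; `workstation_after` is the denial you see when Storage Explorer refreshes, and `workstation_with_ip_rule` is what the portal's Add your client IP address option does for you. Keep in mind that the real service also evaluates the request's authorization separately, so admitting a network never substitutes for a valid key, SAS or role assignment.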