How to create a storage account and a managed identity
- In the Marketplace, search for Storage account and select Create
- In the project details, select the resource group you just created
- Under the instance details, supply the name for your storage account
- Click Review
- Once validation has passed, click Create
- Wait for it to deploy
How to give the web application a managed identity to use
- In the Marketplace, search for Managed Identity and select Create
- Give the managed identity a name and click Review + create
- Click Create
- Wait for it to deploy
How to give the managed identity the appropriate permissions
- Go back to the storage account created earlier and select Access Control (IAM)
- Click Add role assignment
- Search for Storage Blob Data Reader under Job function roles and click on it
- On the Members tab, tick Managed identity
- Click + Select members and, in the Managed identity drop-down, choose User-assigned managed identity
- Select the managed identity created earlier
- Click Select
- Then click Review + assign
- Click Review + assign a second time to add the role assignment
A managed identity holding the Storage Blob Data Reader role can now read blobs in your storage account.
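The same three steps (storage account, user-assigned managed identity, Storage Blob Data Reader assignment) as an Azure CLI script. This is an added example, not code from the original post: the resource group `rg-demo`, the region and the resource names are placeholders, and the TLS floor and public-access block on the storage account are my own hardening defaults rather than settings the post changes. As in the portal flow, the role is scoped to the storage account itself, so the identity gets read access to this account's blobs and nothing else in the resource group.

```shell
#!/bin/sh
# Added example (not from the original post): Azure CLI equivalent of creating
# the storage account, the user-assigned managed identity and the
# Storage Blob Data Reader assignment. All names below are placeholders.
set -eu

RG="${RG:-rg-demo}"                   # assumed: resource group already exists
LOCATION="${LOCATION:-eastus}"
STORAGE="${STORAGE:-stdemo20240101}"  # 3-24 lowercase letters/digits, globally unique
IDENTITY="${IDENTITY:-id-webapp}"

# Step 1: storage account. The TLS floor and public-access block are my own
# hardening defaults; the post keeps the portal defaults.
create_storage_account() {
  az storage account create --name "$1" --resource-group "$2" --location "$3" \
    --sku Standard_LRS --kind StorageV2 \
    --min-tls-version TLS1_2 --allow-blob-public-access false -o none
}

# Step 2: user-assigned managed identity; prints its service principal object id.
create_identity() {
  az identity create --name "$1" --resource-group "$2" --location "$3" \
    --query principalId -o tsv
}

# Step 3: least-privilege assignment. The scope is the storage account's resource
# id, so the identity can read blobs in this account only.
assign_blob_reader() {
  principal_id="$1"; storage_name="$2"; rg="$3"
  scope=$(az storage account show --name "$storage_name" --resource-group "$rg" \
            --query id -o tsv)
  az role assignment create --role "Storage Blob Data Reader" \
    --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal \
    --scope "$scope" -o none
}

# Check: list the roles the identity holds at that scope; expect exactly one row.
show_assignments() {
  az role assignment list --assignee "$1" --scope "$2" \
    --query "[].roleDefinitionName" -o tsv
}

main() {
  create_storage_account "$STORAGE" "$RG" "$LOCATION"
  principal_id=$(create_identity "$IDENTITY" "$RG" "$LOCATION")
  assign_blob_reader "$principal_id" "$STORAGE" "$RG"
  scope=$(az storage account show --name "$STORAGE" --resource-group "$RG" --query id -o tsv)
  show_assignments "$principal_id" "$scope"
}

# Run only when explicitly asked, so the functions can also be sourced on their own.
if [ "${APPLY:-0}" = "1" ]; then main; fi
```

Run it with `APPLY=1 sh create-storage.sh` after `az login`. Passing `--assignee-principal-type ServicePrincipal` together with the object id skips the directory lookup, which can otherwise fail for a few minutes right after the identity is created.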
How to use a key vault and key to secure access to the storage account
- Go to the resource group where your storage account is and select Access Control (IAM)
- Click Add role assignment
- Search for Key Vault Administrator under Job function roles and select it
- On the Members tab, tick User, group, or service principal
- Click + Select members and choose your user account
- Click Select
- Click Review + assign
- Click Review + assign a second time to add the role assignment
How to create a key vault to hold the encryption key
- Search for Key vaults in the Marketplace and click Create
- Select your resource group, give your key vault a name, leave the other settings at their defaults and select Review + create
- Click Create once validation passes
- Wait for it to deploy
- Click Go to resource after deployment is complete
- On the Overview page, ensure that both soft delete and purge protection are enabled. By default, soft delete is enabled and purge protection is disabled
- To enable purge protection, click Disabled next to it
- Click Save
- Click Keys in the Objects section and select + Generate/import
- Give the key a name, leave the other settings at their defaults and select Create
How to set up the storage account to use the customer-managed key from the key vault
First assign the Key Vault Crypto Service Encryption User role to the managed identity.
- Go to the resource group and click Access Control (IAM)
- Click Add role assignment
- Search for Key Vault Crypto Service Encryption User under Job function roles and select it
- On the Members tab, tick Managed identity and click + Select members
- Select User-assigned managed identity in the Managed identity drop-down
- Click your managed identity and click Select
- Click Review + assign
- Click Review + assign a second time to add the role assignment
How to set your key vault's customer-managed key to be used for the storage account
- Go back to your storage account
- Click Encryption under Security + networking and tick Customer-managed keys
- Click Select a key vault and key
- Choose your key vault and key
- Click Select
- Change Identity type to User-assigned and click Select an identity
- Click your managed identity and click Add
- Click Save
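The key vault, key, role assignment and customer-managed-key steps above as one Azure CLI script. This is an added example, not code from the original post. Names are placeholders; the 90-day soft-delete retention is my own choice; and the vault is created with the RBAC permission model, which the post does not state explicitly but which is what makes its Key Vault Administrator and Key Vault Crypto Service Encryption User assignments take effect (under the older access-policy model those roles grant nothing on the data plane). One deliberate deviation: the identity's encryption-user role is scoped to the vault rather than to the resource group used in the portal steps, because the identity only needs this one vault.

```shell
#!/bin/sh
# Added example (not from the original post): Azure CLI equivalent of the key
# vault, key and customer-managed-key steps above. Names are placeholders.
set -eu

RG="${RG:-rg-demo}"
LOCATION="${LOCATION:-eastus}"
STORAGE="${STORAGE:-stdemo20240101}"
IDENTITY="${IDENTITY:-id-webapp}"
VAULT="${VAULT:-kv-demo-20240101}"   # globally unique, 3-24 chars
KEY_NAME="${KEY_NAME:-storage-cmk}"

# Generic role assignment; the caller passes the scope and so decides how narrow it is.
assign_role() {
  az role assignment create --role "$1" --assignee-object-id "$2" \
    --assignee-principal-type "$3" --scope "$4" -o none
}

# Key vault with purge protection on. Soft delete is always on for new vaults;
# RBAC authorization is assumed here (see the lead-in), and 90 days of
# soft-delete retention is my own choice.
create_key_vault() {
  az keyvault create --name "$1" --resource-group "$2" --location "$3" \
    --enable-rbac-authorization true --enable-purge-protection true \
    --retention-days 90 -o none
}

# An RSA key for storage encryption (the portal default when generating a key).
create_key() {
  az keyvault key create --vault-name "$1" --name "$2" --kty RSA --size 2048 -o none
}

# Point the storage account at the vault key, unwrapped via the user-assigned
# identity. No key version is given, so the account follows rotated versions
# automatically (the portal's automatic key version update).
configure_cmk() {
  identity_id="$1"; vault_uri="$2"; key_name="$3"; storage="$4"; rg="$5"
  az storage account update --name "$storage" --resource-group "$rg" \
    --identity-type UserAssigned --user-identity-id "$identity_id" \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "$vault_uri" --encryption-key-name "$key_name" \
    --key-vault-user-identity-id "$identity_id" -o none
}

main() {
  rg_id=$(az group show --name "$RG" --query id -o tsv)
  me=$(az ad signed-in-user show --query id -o tsv)
  assign_role "Key Vault Administrator" "$me" User "$rg_id"
  create_key_vault "$VAULT" "$RG" "$LOCATION"
  create_key "$VAULT" "$KEY_NAME"
  vault_id=$(az keyvault show --name "$VAULT" --query id -o tsv)
  vault_uri=$(az keyvault show --name "$VAULT" --query properties.vaultUri -o tsv)
  identity_id=$(az identity show --name "$IDENTITY" --resource-group "$RG" --query id -o tsv)
  principal_id=$(az identity show --name "$IDENTITY" --resource-group "$RG" --query principalId -o tsv)
  # Scoped to the vault only, narrower than the resource-group scope in the portal steps.
  assign_role "Key Vault Crypto Service Encryption User" "$principal_id" ServicePrincipal "$vault_id"
  configure_cmk "$identity_id" "$vault_uri" "$KEY_NAME" "$STORAGE" "$RG"
  # Check: the key source should now read Microsoft.Keyvault
  az storage account show --name "$STORAGE" --resource-group "$RG" \
    --query encryption.keySource -o tsv
}

if [ "${APPLY:-0}" = "1" ]; then main; fi
```

Role assignments take a few minutes to propagate, so `create_key` can return 403 immediately after the Key Vault Administrator assignment; rerunning it once the assignment is visible is enough. Purge protection cannot be turned off again once enabled, which is the point: a deleted vault or key that held the storage account's CMK would otherwise make the data unreadable.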
How to set up an encryption scope and a time-based retention policy
First create immutable blob storage
- Go to your storage account
- Select Containers in the Data storage section
- Create a container by clicking + Container
- Give the container a name and click Create
- Upload a file into the container: click on the container you created, then click Upload
- Browse for a file and click Upload
- Click Access policy in the Settings section, then click + Add policy in the Immutable blob storage section
- Change the policy type to Time-based retention, choose a retention period and click Save
To check that the policy is in effect, try to delete the uploaded file: the portal reports that it failed to delete the blob because of the policy.
How to configure infrastructure encryption
- Go back to the storage account, select Encryption in the Security + networking section and click Add on the Encryption scopes tab
- Choose a name for the encryption scope, change Encryption type to Microsoft-managed key, enable Infrastructure encryption and click Create
- Now go back to your storage account and create a new container. In the New container pane, under the Advanced section, you can select the encryption scope created earlier and apply it to the container and the blobs in it
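The immutability policy and encryption-scope steps above as an Azure CLI script, including the deletion check the post uses to confirm the retention policy. This is an added example, not code from the original post. Names, the 7-day retention period and the sample file content are placeholders I constructed; and where the post uses two containers (one for the retention policy, a new one for the encryption scope), this script puts both on a single container and additionally forbids per-blob encryption-scope overrides, which the portal steps do not mention.

```shell
#!/bin/sh
# Added example (not from the original post): Azure CLI equivalent of the
# immutability-policy and encryption-scope steps above. Names are placeholders.
set -eu

RG="${RG:-rg-demo}"
STORAGE="${STORAGE:-stdemo20240101}"
SCOPE="${SCOPE:-scope-infra}"
CONTAINER="${CONTAINER:-records}"
BLOB="${BLOB:-sample.txt}"
RETENTION_DAYS="${RETENTION_DAYS:-7}"   # the post leaves the period to the reader

# Encryption scope with infrastructure (double) encryption under a Microsoft-managed key.
create_encryption_scope() {
  az storage account encryption-scope create --resource-group "$1" \
    --account-name "$2" --name "$3" --key-source Microsoft.Storage \
    --require-infrastructure-encryption true -o none
}

# Container that uses the scope by default and refuses per-blob overrides, so a
# client cannot upload a blob under a weaker scope. --auth-mode login uses your
# Azure AD identity for the data plane (needs Storage Blob Data Contributor).
create_container() {
  az storage container create --account-name "$1" --name "$2" \
    --default-encryption-scope "$3" --prevent-encryption-scope-override true \
    --auth-mode login -o none
}

# Upload a constructed sample file so there is something for the policy to protect.
upload_sample_blob() {
  tmp=$(mktemp)
  printf 'constructed sample record, not real data\n' > "$tmp"
  az storage blob upload --account-name "$1" --container-name "$2" \
    --name "$3" --file "$tmp" --auth-mode login -o none
  rm -f "$tmp"
}

# Time-based retention on the container (management plane, hence no --auth-mode).
# Left unlocked, as in the post; an unlocked policy still blocks deletes but can
# itself be shortened or removed, so lock it once the period is final.
set_retention_policy() {
  az storage container immutability-policy create --resource-group "$1" \
    --account-name "$2" --container-name "$3" --period "$4" -o none
}

# The post's check: deleting the blob must fail while the policy is in effect.
verify_retention() {
  if az storage blob delete --account-name "$1" --container-name "$2" \
       --name "$3" --auth-mode login >/dev/null 2>&1; then
    echo "FAIL: blob was deleted, the retention policy is not protecting it"
    return 1
  fi
  echo "OK: delete refused by the time-based retention policy"
}

main() {
  create_encryption_scope "$RG" "$STORAGE" "$SCOPE"
  create_container "$STORAGE" "$CONTAINER" "$SCOPE"
  upload_sample_blob "$STORAGE" "$CONTAINER" "$BLOB"
  set_retention_policy "$RG" "$STORAGE" "$CONTAINER" "$RETENTION_DAYS"
  verify_retention "$STORAGE" "$CONTAINER" "$BLOB"
}

if [ "${APPLY:-0}" = "1" ]; then main; fi
```

The data-plane commands (`container create`, `blob upload`, `blob delete`) run with `--auth-mode login`, which requires Storage Blob Data Contributor on the account for the signed-in user; Owner or Contributor on the resource group alone is not enough for blob operations. Note that `verify_retention` succeeding means the delete was refused, which is the outcome the post describes.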