🔒 Securing an Azure Storage Account

A secure Azure Storage Account setup involves applying best practices for access control, networking, encryption, and monitoring. Below is a comprehensive checklist.

🔑 1. Identity & Access Management

  • Use Azure RBAC (Role-Based Access Control):
    • Assign the least-privileged roles to users, groups, and services.
    • Prefer data-plane roles such as Storage Blob Data Reader/Contributor over the broader Storage Account Contributor role.
  • Use Azure AD for authentication:
    • Enable Azure AD authentication for Blob and Queue services.
    • Avoid using account keys where possible.
  • Disable Shared Key access:
    • If possible, disable Shared Key authorization under the Configuration tab.
  • Use Shared Access Signatures (SAS) cautiously:
    • Prefer user delegation SAS over account SAS.
    • Limit expiry, permissions, and IP address range.

🌐 2. Networking

  • Restrict access with firewalls and VNets:
    • Enable the firewall and configure trusted IP ranges or VNets.
  • Disable public access:
    • Set AllowBlobPublicAccess = false at the storage account level.
  • Use Private Endpoints:
    • Create Azure Private Endpoints to eliminate exposure to the public internet.

🔐 3. Encryption

  • Data-at-rest encryption:
    • Enabled by default with Microsoft-managed keys.
    • Optionally use customer-managed keys (CMK) in Azure Key Vault.
  • Data-in-transit encryption:
    • Enforce HTTPS-only traffic (Secure transfer required setting).

📊 4. Monitoring & Alerts

  • Enable Azure Monitor & Storage Diagnostics:
    • Configure Azure Monitor Logs and metrics.
    • Enable Storage Analytics Logging for Blob, Queue, and Table.
  • Log all access with Azure Activity Logs:
    • Monitor control-plane operations such as key regeneration and firewall rule updates.
  • Enable Defender for Storage:
    • Detect threats such as data exfiltration, malware uploads, and unusual access patterns.

🛡️ 5. Data Protection & Recovery

  • Enable Soft Delete:
    • Protect against accidental deletions (blobs, containers, and file shares).
  • Enable Point-in-Time Restore (Blob Storage):
    • Recover from corruption or accidental deletion.
  • Replication options:
    • Choose Geo-Redundant Storage (GRS) or Zone-Redundant Storage (ZRS) for durability.

✅ 6. Regular Reviews & Compliance

  • Rotate keys and secrets regularly.
  • Use Azure Policy to enforce compliance (e.g., disallow public access).
  • Audit access control assignments and review logs routinely.
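As an added example (not part of the original checklist), a small Python audit that maps the settings above onto the fields of a storage account's properties JSON, the shape returned by `az storage account show`. The sample document is constructed; property names follow the Azure CLI output format and the thresholds (Deny default action, TLS1_2, GRS/ZRS SKUs) are the checklist's own recommendations.

```python
"""Audit a storage account's properties JSON against the checklist above."""
import json
from typing import List

# Constructed sample shaped like `az storage account show` output; only the
# fields the checks read are included (real output carries many more).
SAMPLE_ACCOUNT_JSON = """
{
  "name": "examplestorageacct",
  "sku": {"name": "Standard_LRS"},
  "allowBlobPublicAccess": true,
  "allowSharedKeyAccess": null,
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_0",
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
  "privateEndpointConnections": [],
  "encryption": {"keySource": "Microsoft.Storage"}
}
"""

def audit_storage_account(account: dict) -> List[str]:
    """Return checklist findings; an empty list means every check passed."""
    findings = []
    # 1. Identity & access: null means shared key is still enabled by default.
    if account.get("allowSharedKeyAccess") is not False:
        findings.append("shared key authorization is enabled")
    # 2. Networking: anonymous access, firewall default, and public exposure.
    if account.get("allowBlobPublicAccess") is not False:
        findings.append("anonymous blob public access is allowed")
    if (account.get("networkRuleSet") or {}).get("defaultAction") != "Deny":
        findings.append("firewall default action is not Deny")
    if account.get("publicNetworkAccess") == "Enabled" and not account.get("privateEndpointConnections"):
        findings.append("public network access enabled with no private endpoint")
    # 3. Encryption in transit.
    if not account.get("enableHttpsTrafficOnly"):
        findings.append("secure transfer (HTTPS only) is not required")
    if account.get("minimumTlsVersion") != "TLS1_2":
        findings.append("minimum TLS version is below TLS1_2")
    # 5. Data protection: redundancy beyond a single datacenter.
    sku = (account.get("sku") or {}).get("name", "")
    if not any(tag in sku for tag in ("GRS", "ZRS")):
        findings.append(f"SKU {sku!r} is locally redundant only")
    return findings

def audit_json(text: str) -> List[str]:
    """Parse an `az storage account show` JSON document and audit it."""
    return audit_storage_account(json.loads(text))

if __name__ == "__main__":
    for finding in audit_json(SAMPLE_ACCOUNT_JSON):
        print("FINDING:", finding)
```

Pipe real output into `audit_json` (for example `az storage account show -n <name> -g <rg> -o json`) to run the same checks against a live account.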