Articles tagged: Azure

Securing an Azure Storage Account

A secure Azure Storage Account setup involves applying best practices for access control, networking, encryption, and monitoring. Below is a comprehensive checklist.

🔑 1. Identity & Access Management

  • Use Azure RBAC (Role-Based Access Control):
    • Assign the least privileged roles to users, groups, and services.
    • Prefer Storage Blob Data Reader/Contributor over general Storage Account Contributor.
  • Use Azure AD for Authentication:
    • Enable Azure AD authentication for Blob and Queue services.
    • Avoid using account keys where possible.
  • Disable Shared Key Access:
    • If possible, disable Shared Key Authorization under the Configuration tab.
  • Use Shared Access Signatures (SAS) cautiously:
    • Prefer user delegation SAS over account SAS.
    • Limit expiry, permissions, and IP address range.

🌐 2. Networking

  • Restrict access with firewalls and VNets:
    • Enable the firewall and configure trusted IP ranges or VNets.
  • Disable public access:
    • Set AllowBlobPublicAccess = false at the storage account level.
  • Use Private Endpoints:
    • Create Azure Private Endpoints to eliminate exposure to the public internet.

🔐 3. Encryption

  • Data-at-Rest Encryption:
    • Enabled by default with Microsoft-managed keys.
    • Optionally use Customer-managed keys (CMK) in Azure Key Vault.
  • Data-in-Transit Encryption:
    • Enforce HTTPS-only traffic (Secure transfer required setting).

📊 4. Monitoring & Alerts

  • Enable Azure Monitor & Storage Diagnostics:
    • Configure Azure Monitor Logs and metrics.
    • Enable Storage Analytics Logging for Blob, Queue, Table.
  • Log all access with Azure Activity Logs:
    • Monitor operations like key changes, firewall updates, etc.
  • Enable Defender for Storage:
    • Detect threats like data exfiltration, malware uploads, unusual access patterns.

🛡️ 5. Data Protection & Recovery

  • Enable Soft Delete:
    • Protect against accidental deletions (Blob, File, Container).
  • Enable Point-in-Time Restore (Blob Storage):
    • Recover from corruption or accidental deletion.
  • Replication Options:
    • Choose Geo-Redundant Storage (GRS) or Zone-Redundant Storage (ZRS) for durability.

✅ 6. Regular Reviews & Compliance

  • Rotate keys and secrets regularly.
  • Use Azure Policy to enforce compliance (e.g., disallow public access).
  • Audit access control assignments and review logs routinely.

Azure Key Vault - Best Practices

Azure Key Vault is essential for secure management of secrets, keys, and certificates. Below are key security-focused best practices to design a robust, compliant, and resilient implementation.

1. Use Separate Vaults per Environment

  • Create dedicated vaults for Development, Testing, and Production.
  • Apply environment-specific access controls.
  • Reduce the blast radius and avoid accidental sharing or overwriting across environments.

2. Set Expiration & Automate Rotation

  • Configure expiration dates for all secrets, keys, and certificates.
  • Automate rotation with Azure Logic Apps or Azure Functions.
  • Use Key Vault references in Azure App Services to consume updated secrets without redeploying code.

3. Enable Logging & Monitoring

  • Send activity logs to Azure Monitor, Log Analytics, or Storage Accounts.
  • Track who accessed what, when, and from where.
  • Integrate with Azure Sentinel to enable threat detection and automated alerting.

4. Restrict Network Access

  • Use Private Endpoints to limit access to resources within your Virtual Network.
  • Configure IP firewall rules to allow only trusted sources.
  • Enable only necessary Microsoft trusted services access.

5. Use Azure RBAC Instead of Access Policies

  • Prefer Azure RBAC for fine-grained, manageable access control.
  • Assign roles like Key Vault Secrets User with least privilege.
  • Avoid using the built-in Contributor role, as it grants excessive permissions.
  • Create a custom role that excludes sensitive actions (e.g., vault deletion).

6. Enable Soft Delete & Purge Protection

  • Protect secrets, keys, and certificates from accidental or malicious deletion.
  • Enable Soft Delete and Purge Protection to ensure recovery is always possible.

7. Lock the Key Vault Resource

  • Apply resource locks (e.g., “CanNotDelete”) to prevent accidental or unauthorized deletion of the vault itself.
  • Especially important in Production environments.