Differences

This shows you the differences between two versions of the page.

--- azure:az-500:alt:azure_storage [2022/07/25 20:40] – [Types of Authorization] mmuze
+++ azure:az-500:alt:azure_storage [2023/02/07 14:42] (current) – mmuze
@@ Line 1: / Line 1: @@
 ====== Azure Storage ======
   * [[https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction]]
+  * data is always encrypted at rest — can use Microsoft Managed Keys or Customer Managed Keys
 ====== Azure Storage Accounts ======
@@ Line 40: / Line 41: @@
 ===== Stored Access Policy =====
 > A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side.
-  * A [[https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy|stored access policy]] is an additional level of protection that can be used in conjunction with //service-level shared access signatures (SAS)// authentication. It provides and expiration date and permissions that can be used independent of the SAS token/URL. This provides more flexibility for revoking access.
+  * A [[https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy|stored access policy]] is an additional level of protection that can be used in conjunction with //service-level shared access signatures (SAS)// authentication. It provides an expiration date and permissions that can be used independent of the SAS token/URL. This provides more flexibility for revoking access.
   * [[https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy]]
+> To revoke a stored access policy, you can delete it, rename it by changing the signed identifier, or change the expiry time to a value in the past. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Changing the expiry time to a value in the past causes any associated signatures to expire. Deleting or modifying the stored access policy immediately affects all of the shared access signatures associated with it.
 ====== Storage Service Encryption ======
   * All data (including metadata) written to Azure Storage is automatically encrypted using Storage Service Encryption (SSE).
@@ Line 65: / Line 68: @@
 ===== Access Tiers for Blob Storage =====
   * [[https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview]]
+===== Encryption =====
+  * A blob-only feature is the ability to specify an encryption scope
+  * An encryption scope can be applied to a container or blob itself
+  * If an encryption scope is set at the container level then one cannot be set at the blob level.
+  * **MMK:** Microsoft Managed Keys
+  * **CMK:** Customer Managed Keys
 ====== Azure Files ======
@@ Line 77: / Line 87: @@
 ====== Azure Disks ======
 > Block-level storage volumes for Azure VMs.
+===== Azure Disk Encryption =====
+  * [[https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview]]
+===== Windows =====
+  * DE is support for standard tier VMs
+===== Linux =====
+  * For Linux scale sets only encryptions is supported on the data volume, but **not** the OS volume
+  * Encryption is **not** supported for customer Linux images—only the Gallery images are supported.