azure:az-500:data_and_application_security

Differences

This shows you the differences between two versions of the page.

Previous revision: azure:az-500:data_and_application_security [2022/07/20 12:55] – [Shared Access Signature (SAS)] mmuze
Current revision: azure:az-500:data_and_application_security [2022/07/22 00:59] (current) mmuze
Line 4: Line 4:
  
 ===== Configure security for storage ===== ===== Configure security for storage =====
-  * [[:azure_storage|Azure Storage]]+  * [[azure:azure_storage|Azure Storage]]
   * [[azure:az-500:Storage Security]]   * [[azure:az-500:Storage Security]]
   * Configure access control for storage accounts   * Configure access control for storage accounts
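Review bot: The only change in this hunk is the link target on the Azure Storage bullet, from the root-namespace `:azure_storage` to `azure:azure_storage`. That now matches the namespace of the sibling link `[[azure:az-500:Storage Security]]`, so the fix looks right, but confirm the page actually resolves at `azure:azure_storage` rather than leaving a dangling wiki link.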
Line 29: Line 29:
   * Configure backup and recovery of certificates, secrets, and keys   * Configure backup and recovery of certificates, secrets, and keys
  
-====== Storage Account Access ====== 
-  * [[https://docs.microsoft.com/en-us/azure/storage/common/authorize-data-access|Authorize access to data in Azure Storage]] 
-  * [[https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security]] 
-  * [[https://docs.microsoft.com/en-us/learn/modules/storage-security/4-shared-access-signatures]] 
-  * [[https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview]] 
-  * [[https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory|Azure AD]] is the recommended way to provide authorization for storage account access. 
-  * A [[https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy|stored access policy]] is an additional level of protection that can be used in conjunction with //service-level shared access signatures (SAS)// authentication. It provides and expiration date and permissions that can be used independent of the SAS token/URL. This provides more flexibility for revoking access. 
- 
-===== Shared Access Signature (SAS) ===== 
-  * The only way to revoke a SAS is to revoke (regenerate) the access key that was used to sign it. This is not ideal because that key could be used in other ways and this would be a disruptive operation. That is where a **stored access policy** can be of use (for service-level SAS only). 
-  * A **user delegation** SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only. 
-  * A **service SAS** is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files. A service-level SAS applies to just one service (e.g. blob, Azure Files...). 
-  * An **account SAS** is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS. Account-level SAS applies to the Storage Account, therefore it could apply to any number of containers in the account. 
  
 ===== Azure Key Vault ===== ===== Azure Key Vault =====
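Review bot: This hunk deletes the whole "Storage Account Access" and "Shared Access Signature (SAS)" sections (the Azure AD recommendation, the stored access policy note, and the user delegation / service / account SAS comparison) without any replacement visible in the diff; if the text was moved to the `Storage Security` page linked at line 4 the revision summary should say so, otherwise the page loses its only revocation guidance. If the text is being moved, two points in it deserve fixing on the way: the removed line "The only way to revoke a SAS is to revoke (regenerate) the access key" is contradicted by the same bullet and by the stored access policy bullet above it (a service SAS tied to a stored access policy is revoked by deleting or editing the policy), and it does not hold for a user delegation SAS, which the next bullet says is secured with Azure AD credentials rather than the account key, so regenerating the key is not its revocation path. Also "It provides and expiration date and permissions" should read "It provides an expiration date and permissions".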
Line 127: Line 114:
 ===== § ===== ===== § =====
   * [[azure:az-500:Azure Monitor]]   * [[azure:az-500:Azure Monitor]]
 +
 +====== HDInsight ======
 +  * To support multiuser access an HDInsight cluster requires AADDS.
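Review bot: The new HDInsight bullet uses the abbreviation "AADDS" without expanding it, and "multiuser access" is not defined; spell it out as Azure Active Directory Domain Services on first use and state what the requirement covers (the domain-joined cluster configuration that enables per-user authentication and authorization), with a link in the same `[[...]]` style the rest of the page uses for its references.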
  
  • Last modified: 2022/07/20 12:55
  • by mmuze