azure:az-500:storage_security

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
azure:az-500:storage_security [2022/06/21 20:27] – [Shared Access Storage (SAS)] mmuzeazure:az-500:storage_security [2022/07/20 19:08] (current) – [Shared Access Signature(SAS)] mmuze
Line 6: Line 6:
 ===== Azure Storage Access ===== ===== Azure Storage Access =====
    * Azure AD/RBAC authorization is preferred over all other authorization storage options for Azure Storage.    * Azure AD/RBAC authorization is preferred over all other authorization storage options for Azure Storage.
 +
 +  * [[https://docs.microsoft.com/en-us/azure/storage/common/authorize-data-access|Authorize access to data in Azure Storage]]
 +  * [[https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security]]
 +  * [[https://docs.microsoft.com/en-us/learn/modules/storage-security/4-shared-access-signatures]]
 +  * [[https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview]]
 +  * [[https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory|Azure AD]] is the recommended way to provide authorization for storage account access.
 +
 ==== Types of Authorization ==== ==== Types of Authorization ====
   * [[https://docs.microsoft.com/en-us/azure/storage/common/authorize-data-access#understand-authorization-for-data-operations]]   * [[https://docs.microsoft.com/en-us/azure/storage/common/authorize-data-access#understand-authorization-for-data-operations]]
Line 20: Line 27:
 ===== Shared Access Signature(SAS) ===== ===== Shared Access Signature(SAS) =====
   * SAS is a string that contains a security token that can be attached to a URI that gives access to storage objects   * SAS is a string that contains a security token that can be attached to a URI that gives access to storage objects
 +  * [[https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview]]
  
-==== Types ==== +  The only way to revoke a SAS (that was signed by a key) is to revoke (regenerate) the access key that was used to sign it. This is not ideal because that key could be used in other ways and this would be a disruptive operation. That is where a **stored access policy** can be of use (for service-level SAS only). 
-  * **service-level**gives access at the storage account level +  There are tree types of SASuser delegated, service SAS and account SAS. 
-  * **account level ** +  * A **user delegation** SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only. 
-  * **user delegation SAS**+  * **service SAS** is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files. A service-level SAS applies to just one service (e.g. blob, Azure Files...). 
 +  * An **account SAS** is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS. Account-level SAS applies to the Storage Account, therefore it could apply to any number of containers/Azure Storage Services in the account.
  
-==== Stored Access Policy ==== +  * **SAS** can take one of two forms. **Ad hoc SAS** where the expiry and permissions are part of the SAS URI and Service **SAS** with **stored access policy** where the SAS references the policy that defines the expiry and permissions. 
-A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side.+    * A user delegated SAS and account SAS must be an ad hoc SAS
  
 ===== Stored Access Policy ===== ===== Stored Access Policy =====
 +> A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side.
 +  * A [[https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy|stored access policy]] is an additional level of protection that can be used in conjunction with //service-level shared access signatures (SAS)// authentication. It provides and expiration date and permissions that can be used independent of the SAS token/URL. This provides more flexibility for revoking access.
 +  * [[https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy]]
  
 ====== Storage Service Encryption ====== ====== Storage Service Encryption ======
  • azure/az-500/storage_security.1655843240.txt.gz
  • Last modified: 2022/06/21 20:27
  • by mmuze