Differences

This shows you the differences between two versions of the page.

--- azure:az-500:storage_security [2022/07/20 12:36] – [Stored Access Policy] mmuze
+++ azure:az-500:storage_security [2022/07/20 19:08] (current) – [Shared Access Signature(SAS)] mmuze
@@ Line 6: / Line 6: @@
 ===== Azure Storage Access =====
    * Azure AD/RBAC authorization is preferred over all other authorization storage options for Azure Storage.
+  * [[https://docs.microsoft.com/en-us/azure/storage/common/authorize-data-access|Authorize access to data in Azure Storage]]
+  * [[https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security]]
+  * [[https://docs.microsoft.com/en-us/learn/modules/storage-security/4-shared-access-signatures]]
+  * [[https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview]]
+  * [[https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory|Azure AD]] is the recommended way to provide authorization for storage account access.
 ==== Types of Authorization ====
   * [[https://docs.microsoft.com/en-us/azure/storage/common/authorize-data-access#understand-authorization-for-data-operations]]
@@ Line 20: / Line 27: @@
 ===== Shared Access Signature(SAS) =====
   * SAS is a string that contains a security token that can be attached to a URI that gives access to storage objects
+  * [[https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview]]
+  * The only way to revoke a SAS (that was signed by a key) is to revoke (regenerate) the access key that was used to sign it. This is not ideal because that key could be used in other ways and this would be a disruptive operation. That is where a **stored access policy** can be of use (for service-level SAS only).
+  * There are tree types of SAS, user delegated, service SAS and account SAS.
+  * A **user delegation** SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only.
+  * A **service SAS** is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files. A service-level SAS applies to just one service (e.g. blob, Azure Files...).
+  * An **account SAS** is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS. Account-level SAS applies to the Storage Account, therefore it could apply to any number of containers/Azure Storage Services in the account.
-==== Types ====
+  * A **SAS** can take one of two forms. **Ad hoc SAS** where the expiry and permissions are part of the SAS URI and Service **SAS** with **stored access policy** where the SAS references the policy that defines the expiry and permissions.
-  * **service-level**, gives access at the storage account level
+    * A user delegated SAS and account SAS must be an ad hoc SAS
-  * **account level **
-  * **user delegation SAS**
 ===== Stored Access Policy =====
 > A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side.
+  * A [[https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy|stored access policy]] is an additional level of protection that can be used in conjunction with //service-level shared access signatures (SAS)// authentication. It provides and expiration date and permissions that can be used independent of the SAS token/URL. This provides more flexibility for revoking access.
   * [[https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy]]