
Azure Storage

Azure Storage Accounts

  • Storage accounts provide the logical container/namespace for storage services like blob containers, file shares, queues and tables.
  • General-purpose v2 accounts - Basic storage account type for blobs, files, queues, and tables. Recommended for most scenarios using Azure Storage.
  • General-purpose v1 accounts - Legacy account type for blobs, files, queues, and tables. Use general-purpose v2 accounts instead when possible.
  • Block Blob Storage (premium) accounts - Premium storage account type for block blobs and append blobs. Recommended for scenarios with high transaction rates or that use smaller objects or require consistently low storage latency.
  • File Storage accounts
  • Blob Storage accounts - Legacy Blob-only storage accounts. Use general-purpose v2 accounts instead when possible.

Authorization

  • Azure Active Directory (Azure AD) integration/RBAC
    • This is the generally recommended method to use.
    • You can grant permissions that are scoped to the level of an individual container or queue.
  • Shared Key for blobs, files, queues, and tables. A client using Shared Key passes a header with every request that is signed using the storage account access key.
    • It is recommended to disable this option and not use it.
    • MS recommends using Azure AD/RBAC instead of this option.
    • If shared keys are used, it is recommended to keep them in Azure Key Vault and to rotate the keys periodically.
  • Shared Access Signature (SAS)

Shared Access Signature (SAS)

  • The only way to revoke a SAS (that was signed by a key) is to revoke (regenerate) the access key that was used to sign it. This is not ideal because that key could be used in other ways and this would be a disruptive operation. That is where a stored access policy can be of use (for service-level SAS only).
  • There are three types of SAS: user delegation SAS, service SAS and account SAS.
  • A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only.
  • A service SAS is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files. A service-level SAS applies to just one service (e.g. blob, Azure Files…).
  • An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS. Account-level SAS applies to the Storage Account, therefore it could apply to any number of containers/Azure Storage Services in the account.
  • A SAS can take one of two forms: an ad hoc SAS, where the expiry and permissions are part of the SAS URI, and a service SAS with a stored access policy, where the SAS references the policy that defines the expiry and permissions.
    • A user delegation SAS and an account SAS must be ad hoc SAS.
A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side.
To revoke a stored access policy, you can delete it, rename it by changing the signed identifier, or change the expiry time to a value in the past. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Changing the expiry time to a value in the past causes any associated signatures to expire. Deleting or modifying the stored access policy immediately affects all of the shared access signatures associated with it.
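The following is an added example (not code from the original notes) that puts the SAS types and the ad hoc vs stored access policy distinction above into a small audit routine: given a SAS URL or bare token it classifies the SAS by the query parameters present (the sk* user delegation key fields, ss/srt for an account SAS, si for a stored access policy reference) and flags the properties a reviewer would look at, such as missing or distant expiry, write-class permissions, HTTP allowed and no IP restriction, plus the revocation point from the notes (a key-signed ad hoc SAS can only be revoked by regenerating the key). The parameter names are the documented SAS query parameters; the sample tokens, the reference time and the eight-hour lifetime limit are constructed for the example, and every sig value is a dummy.

```python
"""Audit an Azure Storage SAS token (bare query string or full URL).

Added example, not code from the original notes. Query parameter names are the
documented SAS parameters (sv, sr, sp, st, se, sip, spr, sig, si, ss, srt and
the sk* user delegation key fields). Every sample below is constructed and its
sig value is a dummy.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

USER_DELEGATION_KEYS = {"skoid", "sktid", "skt", "ske", "sks", "skv"}  # user delegation key fields
ACCOUNT_SAS_KEYS = {"ss", "srt"}      # signed services / signed resource types (account SAS only)
WRITE_CLASS_PERMS = set("acdwupxy")   # add, create, delete, write, update, process, delete version, permanent delete

# Constructed reference time used by the samples and the checks below.
NOW = datetime(2023, 2, 7, 14, 42, tzinfo=timezone.utc)


def parse_sas(token_or_url):
    """Return the SAS query parameters as a dict; the last repeated value wins."""
    query = urlsplit(token_or_url).query if "://" in token_or_url else token_or_url.lstrip("?")
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def classify_sas(params):
    """The three SAS types from the notes, told apart by the fields present."""
    if USER_DELEGATION_KEYS & params.keys():
        return "user delegation SAS"
    if ACCOUNT_SAS_KEYS & params.keys():
        return "account SAS"
    return "service SAS"


def parse_sas_time(value):
    """SAS times are UTC ISO 8601; a date-only value is also accepted by the service."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None


def audit_sas(token_or_url, now=None, max_lifetime=timedelta(hours=8)):
    """Classify the SAS and return findings keyed by a short code."""
    now = now or datetime.now(timezone.utc)
    p = parse_sas(token_or_url)
    kind = classify_sas(p)
    uses_policy = bool(p.get("si"))
    form = "stored access policy" if uses_policy else "ad hoc"
    findings = {}

    if uses_policy and kind != "service SAS":
        findings["policy-on-non-service-sas"] = "only a service SAS can reference a stored access policy"

    # With a policy the expiry may live in the policy, so only judge the token's own se value.
    expiry = parse_sas_time(p["se"]) if "se" in p else None
    if expiry is None and not uses_policy:
        findings["no-expiry"] = "ad hoc SAS without a parseable se (expiry) value"
    elif expiry is not None:
        if expiry <= now:
            findings["expired"] = f"expired at {p['se']}"
        elif expiry - now > max_lifetime:
            findings["long-lived"] = f"valid for {expiry - now} (limit {max_lifetime})"

    granted = set(p.get("sp", "")) & WRITE_CLASS_PERMS
    if granted:
        findings["write-class-permissions"] = "sp grants " + "".join(sorted(granted))

    if p.get("spr", "https,http") != "https":   # absent spr means both protocols are allowed
        findings["http-allowed"] = "spr does not restrict the SAS to HTTPS"
    if "sip" not in p:
        findings["no-ip-restriction"] = "no sip range; usable from any source address"

    if kind == "account SAS":
        findings["account-wide-scope"] = f"services={p.get('ss')} resource types={p.get('srt')}"
    if kind != "user delegation SAS" and not uses_policy:
        findings["key-revocation-only"] = "signed with an account key; revocable only by regenerating that key"
    return {"kind": kind, "form": form, "findings": findings}


# Constructed sample tokens (dummy signatures) covering the cases in the notes.
SAMPLES = {
    "service_adhoc_expired": "https://contoso.blob.core.windows.net/backups/db.bak"
        "?sv=2020-08-04&sr=b&sp=r&se=2023-01-01T00:00:00Z&spr=https&sig=DUMMY",
    "account_broad": "?sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacup&se=2030-01-01T00:00:00Z&spr=https,http&sig=DUMMY",
    "service_policy": "?sv=2020-08-04&sr=c&si=readonly-policy&spr=https&sip=10.0.0.0-10.0.0.255&sig=DUMMY",
    "user_delegation": "?sv=2020-08-04&sr=b&sp=r&st=2023-02-07T14:00:00Z&se=2023-02-07T18:00:00Z&spr=https"
        "&skoid=00000000-0000-0000-0000-000000000000&sktid=00000000-0000-0000-0000-000000000000"
        "&skt=2023-02-07T14:00:00Z&ske=2023-02-08T14:00:00Z&sks=b&skv=2020-08-04&sig=DUMMY",
}

if __name__ == "__main__":
    for name, token in SAMPLES.items():
        result = audit_sas(token, now=NOW)
        print(f"{name}: {result['kind']} ({result['form']})")
        for code, detail in result["findings"].items():
            print(f"  - {code}: {detail}")
```

The policy-backed sample produces no findings on its own because its expiry and permissions are defined server-side in the stored access policy; auditing that SAS means reviewing the policy on the container, which is exactly the control the notes describe.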

Storage Service Encryption

  • All data (including metadata) written to Azure Storage is automatically encrypted using Storage Service Encryption (SSE).
  • You can rely on Microsoft-managed keys for the encryption of your storage account, or you can manage encryption with your own keys.

Blob Storage

A massively scalable object store for text and binary data. Also includes support for big data analytics through Data Lake Storage Gen2.
  • block blobs
    • used for text and binary files
    • optimized for uploading large amounts of data efficiently
    • block blobs can store up to about 190.7 TiB
  • append blobs
    • optimized for append operations; log files are a common use case
  • page blobs
    • support random read/write operations for things like VHD disk images for VMs
    • store random access files up to 8 TiB in size
  • A blob-only feature is the ability to specify an encryption scope
  • An encryption scope can be applied to a container or blob itself
  • If an encryption scope is set at the container level then one cannot be set at the blob level.
  • MMK: Microsoft Managed Keys
  • CMK: Customer Managed Keys

Azure Files

Azure Files provides managed file shares that are accessible via SMB or NFS.

Queue Storage

A messaging store for reliable messaging between application components.

Table Storage

A NoSQL store for schemaless storage of structured data.

Azure Disks

Block-level storage volumes for Azure VMs.
  • Disk encryption (DE) is supported for standard tier VMs
  • For Linux scale sets, encryption is supported only on the data volume, not the OS volume
  • Encryption is not supported for custom Linux images; only the Gallery images are supported.
Last modified: 2023/02/07 14:42 by mmuze