
Azure Storage Security: Secure Accounts with Encryption & Access Policies. Do you manage Azure storage accounts and need to learn available Azure security options for protecting them? This article discusses multiple ways to secure your Azure Storage accounts.

We start with an overview of Azure Store Accounts, their security risks, and why they need protection. After that, the article explores multiple ways to protect Azure Storage accounts from malicious actors.

Each method explains how it secures Azure Storage. Additionally, the guide includes a step-by-step for implementing the method.

Overview of Azure Storage Accounts

An Azure Storage account is a cloud-hosted service for saving different types of data objects – files, tables, blobs, and queues. Furthermore, since it is hosted in the Microsoft cloud, it is accessible from anywhere via HTTP or HTTPS, and therein lies the challenge.

Accessing Azure Storage accounts over the Internet makes them vulnerable to cyberattacks and potential data breaches. For instance, a storage account may be exposed to ransomware, viruses, or spyware.

Secondly, data stored in a public cloud is exposed to potential breaches due to unauthorized access. Additionally, Azure storage may be exposed to unintentional deletion and even phishing.

These are just a few security risks associated with storing business data in Azure Storage accounts. Fortunately, Microsoft provides built-in security tools to protect data stored in this all-important public cloud storage. 

In the remaining parts of this article, we explore these security tools and how to implement them.

Security Options for Azure Storage Accounts

Secure Azure Storage Accounts with Access Control (IAM)

The first step to securing the data stored in Azure Storage accounts is using Azure Role-Based Access Control (RBAC). RBAC allows SysAdmins to grant access through pre-defined Azure Active Directory roles.

When a role is assigned on a storage account, members of that role automatically receive the permissions pre-defined in that role. For instance, if a user is given the Storage Blob Data Contributor role on a storage account, the user gets read, write, and delete permissions on the Azure Storage blob containers and data.

Beyond granting permissions to users using Azure RBAC, Azure storage accounts also allow Deny Assignments. These stop users from performing specific tasks in storage accounts.

When we published this article in August 2023, Azure storage account Deny Assignments were only available using Azure Blueprints.

How to Secure Azure Storage Accounts with RBAC Role Assignments

1. Sign in to portal.azure.com and open the Azure Storage account.
2. After that, click Access Control (IAM) -> + Add and choose “Add role assignment.”

3. Once the “Add role assignment” page opens, search for the Azure role you want to assign on the storage account. For instance, to assign a user the Storage Blob Data Contributor role, search for this role, select it, and click Next.

4. Choose to assign access to “User, group, or service principal” or “Managed identity.” After choosing the “Assign access to” option, click “+ Select members.”

Finally, select the users you want to grant access to using the role and click Select.

5. When the wizard returns to the main page, click “Review + assign.”

Manage Azure Storage Account Access with Shared Access Signature

Beyond granting permissions to Azure Storage using RBAC, this can also be done via Access keys. When a Storage account is created, Azure generates two 512-bit access keys for the account.

Azure Storage account access keys grant access to applications. But if you do not want to share access keys with third parties, use a shared access signature (SAS) instead.

A SAS is a URI that gives restricted permissions to Azure Storage resources. Moreover, this allows granular access configuration.

For instance, when configuring a shared access signature, there is the option to define the allowed storage services, such as Blob, File, Queue, or Table. Additionally, access at the Service, Container, or Object level is configured.

An Azure Storage account SAS also allows granular permission configuration. For instance, Read, Write, Delete, etc., can be configured.

It also has the option to set the date range during which the SAS is valid, which aligns with the principle of just-in-time access.

How to Secure Azure Storage Account with Shared Access Signature

1. Open the Azure Storage account and select Shared access signature from the “Security + networking menu.”

2. Once the Shared access signature page opens, configure the sections, scroll to the bottom, and click “Generate SAS and connection string.”

Note that the checkboxes under “Allowed resource types” are unchecked by default. So, you must check at least one option to create the SAS. 

When you click “Generate SAS and connection string,” Azure generates a Connection string and SAS token. Additionally, it also creates SAS URLs for all the services you selected.
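The portal builds the SAS token for you, but it helps to see what the token actually is: a set of query parameters (services, resource types, permissions, expiry, protocol) plus an HMAC-SHA256 signature computed with the account key over those exact parameters. The following example, added here and not part of the original article or any Microsoft SDK, builds an account SAS with the pre-2020-12-06 string-to-sign layout, verifies that any edited parameter breaks the signature, and audits a token for settings that widen exposure. The account name and key are constructed sample values.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote

# Constructed sample values (not real credentials): a fake account name and a fake
# 512-bit key, base64-encoded as the portal's "Access keys" blade would show it.
ACCOUNT = "examplestorageacct"
ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()
API_VERSION = "2020-10-02"  # the string-to-sign layout below is the pre-2020-12-06 one
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def utc_in(hours):
    return datetime.now(timezone.utc) + timedelta(hours=hours)

def _sign(q):
    """HMAC-SHA256 over the account SAS string-to-sign, keyed with the decoded account key."""
    string_to_sign = "\n".join([ACCOUNT, q["sp"], q["ss"], q["srt"], q.get("st", ""),
                                q["se"], q.get("sip", ""), q.get("spr", ""), q["sv"]]) + "\n"
    mac = hmac.new(base64.b64decode(ACCOUNT_KEY), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def account_sas(permissions, services, resource_types, expiry, protocol="https", ip_range=""):
    """Build an account SAS query string; the arguments decide how narrow the grant is."""
    q = {"sv": API_VERSION, "ss": services, "srt": resource_types, "sp": permissions,
         "se": expiry.strftime(TIME_FMT), "spr": protocol}
    if ip_range:
        q["sip"] = ip_range
    q["sig"] = _sign(q)
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in q.items())

def parse_sas(token):
    return {k: v[0] for k, v in parse_qs(token).items()}

def verify_sas(token):
    """True only if the signature matches; editing any parameter invalidates the token."""
    q = parse_sas(token)
    return hmac.compare_digest(_sign(q), q.get("sig", ""))

def audit_sas(token, max_hours=24):
    """Flag SAS settings that widen exposure beyond a short-lived, read-only grant."""
    q, findings = parse_sas(token), []
    if q.get("spr", "https,http") != "https":  # an omitted spr means HTTP is allowed too
        findings.append("allows plain HTTP")
    if set(q.get("sp", "")) & set("wdacuxy"):  # write, delete, add, create, update, ...
        findings.append("grants modifying permissions: " + q["sp"])
    expiry = datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if expiry - datetime.now(timezone.utc) > timedelta(hours=max_hours):
        findings.append(f"valid for more than {max_hours} hours")
    return findings
```

A token such as `account_sas("r", "b", "o", utc_in(1))` (read-only, blob service, object level, HTTPS, one hour) passes the audit, while a 30-day read/write/delete token that allows HTTP produces three findings.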


Secure Azure Storage Accounts with Encryption

Data saved in Azure Storage accounts is automatically encrypted and decrypted using 256-bit AES encryption. This is known as service-level encryption, and it cannot be disabled.

Equally important, the service-level default encryption uses the Microsoft-managed keys. However, the key encryption type can be changed to a customer-managed key.

In addition to the service-level encryption, Microsoft offers the option to add a second level of encryption, known as infrastructure encryption. This option is for customers that require a second layer of data encryption.

Enabling the infrastructure encryption means protecting data stored in Azure Storage accounts with two keys – service-level (default encryption key) and infrastructure-level key. Both encryptions support Microsoft-managed keys or customer-managed keys.

To double-encrypt data in Azure Storage accounts, create an encryption scope of either Microsoft-managed or customer-managed keys. 

Microsoft-managed keys are stored in Azure Key Vault. However, when a customer-managed key is created, it is stored in Azure Key Vault or Key Vault Managed Hardware Security Module (HSM).

Follow these steps to create a Microsoft-managed infrastructure-level encryption key.

1. Open the storage account, click Encryption on the “Security + networking” menu, then choose the “Encryption scopes” tab.

2. After that, click “+ Add”. Then, on the “Create encryption scope” flyout, give the encryption scope a name, select Enabled, and click Create.

Securing Azure Storage Accounts with Networking

Azure Storage accounts are accessed over the internet (public network access) by default. The default public network access setting is “Enabled from all networks.”

However, access can be limited to selected virtual networks and IP addresses. Alternatively, access from public networks (the internet) can be disabled.

When internet access to a storage account is disabled, a private endpoint connection must be created to access the storage account. 

Let’s discuss the options available when access to a storage account is limited to specific virtual networks and IP addresses.

Firstly, selecting this option enables adding the storage account to a virtual network (vNet). By implication, adding a storage account to a vNet means that the storage account is secured with an Azure Network Security Group (NSG) or Azure Firewall.

Beyond that, when you enable access from specific vNets or IP addresses, you can also grant access to a storage account to specific resource instances based on their system-assigned managed identity.

Finally, it enables configuring whether to route traffic via the Microsoft network or the internet.

Earlier, I hinted that access to an Azure Storage account could be via a private endpoint. This is essential if public (internet) access to the account is disabled. 

Creating a private endpoint allows a private (non-internet) connection to the storage account. 

In the following two subsections, we discuss the steps to improve the security of an Azure Storage account by allowing access to specific vNet or IPs, or enabling private endpoints. 

Configure Public Network Access to Azure Storage Account

1. Click Networking under the “Security + networking” menu. As shown in the screenshot below, the default “Public network access” allows access to all networks. 

This means that anyone on the internet can access the storage account.

As I mentioned earlier, the default public access to an Azure Storage account routes traffic via the Microsoft network (default) or the Internet. By choosing Microsoft network routing, traffic to the storage account is routed closer to the client requesting access. 

On the contrary, selecting Internet routing directs traffic closer to the Azure storage endpoint. 

2. To enable access from selected vNets and/or IP addresses, select “Enabled from selected virtual networks and IP addresses.”

3. After that, configure the options and click the Save button at the top left of the screen.

4. Finally, you can disable public network access to a storage account entirely. Once you do that, you must create a private endpoint to access the storage account.

How to Create Private Endpoint Connection to an Azure Storage Account

Creating a private endpoint to a storage account requires a virtual network (vNet). Therefore, before proceeding with these steps, ensure you have an existing vNet. 

1. Open the Azure Storage account and click Networking -> Private endpoint connections. Next, on the Private endpoint connections tab, click “+ Private endpoint.”

2. Once the “Create a private endpoint” wizard opens, choose a subscription and resource group. Additionally, give the endpoint a name, pick an Azure region, and click “Next: Resources.”

3. On the Resources tab, click the “Target sub-resource” drop-down and select the type of Azure Storage account you want to access using the endpoint. After that, click “Next: Virtual Network >.”

4. When the Virtual Network tab opens, select a vNet and the subnet. Optionally, enable Network security groups by clicking Edit beside Disabled.

You can also configure the IP address to be assigned statically instead of dynamically. When you finish, click “Next: DNS >.”

5. On the DNS tab, Microsoft recommends integrating with a private DNS zone – accept this default.

Otherwise, select No and use your own DNS servers. Once done, click Next twice to load “Review + create.”

After that, Azure reviews your selections, and if all pass the validation, click Create to deploy the private endpoint. 

Note the Private DNS zone name, as you require it to access the storage account. 

Secure Azure Storage Accounts with Data Management

The Azure Storage account Data management menu offers two methods to protect data. Firstly, use the Redundancy configuration to distribute your data across Azure data centres or regions to secure it against inevitable failures.

However, the redundancy options available in your storage account depend on whether you created a Standard or Premium storage account. A Standard storage account supports the following levels of redundancy:

Locally-redundant storage (LRS): this redundancy protects data against server rack and drive failures. It is not recommended for critical data, as it does not protect data against data center failures.

Geo-redundant storage (GRS): this provides failover to a secondary region. GRS offers the additional option to make data available as read-only in the event of regional unavailability. 

Zone-redundant storage (ZRS): ZRS protects data against data center failures and is used for high availability scenarios. 

Geo-zone-redundant storage (GZRS): this combines the protection provided by GRS and ZRS. 

On the other hand, a Premium Azure Storage account offers the ability to choose the premium storage account type – page blob, block blob, or file share. Additionally, a premium Azure storage account supports LRS and ZRS.

Beyond data redundancy, Azure storage accounts support Azure Backup for blobs and point-in-time restore for containers. 

To configure data redundancy for a storage account, click Redundancy in “Data management.” After that, click the Redundancy drop-down, choose an option, and click Save. 

Like the redundancy settings, the recovery settings are also on the Data management menu under Data protection. 

Avoid Accidental Deletion of Azure Storage Accounts with Locks

Azure resources, including Storage accounts, allow the creation of Locks to prevent writes or accidental deletes. Locks can be created at the Resource group or subscription level. 

Azure Locks enforced at the subscription level apply to resource groups and resources in the subscription. For example, applying a read-only Lock at the subscription level stops adding resource groups to the subscription. 

Additionally, this stops creating resources in any resource group in the subscription. 

The screenshot below shows an error message when I tried creating a storage account in a resource group under the Pay-As-You-Go subscription. The error message was triggered because the subscription has a Read-only Lock. 

Creating a Lock on an Azure Storage Account improves its security by stopping accidental writes or deletions.

To create a delete Lock, open the storage account and click Locks in the Settings menu. After that, click “+ add.”

On the “Add lock” pop-up, enter a name for the lock, select the type of lock – Read-only or Delete – then click OK.

To explore how this works, from the Overview menu, click Delete. As shown in the highlighted portion of the screenshot, attempting to delete the storage account displays an error message. 

Azure Storage Security: Secure Storage Accounts with Encryption & Access Policies Conclusion

Securing Azure Storage accounts protects them against known cyber attack vulnerabilities. This article highlighted some security risks of storing data in Azure Storage accounts.

We also explained various tools provided by Azure to mitigate these risks. Specifically, the article explained how to improve the security of Azure Storage accounts using Role-Based Access Control (RBAC).

Additionally, we discussed how to use Shared Access Signature and Encryption to protect Azure Storage accounts. 

Beyond that, the article explored the networking tools Azure provides to further protect storage accounts. Finally, we discussed data management tools and Locks. 

We hope you found the Azure Storage account security tools discussed in this article helpful. 


Victor Ashiedu

Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.
