Securing Storage Accounts

Primary service:

• Azure Storage

This lesson explains how to secure Azure Storage Accounts at multiple layers:

• Encryption (data at rest & in transit)
• Authentication (who can access)
• Authorization (what they can do)
• Key management & SAS governance

Official documentation:

1️⃣ Security Goals for Storage Accounts#

Regardless of the service used (Blobs, Files, Queues, Tables), the objectives are:

✔ Protect data at rest ✔ Protect data in transit ✔ Control access (least privilege) ✔ Enable key rotation ✔ Support compliance & governance

2️⃣ Encryption in Azure Storage#

🔹 A. Encryption at Rest (Default)#

Azure Storage automatically uses:

Storage Service Encryption (SSE)#

• 256-bit AES encryption
• Enabled by default
• No extra configuration required

Docs:

🔹 B. Microsoft-Managed Keys (MMK)#

• Default option.

Azure:

• Generates
• Rotates
• Manages
• Protects keys

Best for:

• Simplicity
• Most production workloads

🔹 C. Customer-Managed Keys (CMK)#

• You can bring your own encryption keys.

Requires:

• Key stored in Azure Key Vault
• User-assigned managed identity

Key permissions:

• Get
• WrapKey
• UnwrapKey

Benefits:

• ✔ Regulatory compliance ✔ Full control over key lifecycle ✔ Ability to revoke access instantly

Docs:

🔹 D. Infrastructure Encryption#

• Optional second layer of encryption.

Adds:

• ✔ Double encryption at infrastructure level ✔ Extra compliance assurance

Important:

• ⚠ Must be enabled at storage account creation ⚠ Cannot be changed later

3️⃣ Encryption in Transit#

• Setting: Secure transfer required

When enabled:

• ✔ Only HTTPS allowed ❌ HTTP blocked

This prevents:

• Man-in-the-middle attacks
• Plain-text data transmission
• Recommended: Always enabled (default).

Docs:

4️⃣ Authentication Layers Explained#

There are two distinct layers:

🔹 1. Management Plane#

Controls:

• Storage account settings
• Configuration
• Networking
• Key settings

Managed via:

• Azure RBAC

🔹 2. Data Plane#

Controls:

• Blob access
• File access
• Queue messages
• Table entities

Can use:

• Access Keys
• SAS
• Microsoft Entra ID
• Understanding this distinction is critical for exams.

5️⃣ Access Keys#

Every storage account includes:

• ✔ Key1 ✔ Key2

Characteristics:

• Full root-level access
• Covers management + data plane
• Unlimited permissions

Use case:

• Legacy apps
• Simplified connection strings

Risk:

• ❗ Too much privilege ❗ Hard to audit

🔹 Key Rotation Strategy#

Use dual-key model:

• App uses Key1
• Switch app to Key2
• Regenerate Key1
• Repeat cycle

If you regenerate without switching:

• Application breaks immediately.

Docs:

6️⃣ Shared Access Signatures (SAS)#

SAS provides:

• ✔ Limited access ✔ Time-bound access ✔ Permission-scoped access
• Instead of giving full access key, you generate a token.

🔹 SAS Levels#

1. Account-level SAS#

Grants access to:

• Multiple services
• Entire storage account

2. Service-level SAS#

Grants access to:

• Specific container
• Specific service (Blob, File, etc.)

3. Object-level SAS#

Grants access to:

Single blob

🔹 SAS Controls#

You can restrict:

• ✔ Start time ✔ Expiry time ✔ Permissions (Read, Write, Delete, List, etc.) ✔ IP address range ✔ Allowed protocols (HTTPS only recommended)

Docs:

7️⃣ User Delegation SAS (More Secure)#

Instead of signing with account key:

Use:

• Microsoft Entra identity

This is called:

• User Delegation SAS

Benefits:

• ✔ No storage account keys required ✔ Azure RBAC enforced ✔ Better security model
• Recommended for modern architectures.

8️⃣ Stored Access Policies#

Stored Access Policies allow:

• ✔ Centralized management of SAS tokens ✔ Modify or revoke multiple SAS tokens at once

How it works:

• Create policy on container
• Attach SAS tokens to that policy
• Modify policy → affects all attached SAS tokens

This solves:

• Problem of "unrevokable" SAS tokens.

Docs:

9️⃣ Disabling Key-Based Access#

You can disable:

• Storage account key access

Then only allow:

• Microsoft Entra ID authentication
• This enforces stronger identity-based access control.
• Recommended for enterprise security.

🔟 Security Architecture Summary#

Azure Storage Security Stack:

Layer 1: Encryption at Rest (SSE) Layer 2: Encryption in Transit (HTTPS) Layer 3: Authentication (Keys / SAS / Entra ID) Layer 4: Authorization (RBAC / Policies) Layer 5: Key Rotation & Governance

11️⃣ Best Practice Recommendations#

✔ Keep Secure transfer enabled ✔ Use Microsoft Entra ID over access keys ✔ Prefer User Delegation SAS ✔ Rotate access keys regularly ✔ Use Stored Access Policies ✔ Use CMK if compliance requires ✔ Disable key access in enterprise environments

12️⃣ Common Exam Pitfalls#

🚩 Access keys provide limited access → False 🚩 SAS can be time-restricted → True 🚩 Infrastructure encryption can be changed later → False 🚩 Encryption at rest must be manually enabled → False 🚩 You can revoke SAS by deleting policy → True

13️⃣ Real-World Security Model Example#

Enterprise secure design:

• CMK with Azure Key Vault
• Infrastructure encryption enabled
• Secure transfer required
• Key access disabled
• RBAC enforced
• User Delegation SAS for temporary sharing
• Lifecycle management for old data
• Access logs enabled

14️⃣ Deep Concept: Why Keys Are Risky#

Access keys:

• Bypass RBAC
• Grant full control
• Hard to audit
• Often embedded in code

Modern recommendation:

Move toward:

• Identity-based authentication (Entra ID + RBAC)

15️⃣ Complete Security Flow Example#

• User authenticates via Entra ID
• RBAC determines permissions
• Blob request over HTTPS
• Data encrypted at rest
• Optional CMK used
• Optional infrastructure encryption applied
• This provides end-to-end protection.

Final Summary#

Securing Azure Storage involves:

• Automatic encryption at rest
• Enforced HTTPS in transit
• Strong identity-based authentication
• Limited-scope SAS tokens
• Key rotation strategies
• Optional customer-managed encryption keys
• Stored access policies for centralized governance
• It is a layered security model combining encryption, identity, and access control.

If you'd like next:

• 🔐 Enterprise-grade storage security architecture blueprint
• 🧠 AZ-104 / AZ-204 exam questions on storage security
• 🏗 CMK + Key Vault deep technical flow
• 📊 Secure vs insecure configuration comparison
• 🛡 Zero-trust storage access design
• Tell me your goal (exam prep, architecture mastery, or enterprise design).