Further reading – Securing Storage

Further reading

That brings an end to this section. We have learned about VNet integration for the storage accounts and the different options available. In the next section, we will explore managing access keys.

We encourage you to read up on this topic further by using the following links:

• Configuring firewalls and VNets: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#change-the-default-network-access-rule

• Private endpoints for your storage accounts: https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints

• Private Link resources: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource

Storage access keys

Storage access keys are like passwords for your storage account: anyone holding a key has full access to the data in the account, regardless of who they are. Azure generates two of these when you provision your account, a primary and a secondary key (key1 and key2). The two keys are equivalent in what they can do; having two exists so that one can be regenerated while clients continue to use the other. Just like passwords, they need to be changed from time to time so that a leaked key does not remain valid indefinitely. This practice is referred to as key rotation. In the following section, we will run through an example of how to access your keys and how to renew them.

Managing access keys

In this demonstration, we will explore how to view access keys as well as how to renew them:

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. Go to a storage account.
  3. On the left menu for the storage account, click Access keys under the Security + networking context. You will notice key1 and key2, as well as the last rotated date for each.
  4. To copy the access keys, a two-step process will be performed. First, click on Show keys.

Figure 7.12 – Show keys

  5. Then, copy the corresponding key for the storage account by clicking the clipboard icon.

Figure 7.13 – Copying an access key

Now that you know how to access the storage access keys, we will look at how to rotate keys in the following exercise:

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. Go to a storage account.
  3. On the left menu for the storage account, click Access keys under the Security + networking context. Click Rotate key in the key2 section.

Figure 7.14 – Rotate key option

  4. A notification will come up to confirm that you want to regenerate the key. Click Yes.

Figure 7.15 – Regenerate access key

  5. Repeat the process for key1.

You have now completed a key rotation for a storage account. Regenerating a key invalidates its previous value immediately, so any client or SAS token that still relies on the old value loses access; that is the purpose of rotation, and it is also why the order of the steps matters. It is best practice to rotate these keys every 90 days. As a recommendation, key2 should be rotated first and the new value rolled out to every relevant application and service; only once nothing still depends on key1 should key1 be rotated. This ordering assumes your workloads normally use key1, and it ensures that a key is never regenerated while business-critical services are still using it, which would cause unnecessary downtime. The rotation process should still be properly planned and maintained through an appropriate change control process within your organization.

Top Tip

As a best practice, keys should be rotated every 90 days to limit how long a leaked key can be used against the account. Regenerating a key also invalidates every account SAS or service SAS that was signed with it, so rotation bounds the attack window for a compromised SAS token. Note that user delegation SAS tokens are signed with Azure AD credentials rather than the account key and are not affected by key rotation.
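The portal steps above, and the Top Tip, can be scripted so that the rotation order is enforced rather than remembered. The following Az PowerShell script is an added example and is not code from the book; it assumes the Az.Accounts, Az.Storage and Az.KeyVault modules are installed, that Connect-AzAccount has already been run with rights to manage the account, and that the resource group, storage account and Key Vault names are placeholders you will replace. It rotates key2 first, hands the new value to a caller-supplied scriptblock that repoints consumers, and only then rotates key1, so the key in use is never regenerated while something still depends on it. It finishes by setting the account's key expiration policy to 90 days so the portal and Azure Policy flag overdue keys.

```powershell
# Added example (not from the original page). Placeholder names below are assumptions.
$ResourceGroup = 'rg-storage-demo'   # assumption: your resource group
$AccountName   = 'stdemoaccount'     # assumption: your storage account
$VaultName     = 'kv-demo'           # assumption: Key Vault holding the connection secret

function Get-StorageKeyAge {
    # Reports key1/key2 with the time they were last regenerated and their age in days.
    # CreationTime is returned by current Az.Storage releases; older releases omit it,
    # in which case AgeDays is left empty rather than guessed.
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$Name
    )
    Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $Name |
        ForEach-Object {
            [pscustomobject]@{
                KeyName      = $_.KeyName
                CreationTime = $_.CreationTime
                AgeDays      = if ($_.CreationTime) { [int]((Get-Date) - $_.CreationTime).TotalDays } else { $null }
            }
        }
}

function Get-StorageKeyValue {
    # Fetches the current value of one key without ever writing it to the console.
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('key1', 'key2')][string]$KeyName
    )
    (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $Name |
        Where-Object { $_.KeyName -eq $KeyName }).Value
}

function Invoke-SafeKeyRotation {
    # Rotates both keys in the order the chapter recommends, assuming workloads use key1:
    #   1. regenerate key2 (unused, so nothing breaks),
    #   2. repoint every consumer to the new key2 via $UpdateConsumers,
    #   3. regenerate key1, which also invalidates any account/service SAS signed with it.
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$Name,
        # Receives the new key value; must update app settings, secrets, pipelines, etc.
        [Parameter(Mandatory)][scriptblock]$UpdateConsumers
    )

    $null = New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $Name -KeyName 'key2'
    $newKey2 = Get-StorageKeyValue -ResourceGroupName $ResourceGroupName -Name $Name -KeyName 'key2'

    # Consumers must be on key2 before key1 is touched; a failure here aborts before step 3.
    & $UpdateConsumers $newKey2

    $null = New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $Name -KeyName 'key1'

    # Set the key expiration policy so overdue keys are surfaced in the portal and by Azure Policy.
    $null = Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $Name -KeyExpirationPeriodInDay 90

    Get-StorageKeyAge -ResourceGroupName $ResourceGroupName -Name $Name
}

# Usage: the consumer hook stores the new key in Key Vault as a secret named 'storage-key'
# (assumed name); applications that read the secret at startup pick it up on their next restart.
Invoke-SafeKeyRotation -ResourceGroupName $ResourceGroup -Name $AccountName -UpdateConsumers {
    param($NewKeyValue)
    $secret = ConvertTo-SecureString -String $NewKeyValue -AsPlainText -Force
    $null = Set-AzKeyVaultSecret -VaultName $VaultName -Name 'storage-key' -SecretValue $secret
}
```

The script never prints a key value; the only output is the key names with their regeneration times, which is what you want in a change record. If your workloads are on key2 rather than key1, swap the two key names in Invoke-SafeKeyRotation; the invariant to preserve is that the key being regenerated is the one nothing currently uses.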

In the next section, we will explore SAS tokens.
