https://github.com/epomatti/azure-storage-security
Azure Storage security features
azure azure-blob azure-security azure-storage cmk terraform
- Host: GitHub
- URL: https://github.com/epomatti/azure-storage-security
- Owner: epomatti
- License: mit
- Created: 2023-12-10T23:21:45.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2023-12-31T23:35:28.000Z (almost 2 years ago)
- Last Synced: 2025-01-17T18:34:53.813Z (9 months ago)
- Topics: azure, azure-blob, azure-security, azure-storage, cmk, terraform
- Language: HCL
- Homepage:
- Size: 43 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Azure Storage Security
Implementing advanced security features with Azure Storage services.
Set the initial variables:

```sh
cp config/template.tfvars .auto.tfvars
```

Create the test infrastructure and storage:

```sh
terraform init
terraform apply -auto-approve
```

Use the Portal to create the containers `app1` and `app2`, assigning each its own encryption scope.
When you pick the scope, leave the option that applies it to all blobs in the container unchecked: individual uploads must still be able to choose a scope, otherwise the scenarios exercised by the app in this repository cannot be tested.
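The Portal step above, done in Terraform instead. This is an added example and not code from this repository; it assumes azurerm provider 4.x argument names, an existing `azurerm_storage_account.main` with a system-assigned identity, and an `azurerm_key_vault_key.cmk` that the account's identity is allowed to wrap and unwrap with. Every resource name and scope name is a placeholder. The `encryption_scope_override_enabled = true` lines are the Terraform equivalent of not enforcing the default scope for all blobs.

```hcl
# Added example, not part of this repository. Assumes azurerm provider 4.x,
# an existing azurerm_storage_account.main (with identity { type = "SystemAssigned" })
# and an azurerm_key_vault_key.cmk the account's identity can wrap/unwrap with.
# All names below are placeholders.

# Scope 1: Microsoft-managed key. Blobs written under this scope use a key
# that is separate from the account's default encryption key.
resource "azurerm_storage_encryption_scope" "app1" {
  name               = "app1scope"
  storage_account_id = azurerm_storage_account.main.id
  source             = "Microsoft.Storage"
}

# Scope 2: customer-managed key in Key Vault. The versionless key ID lets the
# scope follow key rotation. Infrastructure (double) encryption is decided
# when the scope is created.
resource "azurerm_storage_encryption_scope" "app2" {
  name                               = "app2scope"
  storage_account_id                 = azurerm_storage_account.main.id
  source                             = "Microsoft.KeyVault"
  key_vault_key_id                   = azurerm_key_vault_key.cmk.versionless_id
  infrastructure_encryption_required = true
}

# Container app1: default scope set, override allowed (the README's
# "do not enforce default for all blobs"). An upload that names another
# scope is accepted; an upload that names none is encrypted under app1scope.
resource "azurerm_storage_container" "app1" {
  name                              = "app1"
  storage_account_id                = azurerm_storage_account.main.id
  container_access_type             = "private"
  default_encryption_scope          = azurerm_storage_encryption_scope.app1.name
  encryption_scope_override_enabled = true
}

# Container app2: same shape, backed by the customer-managed-key scope.
resource "azurerm_storage_container" "app2" {
  name                              = "app2"
  storage_account_id                = azurerm_storage_account.main.id
  container_access_type             = "private"
  default_encryption_scope          = azurerm_storage_encryption_scope.app2.name
  encryption_scope_override_enabled = true
}
```

Outside of a test setup, set `encryption_scope_override_enabled = false` on a container that is meant to hold only CMK-protected data; with override allowed, any client with write access can place a blob under a different (possibly Microsoft-managed) scope, and the container's default is then only a convention.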
## Performance
From the documentation:
> - **Standard** allows you to have any data service (Blob, File, Queue, Table) and uses magnetic disk drives.
> - **Premium** provides more services for storing data. For example, storing unstructured object data as block blobs or append blobs, and specialized file storage used to store and create premium file shares. These storage accounts use solid-state drives (SSD) for storage.

Additional comment on the [number of storage accounts][2]:
> Typically, your data diversity, cost sensitivity, and tolerance for management overhead determine the number of storage accounts you need.
## Common usages
- Browser uploads
- Distributed access
- Streaming data
- Archiving and recovery
- Application access

## Public Access Level
- **Private**: (Default) Prohibits anonymous access to the container and its blobs.
- **Blob**: Allows anonymous public read access to the blobs only; the container itself cannot be listed.
- **Container**: Allows anonymous public read and list access to the entire container, including the blobs.

The container-level setting only takes effect when the storage account itself permits anonymous access (`allow_nested_items_to_be_public` on `azurerm_storage_account`). New accounts created through the Portal default to disallowing it; keep it disabled unless a container genuinely needs anonymous reads, since `Container` access also exposes the blob listing.

## Access Tiers
Check the documentation: [Access Tiers][3]
## Blob types
- Block: binary or text files, uploaded as blocks and committed as one object
- Append: logs and other append-only data
- Page: disks, random-access 512-byte pages (used for VM disks)

## Authorization
Check the documentation for [authorization options][4].
## User Delegation SAS
Issued through the REST API (the `Get User Delegation Key` operation) and signed with Microsoft Entra credentials rather than the account key, so it keeps working when shared key access is disabled on the account. The delegation key lives at most seven days, and all SAS tokens signed with it can be revoked by revoking the account's user delegation keys. You do not have to call REST directly: the Portal offers "User delegation key" as a signing method for blobs, and `az storage blob generate-sas --as-user --auth-mode login` wraps the same call.
## Stored Access Policy
Defined on a container through the [REST API][5] (`Set Container ACL`); the Portal's container "Access policy" blade and `az storage container policy create` wrap the same call. A service SAS that references a stored policy can be revoked by deleting or changing the policy, which is the main reason to prefer policy-bound SAS over ad-hoc ones.
## Azure Files Authentication
TODO: Need to implement this.
## Networking
### Service Endpoints
Connection via a service endpoint: the client subnet must have the `Microsoft.Storage` service endpoint enabled, and the storage account firewall must deny by default and explicitly allow that subnet. The endpoint alone only changes the source address the account sees; the firewall rule is what restricts access.
### Private Link
A private endpoint gives the account a private IP in your VNet; clients must resolve the account through the matching private DNS zone (`privatelink.blob.core.windows.net` for Blob), otherwise they keep hitting the public endpoint. Check the private DNS zones for [Storage][1].
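The account-level controls behind the Public Access Level and Networking sections in one place, as an added example rather than this repository's own code. It assumes azurerm provider 4.x argument names and an existing `azurerm_resource_group.main` and `azurerm_virtual_network.main`; every name and address range is a placeholder.

```hcl
# Added example, not part of this repository. Assumes azurerm provider 4.x and
# existing azurerm_resource_group.main / azurerm_virtual_network.main.
# All names and address ranges are placeholders.

# Subnet that reaches the account over a service endpoint.
resource "azurerm_subnet" "app" {
  name                 = "snet-app"
  resource_group_name  = azurerm_resource_group.main.name
  virtual_network_name = azurerm_virtual_network.main.name
  address_prefixes     = ["10.0.1.0/24"]
  service_endpoints    = ["Microsoft.Storage"]
}

resource "azurerm_storage_account" "main" {
  name                     = "stsecuredemo001" # placeholder, must be globally unique
  resource_group_name      = azurerm_resource_group.main.name
  location                 = azurerm_resource_group.main.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Public Access Level is decided here first: with this false, a container
  # set to "Blob" or "Container" still refuses anonymous requests.
  allow_nested_items_to_be_public = false

  # Data-plane calls must use Entra ID or a user delegation SAS; account-key
  # SAS and stored-access-policy (service) SAS stop working.
  shared_access_key_enabled = false

  min_tls_version            = "TLS1_2"
  https_traffic_only_enabled = true

  # Keep the public endpoint reachable only from the allow-listed subnet.
  # Setting public_network_access_enabled = false would also cut the
  # service-endpoint path and leave the private endpoint as the only way in.
  public_network_access_enabled = true
  network_rules {
    default_action             = "Deny"
    bypass                     = ["AzureServices"]
    virtual_network_subnet_ids = [azurerm_subnet.app.id]
  }
}

# Private Link: a subnet for the endpoint, the zone named in the Storage
# private-endpoint DNS table, and the link that makes the VNet use it.
resource "azurerm_subnet" "pe" {
  name                 = "snet-pe"
  resource_group_name  = azurerm_resource_group.main.name
  virtual_network_name = azurerm_virtual_network.main.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_private_dns_zone" "blob" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = azurerm_resource_group.main.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "blob" {
  name                  = "link-blob"
  resource_group_name   = azurerm_resource_group.main.name
  private_dns_zone_name = azurerm_private_dns_zone.blob.name
  virtual_network_id    = azurerm_virtual_network.main.id
}

resource "azurerm_private_endpoint" "blob" {
  name                = "pe-blob"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  subnet_id           = azurerm_subnet.pe.id

  private_service_connection {
    name                           = "psc-blob"
    private_connection_resource_id = azurerm_storage_account.main.id
    subresource_names              = ["blob"] # one endpoint per sub-service
    is_manual_connection           = false
  }

  # Registers the A record in the zone so the FQDN resolves to the private IP.
  private_dns_zone_group {
    name                 = "default"
    private_dns_zone_ids = [azurerm_private_dns_zone.blob.id]
  }
}
```

Two things to check after applying: with `shared_access_key_enabled = false`, Terraform's own data-plane resources (such as `azurerm_storage_container`) need `storage_use_azuread = true` in the `provider "azurerm"` block and a data RBAC role for the deploying identity; and from a VM in the linked VNet, `nslookup stsecuredemo001.blob.core.windows.net` should return the 10.0.2.x private IP, not a public one, or clients are still using the public endpoint.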
## Access Policies
- Stored access policies
- Immutable blob storage, in two policy types:
  - Legal hold
  - Time-based retention

[1]: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#storage
[2]: https://learn.microsoft.com/en-us/training/modules/create-azure-storage-account/2-decide-how-many-storage-accounts-you-need
[3]: https://learn.microsoft.com/en-us/training/modules/configure-blob-storage/4-create-blob-access-tiers
[4]: https://learn.microsoft.com/en-us/training/modules/configure-storage-security/2-review-strategies
[5]: https://learn.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy