Step 1: Create a Storage Account with Infrastructure Encryption. In the Azure portal, search for "Storage accounts" and select it.
Create a New Storage Account: Click "+ Create." Under Resource group, select "Create new," provide a name, and click "OK." Provide a globally unique storage account name.
Move to the "Encryption" tab and check "Enable infrastructure encryption." Note the warning: this setting adds a second, independent layer of encryption at the infrastructure level and can only be chosen at creation time; it cannot be enabled or disabled on an existing account.
Click "Review + create," then "Create," and wait for the deployment to complete.
Step 2: Provide a Managed Identity. Search for and select "Managed identities." Click "Create." Select your resource group and provide a name for the user-assigned managed identity. Click "Review + create," then "Create." The storage account will later use this identity, rather than your own credentials, to reach the key in Key Vault.
Assign Permissions to the Managed Identity: Search for and select your storage account. Go to the "Access Control (IAM)" blade and click "Add role assignment." Search for and select the "Storage Blob Data Reader" role, which grants read access to blob data only, not to the account keys or configuration.
On the Members page, select "Managed identity," then "User-assigned managed identity." Select your managed identity and click "Select." Click "Review + assign" twice to confirm.
Step 3: Secure Access with Key Vault and Key. Search for and select "Resource groups." Select your resource group and go to the "Access Control (IAM)" blade. Click "Add role assignment," search for and select the "Key Vault Administrator" role. Select "User, group, or service principal," then your user account. Click "Review + assign" twice to confirm. This data-plane role is what lets you create keys in a vault that uses Azure RBAC; owning the vault resource alone is not enough. Key Vault Administrator is a broad role and is used here only to keep the lab short; in production, grant a narrower role such as Key Vault Crypto Officer, and scope it to the vault rather than the resource group.
Create a Key Vault: Search for and select "Key vaults," then click "Create." Select your resource group and provide a unique name for the key vault. On the Access configuration tab, ensure "Azure role-based access control (recommended)" is selected. Click "Review + create," wait for validation, then click "Create."
Ensure both Soft-delete and Purge protection are enabled. Both are required for a key vault that holds storage customer-managed keys: without them a deleted or purged key would make the encrypted data permanently unreadable. Purge protection cannot be turned off once enabled.
Create a Customer-Managed Key: In the key vault, go to the "Keys" blade and select "Generate/Import." Name the key and accept the defaults for the remaining parameters (an RSA key of 2048 bits). Click "Create." Role assignments can take a few minutes to propagate; if key creation is refused, wait and retry.
Step 4: Configure the Storage Account to Use the Customer-Managed Key. Search for and select "Resource groups." Select your resource group and go to the "Access Control (IAM)" blade. Click "Add role assignment," search for and select the "Key Vault Crypto Service Encryption User" role. This role allows only the get, wrap and unwrap key operations that the storage service needs; it cannot create, delete or export keys. On the Members page, select "Managed identity," then "User-assigned managed identity." Select your managed identity and click "Select." Click "Review + assign" twice to confirm. Assigning this role on the key vault itself instead of the resource group is the least-privilege choice.
Configure Storage Account Encryption: Return to your storage account and go to the "Encryption" blade under the Security + networking section. Select "Customer-managed keys," then select your key vault and key. Ensure the Identity type is "User-assigned" and select your managed identity. Click "Add" and save your changes. If the save fails with an authorization error, the role assignment from the previous step has not yet propagated.
Step 5: Configure a Time-Based Retention Policy and an Encryption Scope. In your storage account, go to "Containers" and create a container called "hold."
Upload a file to the container. In the "Settings" section of the container, select the "Access policy" blade. Under Immutable blob storage, add a policy of type "time-based retention" and set the retention period to 5 days. Save your changes and verify that deleting the file fails because of the policy. Note that the policy is created in the unlocked state: blobs cannot be deleted or overwritten, but a user with sufficient permissions can still shorten or remove the policy itself. Only a locked policy is tamper-proof, and locking is irreversible.
Create an Encryption Scope: Navigate back to your storage account and select "Encryption" under Security + networking. On the "Encryption scopes" tab, click "Add." Provide a name for the encryption scope and set the Encryption type to "Microsoft-managed key." Enable Infrastructure encryption and create the encryption scope. An encryption scope lets individual containers or blobs in the same account be encrypted under a different key configuration than the account default.
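The five portal steps above, expressed as a single Bicep template. This is an added example and not part of the original lab: the resource names (the parameter defaults, the key name storage-cmk and the scope name mmk-double) are assumptions, and the built-in role definition GUIDs are the fixed IDs Azure uses for Storage Blob Data Reader and Key Vault Crypto Service Encryption User. Deploy it into an existing resource group with az deployment group create -g <rg> -f main.bicep.

```bicep
// Added example, not from the original lab. Assumed names are marked below.
param location string = resourceGroup().location
param storageAccountName string = 'labstor${uniqueString(resourceGroup().id)}' // assumed
param keyVaultName string = 'labkv${uniqueString(resourceGroup().id)}'         // assumed
param identityName string = 'lab-identity'                                    // assumed

// Built-in role definition IDs (identical in every tenant)
var storageBlobDataReader = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
var keyVaultCryptoServiceEncryptionUser = 'e147488a-f6f5-4113-8e2d-b22465e65bf6'

// Step 2: user-assigned identity the storage service will use to reach the key
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// Step 3: RBAC-mode vault; soft-delete and purge protection are mandatory for storage CMK
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
    enableSoftDelete: true
    enablePurgeProtection: true
  }
}

resource cmk 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: keyVault
  name: 'storage-cmk' // assumed
  properties: { kty: 'RSA', keySize: 2048 }
}

// Step 4 (role): wrap/unwrap only, scoped to the vault rather than the resource group
resource kvRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, uami.id, keyVaultCryptoServiceEncryptionUser)
  scope: keyVault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultCryptoServiceEncryptionUser)
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

// Steps 1 and 4: infrastructure encryption (creation-time only) plus the customer-managed key.
// dependsOn makes the role assignment exist before the account first tries to wrap its key.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${uami.id}': {} }
  }
  properties: {
    encryption: {
      requireInfrastructureEncryption: true
      keySource: 'Microsoft.Keyvault'
      keyvaultproperties: { keyname: cmk.name, keyvaulturi: keyVault.properties.vaultUri }
      identity: { userAssignedIdentity: uami.id }
    }
  }
  dependsOn: [ kvRole ]
}

// Step 2 (role): read-only blob data access for the identity
resource blobRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, uami.id, storageBlobDataReader)
  scope: storage
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataReader)
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

// Step 5: "hold" container with an unlocked 5-day time-based retention policy
resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
  parent: storage
  name: 'default'
}

resource hold 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
  parent: blobService
  name: 'hold'
}

resource retention 'Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies@2023-01-01' = {
  parent: hold
  name: 'default'
  properties: { immutabilityPeriodSinceCreationInDays: 5, allowProtectedAppendWrites: false }
}

// Step 5: encryption scope using a Microsoft-managed key with infrastructure encryption
resource encScope 'Microsoft.Storage/storageAccounts/encryptionScopes@2023-01-01' = {
  parent: storage
  name: 'mmk-double' // assumed
  properties: { source: 'Microsoft.Storage', state: 'Enabled', requireInfrastructureEncryption: true }
}
```

Two points differ deliberately from the portal walkthrough. The Key Vault Crypto Service Encryption User assignment is scoped to the vault, not the resource group, since the storage service only needs to wrap and unwrap this one key. And the template omits the Key Vault Administrator assignment for your user account, because the deployment itself creates the key through the control plane; add that role only if you need to manage keys interactively afterwards. Role assignment propagation is eventually consistent, so a first deployment can fail on the storage account with an authorization error; rerunning the same template is safe and normally succeeds.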