INTRODUCTION
Providing secure and scalable storage for a new company application is a foundational step in cloud architecture. A properly configured Azure Storage account ensures high availability, data protection, controlled access, and compliance with security best practices. In this exercise, we deploy and configure storage resources that support the application while maintaining strong security and governance standards.
IMPLEMENTATION STEPS
1. Create the Storage Account with Infrastructure Encryption
🎯 Objective:
Provision a secure storage account for a web application with infrastructure-level encryption enabled.
🛠️ Steps:
1. Go to Storage accounts → click + Create.
2. Create a new Resource group.
3. Provide a globally unique Storage account name.
4. Navigate to the Encryption tab.
5. Enable Infrastructure encryption (note: this cannot be changed after creation).
6. Select Review + Create → Create.
7. After deployment, select Go to resource.
2. Create and Configure a Managed Identity
2a. Create a User-Assigned Managed Identity
🎯 Objective:
Provide secure, passwordless authentication for the web app.
🛠️ Steps:
1. Search for Managed identities → click + Create.
2. Select your resource group.
3. Provide a name for the managed identity.
4. Select Review + Create → Create.
2b. Assign Storage Permissions to the Managed Identity
🎯 Objective:
Grant the identity read-only access to blobs and containers.
🛠️ Steps:
1. Open the Storage account.
2. Go to Access Control (IAM).
3. Select Add role assignment.
4. Choose the role Storage Blob Data Reader.
5. Under Members, select Managed identity.
6. Choose User-assigned managed identity.
7. Select your managed identity.
✅ Result:
The managed identity can securely read and list blobs without using storage keys.
3. Secure Access with Key Vault and Customer-Managed Key
3a. Assign Key Vault Administrator Role
🎯 Objective:
Grant your user account permissions to manage keys.
🛠️ Steps:
1. Navigate to Access Control (IAM).
2. Select Add role assignment.
3. Assign the Key Vault Administrator role to your user account.
4. Select Review + assign.
3b. Create a Key Vault
🎯 Objective:
Store encryption keys securely.
🛠️ Steps:
1. Search for Key vaults → select + Create.
2. Select your resource group.
3. Provide a globally unique name.
4. Ensure Azure role-based access control is selected.
5. Select Review + Create → Create.
6. After deployment, verify Soft-delete and Purge protection are enabled.
3c. Create a Customer-Managed Key
🎯 Objective:
Generate a key to control storage encryption.
🛠️ Steps:
1. In the key vault, select Keys → Generate/Import.
2. Provide a name.
3. Accept defaults.
4. Select Create.
4. Configure Storage Account to Use Customer-Managed Key
4a. Assign Crypto Role to Managed Identity
🎯 Objective:
Allow the managed identity to access the encryption key.
🛠️ Steps:
1. Go to Resource group → select Access Control (IAM).
2. Select Add role assignment.
3. Choose Key Vault Crypto Service Encryption User.
4. Select Managed identity → User-assigned.
5. Choose your managed identity.
6. Select Review + assign.
4b. Enable Customer-Managed Keys on Storage Account
🎯 Objective:
Configure storage to use the Key Vault key for encryption.
🛠️ Steps:
1. Open the Storage account.
2. Navigate to Security + networking → Encryption.
3. Select Customer-managed keys.
4. Choose your Key vault and key.
5. Set Identity type to User-assigned.
6. Select your managed identity.
7. Click Save.
✅ Result:
The storage account now uses a customer-managed key stored in Azure Key Vault.
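A post-deployment audit for the end state of sections 1, 3b and 4, written as an added example (not part of the original lab). The dictionaries follow the JSON shape printed by `az storage account show` and `az keyvault show`; the SAMPLE_* values, the `<sub>` placeholder and the resource names are constructed for illustration.

```python
# Post-deployment audit for the lab's end state. The dictionaries follow the
# JSON shape printed by `az storage account show` and `az keyvault show`;
# the SAMPLE_* values are constructed for illustration, not from a real tenant.

def audit_storage_account(sa: dict) -> list[str]:
    """Return findings for sections 1 and 4 (empty list means compliant)."""
    findings = []
    enc = sa.get("encryption") or {}
    if not enc.get("requireInfrastructureEncryption"):
        # Cannot be toggled later: the account has to be recreated.
        findings.append("infrastructure encryption is off")
    if enc.get("keySource") != "Microsoft.Keyvault":
        findings.append("encryption uses a Microsoft-managed key, not a CMK")
    kvp = enc.get("keyVaultProperties") or {}
    if not (kvp.get("keyName") and kvp.get("keyVaultUri")):
        findings.append("no Key Vault key selected for encryption")
    if (sa.get("identity") or {}).get("type") != "UserAssigned":
        findings.append("identity type is not User-assigned")
    if not (enc.get("encryptionIdentity") or {}).get("encryptionUserAssignedIdentity"):
        findings.append("no user-assigned identity bound to the key")
    return findings

def audit_key_vault(kv: dict) -> list[str]:
    """Return findings for section 3b (soft delete, purge protection, RBAC)."""
    props = kv.get("properties") or {}
    checks = [
        ("enableSoftDelete", "soft delete is off: deleting the key deletes the data"),
        ("enablePurgeProtection", "purge protection is off: a deleted key can be purged early"),
        ("enableRbacAuthorization", "vault uses access policies, not Azure RBAC"),
    ]
    return [msg for prop, msg in checks if not props.get(prop)]

# Constructed sample resources (placeholder subscription id).
MI_ID = "/subscriptions/<sub>/resourceGroups/rg-lab/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-webapp"
SAMPLE_SA = {
    "encryption": {
        "requireInfrastructureEncryption": True,
        "keySource": "Microsoft.Keyvault",
        "keyVaultProperties": {"keyName": "cmk-storage", "keyVaultUri": "https://kv-lab.vault.azure.net/"},
        "encryptionIdentity": {"encryptionUserAssignedIdentity": MI_ID},
    },
    "identity": {"type": "UserAssigned", "userAssignedIdentities": {MI_ID: {}}},
}
SAMPLE_KV = {"properties": {"enableSoftDelete": True, "enablePurgeProtection": True, "enableRbacAuthorization": True}}

if __name__ == "__main__":
    for name, findings in (("storage", audit_storage_account(SAMPLE_SA)), ("vault", audit_key_vault(SAMPLE_KV))):
        print(name, "OK" if not findings else findings)
```

On a live tenant, feed the output of `az storage account show` and `az keyvault show -n <vault>` (parsed with `json.loads`) into the two functions in place of the samples.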
5. Configure Time-Based Retention Policy (Immutable Storage)
🎯 Objective:
Prevent modification or deletion of files for a fixed retention period.
🛠️ Steps:
1. Go to Storage account → Containers.
2. Create a container named hold.
4. Go to Settings → Access policy.
5. Under Immutable blob storage, select + Add policy.
6. Select Time-based retention.
7. Set retention period to 5 days.
8. Save changes.
9. Attempt to delete the file.
10. Confirm deletion fails due to policy.
✅ Result:
Files cannot be modified or deleted until the retention period expires.
6. Configure an Encryption Scope
🎯 Objective:
Create an encryption scope with infrastructure encryption enabled.
🛠️ Steps:
1. Go to Storage account → Security + networking → Encryption.
2. Select the Encryption scopes tab.
3. Click Add.
4. Provide a name.
5. Set:
• Encryption type: Microsoft-managed key
• Infrastructure encryption: Enable
6. Create the encryption scope.
8. Under Advanced, select the encryption scope.
9. Apply it to all blobs in the container.
✅ Result:
Blobs within the container are encrypted using the defined encryption scope with infrastructure encryption enabled.
💡 Key Outcomes
✅ Storage account secured with infrastructure encryption.
✅ Managed identity configured for secure authentication.
✅ Customer-managed encryption key stored in Azure Key Vault.
✅ Immutable storage enforced with time-based retention.
✅ Encryption scope created for granular encryption control.