In today's world, cloud applications require stronger safety and security so that their storage resources cannot be accessed by just anyone. These safety measures are made possible through access keys, managed identities, role-based access control (RBAC) and immutable storage policies.
In this exercise, we will configure secure Azure Storage access while exploring identity-based authentication and protected immutable storage.
By the end of this exercise, you'll have learned how to:
1) Configure secure Azure Storage access
2) Use Managed Identities for authentication
3) Implement Azure RBAC
4) Configure immutable blob storage policies
One might wonder what Managed Identities and RBAC are.
A managed identity is an Azure resource that securely authenticates to other Azure services without storing credentials inside application code.
RBAC, which is role-based access control, is another Azure feature that helps manage who or what can have access to an Azure resource, what they can do with it, when they can do it and for how long they can do it.
These two features help eliminate hardcoded credentials, control access permissions in a centralized way, improve overall cloud security and support least-privilege access principles.
So let's get started.
Assuming you have an Azure account, log into your portal and search for Storage accounts.

Then we create a new resource group, choose a name that is globally unique, and go to Review + create at the bottom.

We move to the Encryption tab and make some edits there.

Then review and create.
Step 2: Next we create a managed identity.
To do this we search for managed identity in the search bar.

Search for and select Managed identities.
Select Create.
Select your resource group.
Give your managed identity a name.
Select Review and create, and then Create.
Step 3: This step involves assigning the correct permissions to the managed identity we just created. The identity only needs to read and list containers and blobs, so that is all we grant it. To begin, let's go back to the storage account.
Search for storage account

In the storage account you created earlier (mine is "may30thstorageacct"), open the Access Control (IAM) blade and select Add role assignment (at the center of the page).
Then we search for the role, move to the Members page and follow the annotated image.

Then we review and create.
Your storage account can now be accessed by the managed identity with Storage Blob Data Reader permissions.
Step 4: This step entails securing the storage account with a key that will be kept in our key vault.
In the portal, search for and select Resource groups.
Select your resource group, and then the Access Control (IAM) blade.
Select Add role assignment (center of the page).
Search for the Key Vault Administrator role, just as we did for the previous assignment, move to the Members page and select User, group, or service principal.
Step 5: In the portal, search for and select Key vaults.
Select Create.
Select your resource group.
Provide the name for the key vault. The name must be unique.
Ensure on the Access configuration tab that Azure role-based access control (recommended) is selected.
Select Review + create.
Wait for the validation checks to complete and then select Create.
After the deployment, select Go to resource.
On the Overview blade, ensure both Soft-delete and Purge protection are enabled.
Create a customer-managed key in the key vault.

With the key created, we now have to give the managed identity permission to use the customer-managed key in the key vault, so that the storage account can use it.
In the portal, search for and select Resource groups.
Select your resource group, and then the Access Control (IAM) blade.
Select Add role assignment (center of the page).
On the Job function roles tab, search for and select the Key Vault Crypto Service Encryption User role.
On the Members page, select Managed identity.
Select Select members; in the Managed identity drop-down, select User-assigned managed identity.
Select your managed identity.
Click Select and then Review + assign.
Select Review + assign a second time to add the role assignment.
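As an added example (not part of the original lab and not Azure's own code), here is a small Python model of how Azure RBAC evaluates the two role assignments made in Step 3 and Step 5: the reader role scoped to the storage account and the Key Vault crypto role scoped to the resource group. The role definitions are a constructed subset of the real built-in roles, and the subscription id, resource group, vault and identity names are assumed placeholders.

```python
"""Model of Azure RBAC evaluation for this lab's two role assignments.
Added example, not Azure's code; role definitions are a constructed subset."""
from fnmatch import fnmatchcase

# Constructed subset of the built-in role definitions (actions abbreviated).
ROLES = {
    "Storage Blob Data Reader": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    },
    "Key Vault Crypto Service Encryption User": {
        "actions": [],
        "dataActions": [
            "Microsoft.KeyVault/vaults/keys/read",
            "Microsoft.KeyVault/vaults/keys/wrap/action",
            "Microsoft.KeyVault/vaults/keys/unwrap/action",
        ],
    },
}

# Assumed scopes: the lab's resource group and the resources inside it.
RG = "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/lab-rg"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/may30thstorageacct"
VAULT = RG + "/providers/Microsoft.KeyVault/vaults/lab-kv"

# Role assignments as (principal, role, scope). Step 3 assigns the reader role
# at the storage account; Step 5 assigns the crypto role at the resource group.
ASSIGNMENTS = [
    ("mi-storage-reader", "Storage Blob Data Reader", STORAGE),
    ("mi-storage-reader", "Key Vault Crypto Service Encryption User", RG),
]

def scope_covers(assigned: str, requested: str) -> bool:
    """A role assignment applies at its own scope and every child scope."""
    return requested == assigned or requested.startswith(assigned + "/")

def is_allowed(principal: str, action: str, scope: str, data: bool = True) -> bool:
    """Azure RBAC is additive: allow if any assignment grants a matching
    (data)action at a covering scope. Role definitions may use '*' wildcards,
    matched here with fnmatch. NotActions are omitted for brevity."""
    kind = "dataActions" if data else "actions"
    for who, role, assigned in ASSIGNMENTS:
        if who != principal or not scope_covers(assigned, scope):
            continue
        if any(fnmatchcase(action, pattern) for pattern in ROLES[role][kind]):
            return True
    return False
```

The reader identity can read blobs under may30thstorageacct and wrap keys anywhere in the resource group, but cannot write or delete blobs, and gets nothing on a different storage account in the same group.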
Step 5 continued
Return to your storage account.
In the Security + networking section, select the Encryption blade.
Select Customer-managed keys.
Click Select a key vault and key, then choose your key vault and your key.
Click Select to confirm your choices.
Ensure the Identity type is User-assigned.
Select an identity.
Select your managed identity then select Add.
Save your changes.
If you receive an error that your identity does not have the correct permissions, wait a minute and try again.
Step 6:
Navigate to your storage account.
In the Data storage section, select the Containers blade.
Create a container called hold. Take the defaults. Be sure to Create the container.
Upload a file to the container.
In the Settings section, select the Access policy blade.
In the Immutable blob storage section, select + Add policy.
For the Policy type, select time-based retention.
Set the Retention period to 5 days.
Be sure to Save your changes.
Try to delete the file in the container.
Verify you are notified that it "failed to delete blobs due to policy".
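To make the behaviour observed in Step 6 concrete, here is an added Python model (not Azure's code and not part of the original lab) of a container-level time-based retention policy. It assumes, as Azure documents, that retention is measured from each blob's creation time; until it expires, delete and overwrite are refused while reads and new uploads succeed. The container name, timestamps and error text are constructed.

```python
"""Model of the time-based retention policy from Step 6 (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed reference time for the worked timeline.
T0 = datetime(2024, 5, 30, tzinfo=timezone.utc)

def days(n: int) -> timedelta:
    return timedelta(days=n)

class PolicyViolation(Exception):
    """Raised where the portal reports 'failed to delete blobs due to policy'."""

class ImmutableContainer:
    def __init__(self, name: str, retention_days: int):
        self.name = name
        self.retention = days(retention_days)
        self.blobs: dict[str, tuple[bytes, datetime]] = {}  # name -> (data, created)

    def retained_until(self, blob: str) -> datetime:
        """Retention is counted from the blob's creation time (assumption)."""
        return self.blobs[blob][1] + self.retention

    def _check(self, blob: str, now: datetime, op: str) -> None:
        if now < self.retained_until(blob):
            raise PolicyViolation(
                f"{op} of '{blob}' blocked by time-based retention until "
                f"{self.retained_until(blob).isoformat()}")

    def upload(self, blob: str, data: bytes, now: datetime) -> None:
        if blob in self.blobs:            # overwriting is a modification
            self._check(blob, now, "overwrite")
        self.blobs[blob] = (data, now)

    def read(self, blob: str) -> bytes:   # reads are never blocked
        return self.blobs[blob][0]

    def delete(self, blob: str, now: datetime) -> None:
        self._check(blob, now, "delete")
        del self.blobs[blob]

def can_delete(container: ImmutableContainer, blob: str, now: datetime) -> bool:
    """True if a delete attempted at `now` would be allowed by the policy."""
    try:
        container._check(blob, now, "delete")
    except PolicyViolation:
        return False
    return True
```

With the lab's 5-day retention, a file uploaded at T0 cannot be deleted or overwritten on day 1 or day 2, new blobs can still be added, and the delete succeeds from day 5 onward.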
Step 7: We need to enable infrastructure encryption as an additional security measure.
Navigate back to your storage account.
In the Security + networking blade, select Encryption.
In the Encryption scopes tab, select Add.
Give your encryption scope a name.
The Encryption type is Microsoft-managed key.
Set Infrastructure encryption to Enable.
Create the encryption scope.
Return to your storage account and create a new container.
Notice on the New container page, there is the Name and Public access level.
Notice in the Advanced section you can select the Encryption scope you created and apply it to all blobs in the container.
Clean up your resources
If you are working with your own subscription and have completed these labs, take a minute to delete the lab resources. This will ensure resources are freed up and cost is minimized. The easiest way to delete the lab resources is to delete the lab resource group.
In the Azure portal, select the resource group, select Delete resource group, enter the resource group name, and then click Delete.
Using Azure PowerShell, Remove-AzResourceGroup -Name resourceGroupName.
Using the CLI, az group delete --name resourceGroupName.
Conclusion
Congratulations on successfully configuring secure Azure Storage access using Managed Identities, RBAC, and immutable storage policies.
In this lab, we explored how Azure security features can help organizations protect storage resources while simplifying authentication and access management.
Some key takeaways from this lab include:
Managed Identities eliminate the need for hardcoded credentials
Azure RBAC enables centralized access management
Immutable storage helps protect critical data from modification or deletion
Identity-based authentication improves cloud security posture
By completing this exercise, you have taken another important step in building practical Azure security and cloud administration skills.