
Securing Storage With Access Keys and Shared Access Signatures in Microsoft Azure

Hands-On Lab

 

Gary McLeary

Azure Training Architect I in Content

Length

00:30:00

Difficulty

Beginner

In this hands-on lab, we secure an existing Azure storage account and provide temporary access to its blob storage. We do this by using the built-in security features of access keys and shared access signatures. This matters because we always want to grant only the least permissions and access level an individual needs to do their job. After completing this lab, you will be familiar with the following tasks:

  * Forcing HTTPS access to the storage account.
  * Restricting access to the storage account via IP address.
  * Regenerating the Access Key.
  * Creating a blob storage container.
  * Obtaining the Access Key/Shared Access Signature.
  * Limiting permissions to the storage objects.



Solution

  1. Log in to the Azure Portal using the credentials provided on the lab instructions page.

Regenerate the Access Key

  1. Click on the provided storage account.

  2. Click Access Keys under Settings.

  3. Click the regenerate icon next to key1.

  4. Click Yes in the popup warning window.

Create a SAS Token and Connection String with Limited Access Permissions

  1. Click Shared access signature under Settings.

  2. Under Allowed services, uncheck all the boxes except for Blob.

  3. Under Allowed permissions, uncheck the Delete permission.

  4. Under Start and expiry date/time, change the End date to be a date 30 days in the future.

  5. Click Generate SAS and connection string.
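An added example, not part of the original lab: a Python check that an account SAS token, as produced by Generate SAS and connection string, matches the settings chosen above (Blob only, no Delete, end date at most 30 days out). The function name and both sample tokens are constructed for illustration, and the HTTPS check is an assumption drawn from the lab's HTTPS objective rather than from a step in this list.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

MAX_LIFETIME = timedelta(days=30)  # the lab sets the end date 30 days in the future

# Constructed sample tokens; the signatures are placeholders, not real values.
GOOD = ("?sv=2018-03-28&ss=b&srt=sco&sp=rwlacup"
        "&se=2019-05-31T00:00:00Z&st=2019-05-01T00:00:00Z&spr=https&sig=PLACEHOLDER")
BAD = ("?sv=2018-03-28&ss=bfqt&srt=sco&sp=rwdlacup"
       "&se=2020-05-01T00:00:00Z&st=2019-05-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER")


def audit_account_sas(token, now=None):
    """Return a list of findings; an empty list means the token matches the lab's settings."""
    now = now or datetime.now(timezone.utc)
    # parse_qs also URL-decodes values such as an encoded expiry (%3A -> ':').
    fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    findings = []

    # ss: allowed services (b=Blob, f=File, q=Queue, t=Table).
    if fields.get("ss") != "b":
        findings.append(f"ss={fields.get('ss')!r}: services other than Blob are allowed")
    # sp: allowed permissions; 'd' is Delete, which the lab unchecks.
    if "d" in fields.get("sp", ""):
        findings.append("sp grants Delete (d)")
    # spr: allowed protocols (assumption: the token should be HTTPS only).
    if fields.get("spr") != "https":
        findings.append(f"spr={fields.get('spr')!r}: token is not restricted to HTTPS")
    # se: expiry time in UTC.
    expiry = fields.get("se")
    if expiry is None:
        findings.append("se missing: token has no expiry")
    else:
        end = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if end.tzinfo is None:  # date-only values parse as naive; SAS times are UTC
            end = end.replace(tzinfo=timezone.utc)
        if end <= now:
            findings.append("se is in the past: token has expired")
        elif end - now > MAX_LIFETIME:
            findings.append(f"se is {(end - now).days} days out, more than 30")
    return findings


if __name__ == "__main__":
    lab_day = datetime(2019, 5, 1, tzinfo=timezone.utc)  # constructed "today"
    for name, tok in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_account_sas(tok, now=lab_day) or "matches the lab settings")
```
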

Configure the Firewall

  1. Click Firewalls and virtual networks under Settings.

  2. Select the Selected networks option.

  3. Check the box for Add your client IP address.

  4. Click Save.

Create a Container

  1. Click Blobs under Blob service.

  2. Click + Container at the top of the window.

  3. Under Name enter images.

  4. Make sure the Public access level is set to Private.

  5. Click OK.

Create a Virtual Folder and Upload an Image

  1. Click images.

  2. Click Upload at the top of the window.

  3. Select a file from your local system.

  4. Click Advanced.

  5. Under Upload to folder enter webimages.

  6. Click Upload.

Conclusion

Congratulations — you've completed this hands-on lab!