Azure Storage Default Setting

Last Updated on June 2, 2024 by Arnav Sharma

On May 17, 2023, Microsoft announced that it would stop allowing anonymous access and cross-tenant replication by default in Azure Storage.

Microsoft will roll out the new defaults in August 2023, and they apply only to newly created Azure Storage accounts.

Today, anyone holding the appropriate administrator credentials can configure an Azure Storage container for public, anonymous access. That capability is a potential threat to business data.

As per Microsoft:

A container can be made accessible to the public by anybody with access to the associated storage account. When public access is enabled, any authorised user can change the public access option of a container to grant anonymous users access to the contents of that container.

For new Azure Storage accounts, Microsoft will change this “beginning in August 2023.” Microsoft plans to follow standard security practices and decrease the risk of data exfiltration by disabling “anonymous access and cross tenant replication for all new storage accounts by default.”

By design, Microsoft already blocks anonymous users from accessing Azure containers. As of August, new Azure Storage accounts will be subject to a policy change that aligns with this security standard.

Existing Azure Storage accounts will not be updated automatically, however. Businesses still running the unprotected default configuration are urged to “follow best practices for security and disable anonymous access and cross-tenant replication settings if these capabilities are not required for your scenarios.”

After the rollout: 

  • All newly created storage accounts will use the updated defaults for both settings, whether created through the latest version of the storage REST API, PowerShell, the Azure CLI, the SDKs, the portal, Azure Storage Explorer, or Terraform.
  • If an application needs anonymous access to containers or blobs, anonymous access must be explicitly enabled on the new storage account.
  • Likewise, the cross-tenant replication setting must be explicitly set to true for applications that replicate across tenants.
  • Automation scripts, ARM templates, or other tooling may need to be changed to enable these features on a new storage account.
  • An Azure Policy assignment that restricts access to authorised accounts only with a “Deny” effect, or that requires replication within the same tenant, should have no bearing on newly created accounts.
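As an added example (not from the original post and not Microsoft's code), the following Python script audits the JSON that `az storage account list -o json` prints for the two settings discussed above and emits the Azure CLI commands that would apply the new defaults to any existing account that still has them enabled. The sample accounts are constructed; the property names (`allowBlobPublicAccess`, `allowCrossTenantReplication`) and the `--allow-blob-public-access` / `--allow-cross-tenant-replication` flags are the ones the Azure CLI uses. Treating a missing property as "not explicitly disabled, review it" is a defensive assumption made for this example.

```python
"""Audit Azure Storage accounts for the two defaults changed in August 2023
(anonymous blob access and cross-tenant replication) and print the Azure
CLI commands that harden each account that still has either one enabled.

Usage:  az storage account list -o json | python audit_storage_defaults.py
With no piped input the constructed sample below is audited instead.
"""
import json
import sys
from dataclasses import dataclass
from typing import List

# Constructed sample resembling `az storage account list -o json` output.
# These are not real accounts.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "legacyappdata", "resourceGroup": "rg-legacy",
     "allowBlobPublicAccess": True, "allowCrossTenantReplication": True},
    {"name": "newappdata", "resourceGroup": "rg-new",
     "allowBlobPublicAccess": False, "allowCrossTenantReplication": False},
    # Assumption for this example: an account that never had the property
    # set has not explicitly disabled the feature, so it is flagged for review.
    {"name": "olderaccount", "resourceGroup": "rg-legacy"},
])


@dataclass(frozen=True)
class Finding:
    name: str
    resource_group: str
    anonymous_access: bool          # True unless explicitly set to false
    cross_tenant_replication: bool  # True unless explicitly set to false


def audit_accounts(az_json: str) -> List[Finding]:
    """Return one Finding per account where either setting is not disabled."""
    findings = []
    for acct in json.loads(az_json):
        anon = acct.get("allowBlobPublicAccess") is not False
        xtenant = acct.get("allowCrossTenantReplication") is not False
        if anon or xtenant:
            findings.append(Finding(acct["name"], acct["resourceGroup"],
                                    anon, xtenant))
    return findings


def remediation_command(f: Finding) -> str:
    """Build the `az storage account update` call that disables only the
    settings this account still has enabled."""
    flags = []
    if f.anonymous_access:
        flags.append("--allow-blob-public-access false")
    if f.cross_tenant_replication:
        flags.append("--allow-cross-tenant-replication false")
    return ("az storage account update "
            f"--name {f.name} --resource-group {f.resource_group} "
            + " ".join(flags))


def hardened_create_command(name: str, resource_group: str,
                            location: str = "eastus") -> str:
    """Create command that states the secure defaults explicitly, so the
    result is the same whichever tool or API version runs it."""
    return (f"az storage account create --name {name} "
            f"--resource-group {resource_group} --location {location} "
            "--sku Standard_LRS --kind StorageV2 "
            "--allow-blob-public-access false "
            "--allow-cross-tenant-replication false")


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AZ_OUTPUT
    for finding in audit_accounts(data):
        print(remediation_command(finding))
```

Run the script against a real subscription by piping the CLI output into it, then review the printed commands before executing them: an account that genuinely serves anonymous content or replicates across tenants should be documented as an exception rather than silently changed. The same two properties can be enforced going forward with an Azure Policy assignment using a Deny effect, as the list above notes.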

FAQ: 

Q: How do you create a storage account in Azure?

A: To create a storage account in Azure, you can use the Azure Portal or automate the process via Azure Resource Manager templates or PowerShell scripts. The process typically involves selecting the type of storage account, such as a general-purpose v2 storage account or a Blob storage account, and configuring the relevant settings such as the account name, access tier, and region. Detailed guidance can be found on Microsoft Learn or by exploring the ‘Create a storage account’ options within the Azure portal.

Q: What are the available access tiers for a storage account in Azure, and how do they differ?

A: Azure offers several access tiers for blob data, including the Hot, Cool, and Archive tiers. These tiers are designed to manage costs by aligning the storage costs with the frequency of access: Hot tier for frequently accessed data, Cool tier for infrequently accessed data, and Archive tier for rarely accessed data. The default access tier setting can be specified when the account is created, and you can change the tier as needed using the ‘Set Blob Tier’ operation.

Q: What is Microsoft Entra and how does it integrate with Azure storage accounts?

A: Microsoft Entra is a security and identity service that provides comprehensive authorization solutions across Microsoft Azure platforms. Entra authorization in the Azure portal allows for more controlled and secure access to storage accounts, utilizing Azure role-based access control to manage permissions effectively. New storage accounts can be set to default to Microsoft Entra authorization, ensuring that access is securely managed from the outset.

Q: How do you determine the storage account type and name within the Azure portal?

A: Within the Azure portal, you can determine the type of storage account (such as general-purpose v2 or Blob storage) and the storage account name by navigating to the specific storage account’s dashboard. This information is part of the storage account settings and is crucial for configuring and managing data access and storage solutions tailored to organizational needs.

Q: Can you describe the process for changing the access tier setting for an existing Azure Blob storage account?

A: Changing the access tier for an existing Azure Blob storage account involves calling the ‘Set Blob Tier’ operation, either through the Azure Portal or programmatically via Azure SDKs. This operation allows you to move individual blobs from one tier to another (e.g., from Hot to Cool or Archive), depending on your data access needs and cost optimization strategies. The access tier setting for the storage account itself indicates the default tier for new blobs but can also be adjusted to reflect changes in data access patterns.

Q: What are some key considerations when setting up a new storage account in Azure?

A: When setting up a new storage account in Azure, it is essential to consider the account’s access tier, the type of storage account, and the Azure region in which it is created. You must also ensure the storage account name is unique within Azure DNS zones and complies with Microsoft’s naming conventions and terms of use. Additionally, understanding the storage options and pricing through the Azure storage pricing page can help in making informed decisions about data storage and management.

Q: What is the significance of using Microsoft Entra for authorization in Azure storage accounts?

A: Using Microsoft Entra for authorization in Azure storage accounts enhances security by leveraging advanced identity and access management features. This setup ensures that storage accounts are only accessible to users and services with the proper permissions, significantly reducing the risk of unauthorized access and data breaches. This integration is part of Microsoft’s recommendation for securing storage resources in most scenarios, especially when handling sensitive or critical data.

Q: What are the different types of storage accounts available in Azure?

A: Azure offers several types of storage accounts, each tailored for specific needs. The primary types include the general-purpose v2 account, which supports blobs, file shares, queues, and tables, and is recommended by Microsoft for most scenarios. Another type is Data Lake Storage Gen2, which is ideal for big data analytics. There are also specialized accounts like the legacy Blob storage account, which is now less commonly used with the advent of more advanced options.

Q: How does Azure handle data security and access management?

A: Azure ensures data security and access management through various features and settings. One fundamental method is Azure role-based access control (RBAC), which manages who has access to Azure resources and what they can do with those resources. Microsoft also recommends using Microsoft Entra for authorization in the Azure portal, which is a newer, integrated security solution providing advanced identity and access management.

Q: What are the default settings and options for configuring access tiers in Azure Storage accounts?

A: Azure Storage accounts have a default access tier setting that indicates the data accessibility speed and cost. The three main access tiers are Hot, Cool, and Archive. The default can be set during the creation of the storage account, and if a blob’s tier is not set explicitly, it is inferred from the account’s default. Users can change the default access tier or apply the Set Blob Tier operation to individual blobs to adjust their access tiers according to their current needs.

Q: How does the unique storage account name benefit Azure users?

A: The unique namespace for an Azure storage account ensures that every storage entity (blob, file, queue, table) is accessed through a unique path that includes the storage account name. This namespace allows for the organized and isolated storage of data, which helps in managing and retrieving data efficiently across the globe. Storage account names must be unique across Azure, which helps in maintaining clear and unambiguous access paths for storage resources.

Q: What is Microsoft Entra and how is it utilized in Azure?

A: Microsoft Entra is an authorization and access management solution integrated within Azure, designed to replace traditional security models with a more unified approach that encompasses all Microsoft cloud services. It provides robust security updates and configurations that streamline the management of resource access on the Azure platform. By default, Azure storage accounts now use Microsoft Entra authorization to manage access, enhancing security and simplifying administrative tasks.
