AZ 500 Securing Storage

n00🔑
4 min read · Jan 26, 2025

Course: https://www.pluralsight.com/paths/az-500-microsoft-azure-security-technologies

Storage Account Access Control:

Access Keys:

The two account keys give full data-plane access to every service in the storage account and are not subject to RBAC, so anyone holding a key bypasses role assignments. Azure Storage Explorer can connect with the account name and key:

https://github.com/microsoft/AzureStorageExplorer/releases

Access Policy:

A stored access policy is defined on the container (permissions, start time, expiry). Now while creating a shared access signature we can reference this policy; the SAS inherits its constraints and can be revoked later by deleting or changing the policy, which is not possible for an ad-hoc SAS.

Shared Access Signatures:

RBAC

Assigning a data-plane role to a user at the storage account scope

Now just log in as the Goku user in Storage Explorer (sign in with Entra ID instead of supplying the account key) and we will be able to access the storage account.

User Delegation SAS:

With --auth-mode login --as-user the SAS is signed with a user delegation key obtained from the signed-in identity's token instead of the account key. The caller needs a role that includes the generateUserDelegationKey action (e.g. Storage Blob Delegator or a Storage Blob Data role), the expiry can be at most 7 days out, and the SAS stops working once the user's role assignment is removed or the delegation keys are revoked.

az storage container generate-sas --account-name apnastorageacc1 --name apnacontainer1 --permissions acdlrw --expiry 2025-01-30 --auth-mode login --as-user

Authenticating to Azure Files via Entra ID

Enabling this takes around 45 minutes to take effect.

SQL Server Authentication:

Allowing an Entra ID user access to a specific database (run while connected to that database as the server's Entra ID admin):

-- Contained database user mapped to the Entra ID identity; no SQL login is created
CREATE USER [vegeta@circuitry.us.kg] FROM EXTERNAL PROVIDER;
-- db_owner is full control of this database; prefer db_datareader/db_datawriter when that is all the user needs
ALTER ROLE db_owner ADD MEMBER [vegeta@circuitry.us.kg];

Now we can log in as the “vegeta” user to “database1”.

The vegeta user is able to access database1 on the SQL server.

Azure SQL Database: Always Encrypted

CREATE TABLE Customers (
ID INT IDENTITY(1,1) PRIMARY KEY,
Name NVARCHAR(50),
CreditCard NVARCHAR(50)
);

INSERT INTO Customers (Name, CreditCard) VALUES ('John Doe', '1234-5678-9012-3456');
INSERT INTO Customers (Name, CreditCard) VALUES ('Jane Smith', '9876-5432-1098-7654');
INSERT INTO Customers (Name, CreditCard) VALUES ('Alice Johnson', '4567-8901-2345-6789');
INSERT INTO Customers (Name, CreditCard) VALUES ('Bob Brown', '3210-6543-0987-6543');
INSERT INTO Customers (Name, CreditCard) VALUES ('Charlie Davis', '7890-1234-5678-9012');
INSERT INTO Customers (Name, CreditCard) VALUES ('Eva Green', '2345-6789-0123-4567');
INSERT INTO Customers (Name, CreditCard) VALUES ('Frank White', '6789-0123-4567-8901');
INSERT INTO Customers (Name, CreditCard) VALUES ('Grace Black', '5432-1098-7654-3210');
INSERT INTO Customers (Name, CreditCard) VALUES ('Henry Wilson', '8901-2345-6789-0123');
INSERT INTO Customers (Name, CreditCard) VALUES ('Ivy Taylor', '1098-7654-3210-9876');

Encrypting columns:

Always Encrypted encrypts the column on the client side with a column encryption key, which is itself protected by a column master key stored in Key Vault or a certificate store. The server only ever holds ciphertext, so even db_owner or the server admin cannot read CreditCard without access to the master key. Randomized encryption is the safer choice for a column like CreditCard that does not need equality lookups.
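After the SSMS wizard has encrypted the column, this catalog query (an added check, not part of the course notes) confirms which columns of Customers are encrypted, with which type and algorithm, and which column encryption key protects them. The key name reported depends on what the wizard generated, so nothing here is assumed about it.

```sql
-- Added example: verify Always Encrypted state for the Customers table.
-- encryption_type_desc is NULL for columns that are not encrypted.
SELECT t.name                      AS table_name,
       c.name                      AS column_name,
       c.encryption_type_desc      AS encryption_type,      -- RANDOMIZED / DETERMINISTIC
       c.encryption_algorithm_name AS algorithm,            -- AEAD_AES_256_CBC_HMAC_SHA_256
       k.name                      AS column_encryption_key
FROM sys.columns AS c
JOIN sys.tables  AS t ON t.object_id = c.object_id
LEFT JOIN sys.column_encryption_keys AS k
       ON k.column_encryption_key_id = c.column_encryption_key_id
WHERE t.name = 'Customers'
ORDER BY c.column_id;

-- From a session whose connection string does NOT set Column Encryption Setting=Enabled,
-- the encrypted column comes back as varbinary ciphertext rather than card numbers:
SELECT ID, Name, CreditCard FROM Customers;
```

If encryption_type shows NULL for CreditCard, the wizard did not apply encryption and the column still holds cleartext.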

Dynamic Data Masking:

Note: DB administrators, members of db_owner and anyone granted UNMASK see the cleartext; masking only applies to the result set returned to low-privileged users. It is not an encryption or a security boundary: the real values stay in the table, and a user with SELECT can still infer them with predicates (e.g. WHERE CreditCard LIKE '1234%').
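To see the masking behaviour end to end on the Customers table from the Always Encrypted section, here is an added T-SQL example (not from the course). It masks the CreditCard column, creates a hypothetical low-privileged user named MaskTester, shows the masked versus unmasked result, and then grants UNMASK to show the privilege that removes the mask.

```sql
-- Added example: dynamic data masking on the Customers table.
-- partial(prefix, padding, suffix): expose 0 leading chars, pad, keep the last 4.
ALTER TABLE Customers
ALTER COLUMN CreditCard ADD MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)');

-- Hypothetical low-privileged, database-scoped user with read access only.
CREATE USER MaskTester WITHOUT LOGIN;
GRANT SELECT ON OBJECT::dbo.Customers TO MaskTester;

-- Impersonate the low-privileged user: CreditCard is returned masked,
-- e.g. '1234-5678-9012-3456' appears as 'XXXX-XXXX-XXXX-3456'.
EXECUTE AS USER = 'MaskTester';
SELECT Name, CreditCard FROM Customers;
REVERT;

-- The same query as dbo returns the cleartext: masking is not a boundary for admins.
SELECT Name, CreditCard FROM Customers;

-- Inference is still possible for the masked user: the predicate runs on real values.
EXECUTE AS USER = 'MaskTester';
SELECT Name FROM Customers WHERE CreditCard LIKE '1234%';   -- returns 'John Doe'
REVERT;

-- UNMASK is the privilege that lifts the mask; grant it deliberately and sparingly.
GRANT UNMASK TO MaskTester;
EXECUTE AS USER = 'MaskTester';
SELECT Name, CreditCard FROM Customers;                      -- cleartext now
REVERT;

-- Clean-up.
REVOKE UNMASK FROM MaskTester;
ALTER TABLE Customers ALTER COLUMN CreditCard DROP MASKED;
DROP USER MaskTester;
```

The EXECUTE AS / REVERT pairs let you test from a single admin session; in production the test user would be a real login or Entra ID identity connecting on its own.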

Database Auditing:

Tracks database events (queries, logins, schema and permission changes) and writes them to a storage account, a Log Analytics workspace or an Event Hub for review and alerting.

It can be configured at both the server and database levels; a server-level policy applies to every database on that server, and a database-level policy adds to it rather than replacing it.
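Enabling auditing is only useful if someone reads the log. As an added example (not from the course), this T-SQL reads the audit files that Azure SQL writes to blob storage and pulls out every statement touching the Customers table plus every failed action. It assumes the audit target is the apnastorageacc1 storage account from the storage section; with a different target, change the URL prefix.

```sql
-- Added example: query the blob-stored audit log from inside Azure SQL Database.
-- sys.fn_get_audit_file accepts the container/folder prefix where auditing writes
-- .xel files; the assumed account name apnastorageacc1 is a placeholder.
SELECT event_time,
       action_id,             -- e.g. SL = SELECT, UP = UPDATE, LGIF = failed login
       succeeded,
       server_principal_name, -- who ran it (SQL login or Entra ID UPN)
       client_ip,
       database_name,
       statement
FROM sys.fn_get_audit_file(
        'https://apnastorageacc1.blob.core.windows.net/sqldbauditlogs/',
        DEFAULT, DEFAULT)
WHERE statement LIKE '%Customers%'
   OR succeeded = 0
ORDER BY event_time DESC;
```

The same records are available through the SQLSecurityAuditEvents table in Log Analytics when that target is chosen; the column names match.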


Written by n00🔑

Computer Security Enthusiast. Usually plays HTB (ID-23862). https://www.youtube.com/@pswalia2u https://www.linkedin.com/in/pswalia2u/ Instagram @pswalia4u