Fortifying Cloud Vaults: A Guide to Securing Cloud Storage – Part 2

As we continue our exploration of cloud storage services, we turn to Microsoft Azure, one of the leading cloud platforms in the industry. Azure offers a comprehensive suite of storage solutions tailored to the varied needs of modern businesses. In this second part of our multi-part Cloud Storage Security blog series, we look at Azure Blob Storage, a scalable and cost-effective object storage service designed to store and manage unstructured data.

While Azure Blob Storage has its own characteristics and capabilities, it shares common goals with AWS S3 and Google Cloud Storage in prioritising data security, scalability and reliability. By understanding the subtleties of Azure Blob Storage and how it fits into the broader ecosystem of Azure services, organisations can harness the full potential of the cloud to drive innovation, agility and growth.

Azure Container Storage

Azure offers several storage options for containerised applications, including Azure Blob Storage, Azure Files and Azure Disks, so developers can choose the type that best fits the workload. Note that the word "container" is overloaded: in the rest of this post it means a blob container, the namespace inside a storage account that groups blobs and carries its own access settings, which is distinct from the Azure Container Storage product for Kubernetes volumes. Here's an overview of the key features and capabilities that matter for security:

  • Scalability: storage scales with the growing needs of containerised applications without re-provisioning.
  • Durability: data is replicated according to the account's redundancy setting, within one data centre (LRS), across availability zones in the same region (ZRS) or additionally to a paired region (GRS/GZRS), reducing the risk of data loss.
  • Security: encryption at rest and in transit, Azure role-based access control (RBAC), and integration with Microsoft Entra ID (formerly Azure Active Directory) for authentication and authorisation.

Publicly Exposed Blob Containers

Risk Level: Medium

To safeguard your data from unauthorised access, ensure that public (anonymous) access is turned off for all blob containers within your Microsoft Azure storage accounts. Disabling public access at the storage account level overrides any public access level configured on individual blob containers within that account.

Anonymous access means exactly that: a client that knows the URL can read the container or blob with no credentials at all, without a storage account key, a Microsoft Entra token or a shared access signature (SAS). The client SDKs expose constructors that take only the URL for this case. It is strongly advised to disable anonymous access on all blob containers within your Azure storage accounts unless it is absolutely necessary, and to grant time-limited access through a SAS or RBAC instead.

How can we check whether a blob container is publicly accessible?

First, execute the "storage account list" command with a custom query filter to list the resource ID of each storage account provisioned in the current subscription.

    az storage account list \
        --query '[*].id'

After obtaining the ID of the storage account, execute the "storage account show" command with that ID as the identifier parameter. The allowBlobPublicAccess property reports whether the account permits anonymous access to be configured on its blob containers.

    az storage account show \
        --ids "<Storage_Account_ID>" \
        --query allowBlobPublicAccess

If the command returns "true", the account permits anonymous access to be configured on its containers, and any container whose own public access level is set to "blob" or "container" can be read without credentials. A "null" result means the property was never set; the service treats null the same as true, which is common on accounts created before the setting existed (accounts created since late 2023 default to false). Only an explicit "false" means public access is disabled for the whole account, regardless of the individual container settings.

How can we modify a blob container's access?

Execute the "az storage account update" command, using the storage account's ID as the identifier parameter, to disable public access to all blobs and containers within the chosen storage account. This is the setting to change first, because it overrides every per-container level.

    az storage account update \
        --ids "<Storage_Account_ID>" \
        --allow-blob-public-access false

To turn off anonymous access on an individual container without changing the account-level setting, set its public access level to off. This is a data-plane operation, so the CLI authenticates with the account key, a connection string or a data-plane RBAC role rather than with the ARM permissions used by the commands above:

    az storage container set-permission \
        --name <Storage_Container_Name> \
        --account-name <Account_Name> \
        --public-access off
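
The account-level and container-level checks above combine into one decision: a container is readable anonymously only when the account allows it (true or null) and the container's own access level is "blob" or "container". The Python auditor below, added here as an example and not code from the original post, encodes that rule over the JSON the az commands emit and prints the exact remediation command for each exposure. The az_json helper, the --live switch and the sample records are my additions; the sample accounts and containers are constructed, and the field layout follows what the az CLI returns in JSON mode.

```python
"""Audit Azure storage accounts for anonymously readable blob containers.

Consumes the JSON emitted by `az storage account list` and
`az storage container list`; run live with --live or offline on the
constructed sample data below (added example, not the original post's code).
"""
import json
import subprocess
import sys
from dataclasses import dataclass


def az_json(*args: str):
    """Run one az CLI command and parse its JSON output (needs `az login`)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def account_allows_public(account: dict) -> bool:
    """Account-level gate. allowBlobPublicAccess is tri-state: True, False,
    or null on accounts that predate the setting; the service treats null
    as ALLOWED, so only an explicit False closes the account."""
    return account.get("allowBlobPublicAccess") is not False


@dataclass(frozen=True)
class Finding:
    account: str
    container: str
    level: str  # "blob" (blob reads) or "container" (blob reads + listing)
    fix: str    # az command that removes the exposure


def account_fixes(accounts: list) -> list:
    """Commands that disable anonymous access account-wide, the setting
    that overrides every per-container level."""
    return [f"az storage account update --ids \"{a['id']}\" "
            f"--allow-blob-public-access false"
            for a in accounts if account_allows_public(a)]


def audit(accounts: list, containers_by_account: dict) -> list:
    """One Finding per container an anonymous client can read right now.

    containers_by_account maps account name -> output of
    `az storage container list --account-name <name>`.
    """
    findings = []
    for acct in accounts:
        if not account_allows_public(acct):
            continue  # explicit False overrides any container-level setting
        for c in containers_by_account.get(acct["name"], []):
            level = (c.get("properties") or {}).get("publicAccess")
            if level in ("blob", "container"):
                fix = (f"az storage container set-permission --name {c['name']} "
                       f"--account-name {acct['name']} --public-access off")
                findings.append(Finding(acct["name"], c["name"], level, fix))
    return findings


def collect_live() -> tuple:
    """Pull real inventory through the CLI (only used with --live)."""
    accounts = az_json("storage", "account", "list")
    containers = {a["name"]: az_json("storage", "container", "list",
                                     "--account-name", a["name"],
                                     "--auth-mode", "login")
                  for a in accounts}
    return accounts, containers


# Constructed sample data shaped like the two az commands' output.
_RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
SAMPLE_ACCOUNTS = [
    {"id": f"{_RG}/providers/Microsoft.Storage/storageAccounts/stlogs01",
     "name": "stlogs01", "allowBlobPublicAccess": True},
    {"id": f"{_RG}/providers/Microsoft.Storage/storageAccounts/stbackup02",
     "name": "stbackup02", "allowBlobPublicAccess": False},
    {"id": f"{_RG}/providers/Microsoft.Storage/storageAccounts/stlegacy03",
     "name": "stlegacy03", "allowBlobPublicAccess": None},  # never set
]
SAMPLE_CONTAINERS = {
    "stlogs01": [{"name": "web-assets", "properties": {"publicAccess": "container"}},
                 {"name": "audit", "properties": {"publicAccess": None}}],
    "stbackup02": [{"name": "dumps", "properties": {"publicAccess": "blob"}}],
    "stlegacy03": [{"name": "www", "properties": {"publicAccess": "blob"}}],
}

if __name__ == "__main__":
    live = "--live" in sys.argv
    accts, conts = collect_live() if live else (SAMPLE_ACCOUNTS, SAMPLE_CONTAINERS)
    for f in audit(accts, conts):
        print(f"EXPOSED {f.account}/{f.container} (level={f.level})\n  {f.fix}")
    for cmd in account_fixes(accts):
        print(f"ACCOUNT {cmd}")
```

On the sample data the auditor reports stlogs01/web-assets and stlegacy03/www; the "dumps" container on stbackup02 has a public level of "blob" but is not reachable because the account-level setting is false, which is exactly why the account-level fix should be applied first.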

Excessive Stored Access Policies

Risk Level: High

Ensure that your Microsoft Azure Storage shared access signatures (SAS) do not grant full access to your storage account resources through stored access policies. A SAS is a URI that grants restricted access rights to Azure Storage resources; it is the standard way to give temporary access to clients that have no permissions of their own. A stored access policy is defined on the container and gives extra control over service-level SAS: a SAS that references the policy inherits its permissions, start time and expiry, and every such SAS can be revoked at once by changing or deleting the policy. The flip side is that a policy granting every permission with a distant or missing expiry turns each SAS issued against it into a long-lived, full-access credential.

How can we check for overly permissive stored access policies?

Execute the "storage account list" command with a custom query filter to list the name of each storage account available in the current Azure subscription.

    az storage account list \
        --query '[*].name'

Execute the "storage container list" command, specifying the name of the storage account as the identifier parameter, with a custom query filter to list the containers available in the selected storage account.

    az storage container list \
        --account-name <Account_Name> \
        --query '[*].name'

Execute the "storage container policy list" command, specifying the storage account and container names as the identifier parameters. The output is a JSON object keyed by policy name; each entry shows the policy's permission string, start time and expiry.

    az storage container policy list \
        --account-name <Account_Name> \
        --container-name <Container_Name>

An empty object ({}) means the container has no stored access policies. If the output is non-empty, inspect each policy rather than stopping at its existence: a policy whose permission string covers the full set (racwdl, i.e. read, add, create, write, delete and list), or whose expiry is missing or far in the future, grants any SAS built on it full, long-lived access to the container's data and deviates from the principle of least privilege.

How do we revoke excessive permissions in stored access policies?

Execute the "storage container policy update" command, providing the storage account, blob container and policy names as the identifier parameters. Set the permissions to the minimum the clients actually need (for example "rl" for read and list) and give the policy a bounded expiry so that it adheres to the principle of least privilege. Because a SAS references the policy by name and the service evaluates the policy at request time, SAS tokens already issued against it pick up the tightened constraints immediately.

    az storage container policy update \
        --account-name <Account_Name> \
        --container-name <Container_Name> \
        --name tooPermissivePolicy \
        --start "<Start_Time>" \
        --expiry "<Expiry_Time>" \
        --permissions "<Permissions>"
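
Deciding whether a stored access policy is overly permissive means reading the permission string and the expiry the command returns, not merely noticing that the output is non-empty. The Python auditor below, added here as an example rather than code from the original post, applies that rule to the JSON from "az storage container policy list" and prints a least-privilege "policy update" command for each offender. The 90-day lifetime ceiling, the read-only permission set and the sample policies are assumptions of mine; the sample data is constructed, and the field names (permission, expiry, start) follow the CLI's JSON output.

```python
"""Flag overly permissive stored access policies on a blob container.

Input is the JSON from `az storage container policy list` (a map of policy
name -> {permission, expiry, start}); added example, not the post's code.
"""
import json
from datetime import datetime, timedelta, timezone

# Container permission letters: r read, l list, a add, c create, w write,
# d delete (newer versions add more). Only r and l count as read-only here.
READ_ONLY = {"r", "l"}
MAX_LIFETIME = timedelta(days=90)  # assumed policy ceiling; tune per environment


def parse_time(value):
    """Parse the CLI's ISO-8601 timestamp; None/empty means 'not set'."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def policy_issues(policy: dict, now: datetime) -> list:
    """Return the least-privilege violations of one policy (empty = fine)."""
    issues = []
    perms = set(policy.get("permission") or "")
    extra = "".join(sorted(perms - READ_ONLY))
    if extra:
        issues.append(f"grants more than read/list: {extra}")
    expiry = parse_time(policy.get("expiry"))
    if expiry is None:
        issues.append("no expiry: SAS tokens tied to it never lapse")
    elif expiry <= now:
        issues.append(f"already expired on {expiry:%Y-%m-%d}; delete the policy")
    elif expiry - now > MAX_LIFETIME:
        issues.append(f"expiry {expiry:%Y-%m-%d} is more than "
                      f"{MAX_LIFETIME.days} days out")
    return issues


def audit_policies(policies: dict, now=None) -> dict:
    """Map policy name -> issues for every policy the CLI returned."""
    now = now or datetime.now(timezone.utc)
    return {name: policy_issues(p, now) for name, p in policies.items()}


def remediation(account: str, container: str, name: str,
                now: datetime, permissions: str = "rl") -> str:
    """az command that shrinks a policy to read/list with a bounded expiry."""
    expiry = (now + MAX_LIFETIME).strftime("%Y-%m-%dT%H:%MZ")
    return (f"az storage container policy update --account-name {account} "
            f"--container-name {container} --name {name} "
            f"--permissions {permissions} --expiry {expiry}")


# Constructed sample, shaped like `az storage container policy list` output.
SAMPLE_POLICIES = json.loads("""{
  "tooPermissivePolicy": {"expiry": null, "permission": "racwdl",
                          "start": "2024-01-01T00:00:00+00:00"},
  "reports-readonly":    {"expiry": "2025-06-30T00:00:00+00:00",
                          "permission": "rl", "start": null},
  "stale-upload":        {"expiry": "2024-03-01T00:00:00+00:00",
                          "permission": "w", "start": null}
}""")
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # deterministic clock

if __name__ == "__main__":
    for name, issues in audit_policies(SAMPLE_POLICIES, FIXED_NOW).items():
        if issues:
            print(f"{name}: " + "; ".join(issues))
            print("  " + remediation("<Account_Name>", "<Container_Name>",
                                     name, FIXED_NOW))
```

Run against real output with something like "az storage container policy list ... | python3 audit_policies.py" after replacing the sample with json.load(sys.stdin); the read-only policy with a near expiry passes, the full-access policy with no expiry is flagged twice, and the expired write policy is reported for deletion.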

Conclusion

Securing your cloud storage, and Azure blob containers in particular, is essential for protecting sensitive information and meeting regulatory obligations. By implementing the practices above, you can mitigate risk and protect your organisation's valuable resources.

Encryption plays a significant part in data protection, whether data is at rest or in transit. Azure Storage always applies server-side encryption with Microsoft-managed keys; using customer-managed keys held in Azure Key Vault adds control over key rotation and revocation, so that data on the underlying media remains unreadable without those keys.

Furthermore, it is essential to restrict public access to storage resources. Frequently auditing and removing anonymous access from blob containers is critical to prevent inadvertent exposure of sensitive information to the internet.

Additionally, managing shared access is crucial, particularly where several teams or external parties need access to the same storage resources; time-bounded SAS tokens backed by least-privilege stored access policies keep that access revocable.

In summary, securing Azure blob containers involves encrypting data at rest and in transit, removing public access to avoid unauthorised exposure, and managing shared access through well-scoped Azure RBAC role assignments and SAS policies. By prioritising these measures, businesses can confidently use the scalability and flexibility of Azure Storage while minimising the associated risks.

Links to other parts:

Part-1