Tutorial / Cram Notes
Azure Active Directory Credentials
Azure Active Directory is the primary method for identity management in Azure. It provides access control through roles and built-in policies. For managing access with Azure AD, you will be utilizing Role-Based Access Control (RBAC).
Best Practices:
- Assign the least privilege necessary using Azure RBAC roles.
- Regularly review and audit access permissions.
Example:
To grant a user read-only access to a virtual machine:
- Go to Azure Portal.
- Navigate to the specific VM’s page.
- Under IAM, click Add role assignment.
- Select Reader from the role list, then assign to the user.
Shared Access Signatures
A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. It’s used for providing fine-grained access control to containers, blobs, queues, and tables.
SAS Types:
- Service SAS: Grants access to specific resources within a storage account.
- Account SAS: Grants access to resources in one or more services in a storage account.
Best Practices:
- Use SAS tokens with the least privileges required.
- Keep the SAS token validity period as short as possible.
- Avoid distributing SAS tokens publicly.
Example:
Creating a Service SAS for a blob container:
- Open Azure Storage Explorer.
- Navigate to the blob container.
- Right-click the container and select Get Shared Access Signature.
- Configure the SAS settings and click Create.
Storage Account Keys
Access to Azure Storage accounts is secured with two 512-bit storage account access keys. These keys control access to everything in the storage account.
Best Practices:
- Rotate keys periodically.
- Use Azure Key Vault for storing and managing your access keys.
- Employ SAS wherever possible instead of using account keys directly.
Example:
Rotating storage account keys:
- Navigate to the Access keys section of your Storage Account in Azure Portal.
- Click on Regenerate key for either key1 or key2.
- Update any stored credentials with the new key value.
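The SAS and storage-account-key sections above describe the two as separate credentials, but a service SAS is derived from the account key: the token's sig value is an HMAC-SHA256 over the token's own fields, keyed with the account key. The following offline model is an added example for these notes (not code from the page or from Microsoft). It builds a container SAS, verifies it the way the service would, and shows what happens when the token is tampered with, when key1 is regenerated, and when the short validity window runs out. The account name, container name and both keys are constructed values; the string-to-sign layout follows the Blob REST documentation for service versions 2018-11-09 through 2020-10-02 (assumption: later versions add an encryption-scope field after the snapshot-time field, so check the version you target).

```python
"""Offline model of how a Blob *service SAS* is tied to a storage account key.

signature = Base64( HMAC-SHA256( Base64Decode(account_key), string_to_sign ) )
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, quote

SERVICE_VERSION = "2020-10-02"
ACCOUNT = "examplestorage"      # constructed
CONTAINER = "app-logs"          # constructed
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed 512-bit keys. Real keys are generated by Azure, never derived like this.
KEY1 = base64.b64encode(hashlib.sha512(b"constructed key1").digest()).decode()
KEY2 = base64.b64encode(hashlib.sha512(b"constructed key2").digest()).decode()


def _string_to_sign(perms: str, start: str, expiry: str, protocol: str) -> str:
    """Field order is fixed by the service; unused fields stay as empty lines."""
    fields = [
        perms, start, expiry,
        f"/blob/{ACCOUNT}/{CONTAINER}",  # canonicalizedResource
        "",                              # signedIdentifier (stored access policy id)
        "",                              # signedIP
        protocol,                        # signedProtocol
        SERVICE_VERSION,                 # signedVersion
        "c",                             # signedResource: c = container
        "",                              # signedSnapshotTime
        "", "", "", "", "",              # rscc, rscd, rsce, rscl, rsct (response-header overrides)
    ]
    return "\n".join(fields)


def _sign(account_key: str, sts: str) -> str:
    mac = hmac.new(base64.b64decode(account_key), sts.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def create_container_sas(account_key: str, perms: str = "rl", minutes: int = 15,
                         now: Optional[datetime] = None) -> str:
    """Return the SAS query string for CONTAINER with a short validity window."""
    now = now or datetime.now(timezone.utc)
    start = (now - timedelta(minutes=5)).strftime(TIME_FMT)        # tolerate clock skew
    expiry = (now + timedelta(minutes=minutes)).strftime(TIME_FMT)
    sig = _sign(account_key, _string_to_sign(perms, start, expiry, "https"))
    params = {"sv": SERVICE_VERSION, "sr": "c", "sp": perms, "st": start,
              "se": expiry, "spr": "https", "sig": sig}
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())


def verify_container_sas(token: str, account_key: str,
                         now: Optional[datetime] = None) -> str:
    """Recompute the signature as the service does; return 'ok' or the failure reason."""
    q = {k: v[0] for k, v in parse_qs(token).items()}
    expected = _sign(account_key, _string_to_sign(q["sp"], q["st"], q["se"], q.get("spr", "")))
    if not hmac.compare_digest(expected, q["sig"]):
        return "bad-signature"       # wrong or rotated key, or any signed field changed
    now = now or datetime.now(timezone.utc)
    if now < datetime.strptime(q["st"], TIME_FMT).replace(tzinfo=timezone.utc):
        return "not-yet-valid"
    if now > datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc):
        return "expired"
    return "ok"


def rotation_demo() -> dict:
    """Issue a read/list SAS, then tamper, regenerate key1 and let it expire."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for determinism
    sas = create_container_sas(KEY1, perms="rl", minutes=15, now=t0)
    return {
        "valid_with_key1": verify_container_sas(sas, KEY1, now=t0),
        "escalated_perms": verify_container_sas(sas.replace("sp=rl", "sp=rwdl"), KEY1, now=t0),
        "after_key1_regenerated": verify_container_sas(sas, KEY2, now=t0),
        "after_expiry": verify_container_sas(sas, KEY1, now=t0 + timedelta(hours=1)),
    }


if __name__ == "__main__":
    for step, outcome in rotation_demo().items():
        print(f"{step:24s} {outcome}")
```

Two things follow directly from the model. Regenerating key1 invalidates every SAS it signed (the `after_key1_regenerated` case), which is why the notes recommend short validity periods and why callers must be moved to key2 before key1 is regenerated. The empty signedIdentifier line is where a stored access policy's id goes; a SAS bound to a policy can be revoked by deleting the policy instead of rotating the whole account key.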
Service Principal Keys
Service principals give applications an identity of their own, separate from any user's, and are the typical choice when an application needs to access resources or perform actions in Azure.
Best Practices:
- Use automated tools like Azure CLI or PowerShell to manage service principals.
- Rotate service principal keys periodically.
- Avoid hard-coding keys in your applications; use environment variables or Key Vault instead.
Example:
Creating a service principal with Azure CLI:
az ad sp create-for-rbac --name MyApp --role contributor --scopes /subscriptions/{SubID}/resourceGroups/{ResourceGroup1}
This command creates a new service principal named MyApp and assigns it the Contributor role scoped to the specified resource group in the given subscription.
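The best practice above (no hard-coded keys; use environment variables or Key Vault) is only as good as the check that enforces it. The scanner below is an added example for these notes, not code from the page or from any Azure tool: it walks file contents the way a pre-commit hook would and flags storage account keys (512-bit keys serialise to 88 base64 characters ending in `==`), SAS tokens (a query string carrying `sv=`, `se=` and `sig=`) and service principal secrets assigned literally in code or config, while leaving environment-variable reads and App Service Key Vault references alone. The sample file contents, the file names and the fake key are all constructed.

```python
"""Pre-commit style scan for Azure credentials that should not be in source control."""
import base64
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str, str]   # (path, line number, kind, redacted excerpt)

KEY_RE = re.compile(r"[A-Za-z0-9+/]{86}==")                 # 64 raw bytes as base64
SIG_RE = re.compile(r"\bsig=([A-Za-z0-9%+/=]+)")            # SAS signature parameter
SECRET_RE = re.compile(r"(?i)client[_-]?secret\s*[:=]\s*['\"]?([^'\"\s]{8,})")

# Values that are references, not secrets: env-var reads, template placeholders,
# App Service Key Vault references.
SAFE_PREFIXES = ("os.environ", "${", "<", "@Microsoft.KeyVault(")


def _redact(value: str) -> str:
    """Never echo the secret itself into hook output or CI logs."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def _is_reference(value: str) -> bool:
    return value.startswith(SAFE_PREFIXES)


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.search(line)
        if m:
            findings.append((path, lineno, "storage-account-key", _redact(m.group(0))))
        m = SIG_RE.search(line)
        if m and "sv=" in line and "se=" in line:
            findings.append((path, lineno, "sas-token", _redact(m.group(1))))
        m = SECRET_RE.search(line)
        if m and not _is_reference(m.group(1)):
            findings.append((path, lineno, "service-principal-secret", _redact(m.group(1))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """files maps path -> contents (a hook would read the staged files here)."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample input: one fake key (88 chars of base64), one fake SAS, one
# literal client secret, plus two lines that show the acceptable alternatives.
FAKE_KEY = base64.b64encode(b"\x00" * 64).decode()
SAMPLE_FILES = {
    "appsettings.json": (
        "{\n"
        '  "ConnectionString": "DefaultEndpointsProtocol=https;AccountName=examplestorage;'
        f'AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net"\n'
        "}\n"
    ),
    "deploy.sh": (
        "BLOB_URL='https://examplestorage.blob.core.windows.net/app-logs"
        "?sv=2020-10-02&se=2024-01-01T12%3A15%3A00Z&sr=c&sp=rl&sig=abcDEF123%2Fxyz%3D'\n"
    ),
    "settings.py": (
        'client_secret = "hunter2hunter2hunter2"\n'
        'client_secret = os.environ["AZURE_CLIENT_SECRET"]\n'
        'clientSecret = "@Microsoft.KeyVault(SecretUri=https://kv.vault.azure.net/secrets/sp)"\n'
    ),
}


if __name__ == "__main__":
    import sys
    hits = scan_files(SAMPLE_FILES)
    for path, lineno, kind, excerpt in hits:
        print(f"{path}:{lineno}: {kind} ({excerpt})")
    sys.exit(1 if hits else 0)     # a non-zero exit blocks the commit
```

Exit status is the contract with the hook: anything found blocks the commit, and the redacted excerpt is all that reaches the terminal or CI log. The reference check is deliberately narrow; extend `SAFE_PREFIXES` for whatever secret-reference syntax your own deployment uses rather than loosening the regexes.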
Key Management Comparison
Feature | Azure AD | Shared Access Signature | Storage Account Keys | Service Principal |
---|---|---|---|---|
Granularity | Fine | Fine | Coarse | Fine |
Scope | Role-based/Resource scope | Resource level | Account level | Role-based/Resource scope |
Lifetime | Permanent until revoked | Configurable | Permanent until regenerated | Depends on configuration |
Rotation | Not needed | Recommended: After expiration or breach | Recommended periodically | Recommended periodically |
As an Azure Administrator, it is important to ensure that all access keys are managed securely and in accordance with best practices. Regular audits and adherence to the principle of least privilege will greatly reduce the chances of unauthorized access and potential security breaches. Monitoring and logging are also recommended so that you can respond quickly to any irregularities in access patterns, ensuring the ongoing security of your Azure resources.
Practice Test with Explanation
True/False: It is recommended to use shared access keys for service-to-service authentication whenever possible.
- False
It is recommended to use Azure Managed Identities instead of shared access keys for service-to-service authentication, as it provides an identity for the service without the need for credentials to be stored in code.
True/False: Azure access keys can be regenerated without affecting the service that is using them.
- False
When you regenerate Azure access keys, any applications or services using these keys will need to be updated with the new key, causing a potential disruption in service.
Single select: What is a secure way to manage keys and secrets used by cloud applications and services in Azure?
- A) Azure Blob Storage
- B) Azure Active Directory
- C) Azure Key Vault
- D) Azure Table Storage
Answer: C) Azure Key Vault
Azure Key Vault is a cloud service that provides a secure store for secrets, keys, and certificates, allowing you to securely manage and control access to these credentials.
Multiple select: Which of the following can be used to manage access to Azure resources?
- A) Role-Based Access Control (RBAC)
- B) Access keys
- C) Shared Access Signatures (SAS)
- D) Network Security Groups (NSG)
Answer: A) Role-Based Access Control (RBAC), B) Access keys, C) Shared Access Signatures (SAS)
RBAC, access keys, and SAS are all used to manage access to Azure resources in different ways. NSGs are used to control inbound and outbound network traffic to Azure resources but not for managing access keys.
True/False: Storing access keys in configuration files is considered a best practice.
- False
Storing access keys in configuration files is not recommended as it can be a security risk; it is better to use Azure Key Vault or environment variables that are not checked into source control.
True/False: When using an Azure Managed Identity, you still need to manually rotate and manage access keys.
- False
Azure Managed Identities eliminate the need for developers to manage access keys manually since Azure takes care of the identity management automatically.
Single select: How many primary and secondary access keys are provided for each Azure Storage account for access authentication?
- A) One primary and no secondary access keys
- B) One primary and one secondary access key
- C) Two primary and two secondary access keys
- D) Only one primary access key
Answer: B) One primary and one secondary access key
Each Azure Storage account provides one primary and one secondary access key, which can be used to access the storage account for authentication and access.
True/False: Azure Storage Account access keys are automatically rotated by Azure.
- False
Azure does not automatically rotate access keys for Azure Storage Accounts. Users are responsible for rotating these keys periodically for security purposes.
Single select: When you regenerate an access key for an Azure service, what immediate action should you take?
- A) Change the access policies in Azure Key Vault
- B) Update the key within the services that use it
- C) Reboot the Azure service
- D) Take no action, the change is effective automatically without further steps
Answer: B) Update the key within the services that use it
After regenerating an access key, it is critical to update the key within any services that use it to avoid interruptions.
Multiple select: Which of the following statements are true regarding Shared Access Signatures (SAS)?
- A) SAS provide fine-grained access to resources in a secure manner.
- B) SAS are tied to the Azure account keys.
- C) SAS can be used without any expiration time.
- D) SAS are recommended over Managed Identities for most scenarios.
Answer: A) SAS provide fine-grained access to resources in a secure manner, B) SAS are tied to the Azure account keys.
SAS grant limited and fine-grained access to Azure resources and are tied to Azure account keys. However, they should have an expiration time set, and generally, Managed Identities are recommended where possible due to their ease of management and enhanced security over shared keys.
True/False: Access keys are the only method available for authenticating access to Azure Storage services.
- False
Azure provides other authentication methods such as Azure Active Directory (Azure AD) and Shared Access Signatures (SAS) in addition to access keys.
Single select: What should an administrator use to automatically rotate secrets and keys in Azure?
- A) Azure Automation
- B) Azure Advisor
- C) Azure Key Vault with event-driven automation
- D) Azure Security Center
Answer: C) Azure Key Vault with event-driven automation
Azure Key Vault can be combined with event-driven automation, like Azure Functions or Logic Apps, to automatically rotate secrets and keys as required.
Interview Questions
What are access keys in Azure Storage?
Access keys are two 512-bit base64-encoded keys generated by Azure for each storage account that provide a way to authenticate and access the account’s contents.
What is the purpose of managing access keys?
Managing access keys allows you to control and revoke access to your storage accounts, reducing the risk of unauthorized access and data breaches.
How can you view the access keys for a storage account?
You can view the access keys for a storage account in the Azure portal or by using Azure PowerShell or Azure CLI.
Can access keys be regenerated for a storage account?
Yes, you can regenerate either the primary or secondary access key for a storage account at any time.
What happens if you regenerate an access key?
Regenerating an access key invalidates the old key, so any application or user that was using the old key to access the storage account will need to be updated with the new key.
Can you restrict access to a storage account by using access policies?
Yes, you can create shared access signatures (SAS) that limit access to specific resources and operations within a storage account. These SAS tokens can be created using stored access policies.
How do you revoke access for a user or application that is using an access key?
To revoke access for a user or application, you can regenerate the access key for the storage account. This will invalidate the old key and require the user or application to update their credentials.
Can you use access keys to access resources in different storage accounts?
Yes, you can use access keys to access resources in any storage account that shares the same Azure subscription as the storage account where the access keys were generated.
Are there any restrictions on the length or complexity of access keys?
No, access keys can be any length and can contain any combination of characters.
Can you use managed identities to access storage accounts instead of access keys?
Yes, you can use managed identities to access storage accounts, which eliminates the need to manage access keys. This approach is recommended for applications running on Azure virtual machines or other Azure services that support managed identities.
The blog on managing access keys is really helpful. Azure Key Vault seems critical for security. Does anyone have a best practice for rotating keys?
Appreciate the blog post, it’s concise and to the point.
Can someone explain how to set up alerts for key expiration in Azure Key Vault?
Has anyone faced issues with service principal access when managing keys?
Great blog! Thanks!
How do I ensure my access keys are not checked into source control?
What kind of permissions are needed for a user to manage keys in Key Vault?
I’ve found the access policy configuration a bit confusing. Any tips?