An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, and tables. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. It is essential to note that the storage account designated for the internal team should be configured as a private storage account.
I would like to attach a pictorial representation of what we are going to do in this article before we begin the steps.
**Step A: Create a storage account for the web app and a managed identity.**
1. In the Azure portal, type "storage accounts" in the 'Search resources' field, click the 'Storage accounts' result, then click the 'Create' button.
2. After clicking 'Create', wait for the page to load, then fill in the 'Project details': choose your subscription and create a resource group.
3. In 'Instance details' there are the storage account name, Region, Performance and Redundancy fields, but in this task we only set the storage account name and the region. Then go to the 'Encryption' tab and check 'Enable infrastructure encryption'. Ignore the warnings, as instructed in the task. Then click 'Review + create'.
4. Click 'Create' and wait for the deployment; it takes a couple of minutes.
5. After the deployment is complete, click 'Go to resource'.
Provide a managed identity for the web app.
1. Go to Home, search for 'Managed Identities' in the resource search, click the 'Managed Identities' result, then click 'Create' and wait for the page to load.
2. Choose the subscription and the resource group in 'Project details' under the Basics tab.
3. In 'Instance details', choose the name and the region.
4. Click the 'Review + create' button.
5. Click 'Create' to create the managed identity.
6. Wait for the deployment to finish, then click 'Go to resource'.
Assign the correct permission to the managed identity. The identity only needs to read and list the container and blobs.
1. Search for and select your storage account, select 'Access Control (IAM)', click 'Add role assignment', then under 'Job function roles' select 'Storage Blob Data Reader' and click 'Next'.
2. On the 'Members' page, select 'Managed identity', click 'Select members', choose 'User-assigned managed identity' and search for the managed identity that you created.
3. Click 'Select', then click the managed identity, then 'Review + assign', and wait for the role assignment to be added.
**Secure access to the storage account with the key vault and key**
To create the key vault and the key needed for this part of the lab, your user account must have the Key Vault Administrator permission.
1. In the portal search box, search for and click on your resource group, click 'Access control (IAM)', click 'Add role assignment', choose 'Key Vault Administrator' as the job function role, then click 'Next'.
2. On the 'Members' page select 'User, group, or service principal', then click 'Select members', choose your user account (shown at the top right of the portal) and click 'Select'. Click 'Review + assign'.
3. Confirm the selected user account and click 'Review + assign'; the role assignment is then added.
Create a key vault to store the keys
1. In the portal, search for 'Key vaults', select it and click 'Create' to create a key vault.
2. Choose your resource group in 'Project details' under the Basics tab.
3. Choose your key vault name and region in 'Instance details' under the Basics tab.
4. Ensure that 'Access configuration' has 'Azure role-based access control' checked, then click 'Review + create'.
5. Click 'Create'; it will initialise, so wait for the deployment to complete and then click 'Go to resource'. Ensure that soft delete and purge protection are enabled.
Create a customer-managed key in the key vault
In your key vault, in the 'Objects' section, select the 'Keys' blade, click 'Generate/Import', name the key and click 'Create'.
1. In the key vault's 'Access control (IAM)' blade, select 'Add role assignment'; under 'Job function roles', choose 'Key Vault Crypto Service Encryption User'. Click 'Next'.
2. On the 'Members' page select 'Managed identity', click 'Select members', choose 'User-assigned managed identity' from the drop-down, select the name of your identity and click 'Select'.
3. Click your created managed identity, then 'Review + assign'; click 'Review + assign' a second time to add the role assignment.
Configure the storage account to use the customer-managed key in your key vault
1. Return to your storage account; in the 'Security + networking' section select the 'Encryption' blade and choose 'Customer-managed keys'. Select 'Key vault and key', choose your key vault and key, then click 'Select'.
2. Make sure the identity type is 'User-assigned', click 'Select identity' to choose your user-assigned managed identity, click 'Add', then save.
Configure a time-based retention policy and an encryption scope
1. Navigate to the storage account; in the 'Data storage' section, select the 'Containers' blade. Create a container called hold, taking the defaults, and upload a file to it.
2. In the container's 'Settings' section, select the 'Access policy' blade.
3. In the 'Immutable blob storage' section, select 'Add policy', choose 'Time-based retention policy', set the retention period to 5 days and save.
4. Try to delete the file in the container and verify that you are notified the blob could not be deleted because of the policy.
The developers require an encryption scope that enables infrastructure encryption.
1. Navigate back to your storage account; in the 'Security + networking' section select 'Encryption', then under 'Encryption scopes' select 'Add' and give your encryption scope a name. While creating it, leave the encryption type as 'Microsoft-managed keys' and set 'Infrastructure encryption' to 'Enabled'. Click 'Create'.
2. Return to the storage account and create a new container.
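The whole lab (Step A through the encryption scope) as an Azure CLI script, added here as an example and not part of the original post. Resource names are placeholders, the two roles are the ones the lab assigns, and it goes slightly beyond the portal steps by also enforcing TLS 1.2 and disabling anonymous blob access; `DRY_RUN=1` prints the `az` commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): the lab's portal clicks as an Azure CLI
# script. Names are placeholders; DRY_RUN=1 prints the az commands instead of running them.
set -eu
RG=${RG:-rg-storage-lab}; LOC=${LOC:-eastus}; SA=${SA:-stlabprivate001}
UAMI=${UAMI:-id-webapp}; KV=${KV:-kv-lab-cmk-001}; KEY=${KEY:-storage-cmk}
run()   { if [ -n "${DRY_RUN:-}" ]; then echo "az $*"; else az "$@"; fi; }
query() { if [ -n "${DRY_RUN:-}" ]; then echo "<$1>"; else shift; az "$@" -o tsv; fi; }
# Step A: storage account with infrastructure (double) encryption; TLS 1.2 minimum and
# anonymous blob access disabled go beyond the lab. Plus the web app's identity.
create_storage_and_identity() {
  run storage account create -n "$SA" -g "$RG" -l "$LOC" --sku Standard_LRS \
    --kind StorageV2 --require-infrastructure-encryption true \
    --min-tls-version TLS1_2 --allow-blob-public-access false
  run identity create -n "$UAMI" -g "$RG" -l "$LOC"
}
# Least privilege: grant role $1 to the identity at exactly scope $2 (one resource).
grant_role() {
  principal=$(query principalId identity show -n "$UAMI" -g "$RG" --query principalId)
  run role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal --role "$1" --scope "$2"
}
# Step B: RBAC-mode vault with purge protection (soft delete is on by default), an RSA
# key, the wrap/unwrap role for the identity, then the customer-managed key on the account.
create_vault_and_cmk() {
  run keyvault create -n "$KV" -g "$RG" -l "$LOC" \
    --enable-rbac-authorization true --enable-purge-protection true
  run keyvault key create --vault-name "$KV" -n "$KEY" --kty RSA --size 2048
  grant_role "Key Vault Crypto Service Encryption User" \
    "$(query vaultId keyvault show -n "$KV" -g "$RG" --query id)"
  uami_id=$(query identityId identity show -n "$UAMI" -g "$RG" --query id)
  kv_uri=$(query vaultUri keyvault show -n "$KV" -g "$RG" --query properties.vaultUri)
  run storage account update -n "$SA" -g "$RG" --identity-type UserAssigned \
    --user-identity-id "$uami_id" --key-vault-user-identity-id "$uami_id" \
    --encryption-key-source Microsoft.Keyvault --encryption-key-vault "$kv_uri" \
    --encryption-key-name "$KEY"
}
# Step C: 5-day time-based retention on 'hold' and a scope requiring infrastructure encryption.
configure_retention_and_scope() {
  run storage container create --account-name "$SA" -n hold --auth-mode login
  run storage container immutability-policy create --account-name "$SA" -c hold --period 5
  run storage account encryption-scope create --account-name "$SA" -g "$RG" -n devscope \
    --key-source Microsoft.Storage --require-infrastructure-encryption true
}
if [ "${1:-}" = apply ]; then
  create_storage_and_identity
  grant_role "Storage Blob Data Reader" "$(query storageId storage account show -n "$SA" -g "$RG" --query id)"
  create_vault_and_cmk; configure_retention_and_scope
fi
```

Run it as `sh lab.sh apply` after `az login`; the retention policy step can be verified afterwards by attempting to delete the uploaded blob, which fails while the policy is in force.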