Blob storage

Authentication and authorisation

Azure controls authorisation for Blob storage using Azure Active Directory. For temporary access to Azure Blob storage (that is, for an application or a non-human interaction), use shared access signatures (SAS).

Best practices

  • Create an Azure AD group, add users to the AD group, and then grant the required permissions on the target Blob storage to the target AD group.

  • Use shared access signatures (SAS) to grant applications temporary access to Blob storage.

  • Grant minimal permissions to Azure Blob storage.

  • For data that you need to retain for long periods (due to regulatory requirements), use an immutable Blob storage lock to protect the data from accidental deletion.
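The "temporary access" and "minimal permissions" points above are easiest to enforce if SAS tokens are reviewed before they are handed out. The following is an added example (not from the original text) that parses the documented SAS query parameters (`sp`, `se`, `spr`, `srt`) and flags a token that grants write permissions, lives longer than a policy threshold, allows plain HTTP, or spans every resource type of the account. The 24-hour lifetime limit and the two sample URLs are assumptions constructed for the example; the `sig=` values are dummies.

```python
"""Audit a shared access signature (SAS) URL for least-privilege settings."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Letters in the sp= parameter that allow modifying data (add, create, write,
# delete, delete-version); read (r) and list (l) are deliberately left out.
WRITE_PERMS = set("acwdx")
# Policy assumption for this example: a "temporary" SAS lives at most 24 hours.
MAX_LIFETIME = timedelta(hours=24)

# Constructed sample URLs; the host name and the sig= value are dummies.
SAS_READ_ONLY = (
    "https://example.blob.core.windows.net/reports/q1.csv"
    "?sv=2022-11-02&sr=b&sp=r&se=2024-01-01T18:00:00Z&spr=https&sig=dummy"
)
SAS_TOO_BROAD = (
    "https://example.blob.core.windows.net/"
    "?sv=2022-11-02&ss=b&srt=sco&sp=racwdl&se=2025-01-01T00:00:00Z&spr=https,http&sig=dummy"
)
FIXED_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for repeatable checks


def audit_sas(url: str, now: Optional[datetime] = None) -> List[str]:
    """Return findings for a SAS URL; an empty list means the token passes."""
    now = now or datetime.now(timezone.utc)
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings: List[str] = []

    perms = set(params.get("sp", ""))
    if perms & WRITE_PERMS:
        findings.append(f"write-capable permissions granted: sp={params['sp']}")

    expiry = params.get("se")
    if not expiry:
        findings.append("no expiry (se=) in the token; its lifetime is not bounded by the token itself")
    else:
        expires_at = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if expires_at - now > MAX_LIFETIME:
            findings.append(f"lifetime exceeds {MAX_LIFETIME}: expires {expiry}")

    # spr= defaults to "https,http" when absent, i.e. plain HTTP is accepted.
    if params.get("spr", "https,http") != "https":
        findings.append(f"plain HTTP allowed: spr={params.get('spr', '(absent)')}")

    # Account SAS only: srt= lists resource types (s=service, c=container, o=object).
    if set(params.get("srt", "")) >= set("sco"):
        findings.append(f"account SAS covers all resource types: srt={params['srt']}")

    return findings


if __name__ == "__main__":
    for label, url in (("read-only", SAS_READ_ONLY), ("too broad", SAS_TOO_BROAD)):
        print(label, audit_sas(url, FIXED_NOW) or ["ok"])
```

Running the block prints no findings for the read-only token and four for the account-wide one. The check deliberately treats a missing `spr=` as a finding, because the service default accepts both protocols.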

Network access

Because Azure Blob storage is a managed service that sits outside the customer's Virtual Network (VNet), it is important to protect network access to the service.

Best practices

  • Keep all Azure Blob storage (that is, all tiers) private.

  • To secure access from your VNet to Azure Blob storage, use an Azure private endpoint, which keeps the traffic on a private connection instead of sending it outside your VNet.

  • Enforce the use of transport encryption (HTTPS only) for all Azure Blob storage.

  • For sensitive environments, require a minimum of TLS version 1.2 for Azure Blob storage.

  • Deny network access to the Azure storage account by default, and only allow access that matches predefined rules, such as an allow list of IP addresses.

  • Encrypt data at rest using Azure Key Vault.

  • For sensitive environments (for example, which contain PII, credit card details, healthcare data, and more), encrypt data at rest using customer-managed keys (CMKs) stored inside Azure Key Vault.
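The bullets above map onto a handful of storage account properties, so they can be checked mechanically. The following is an added example (not from the original text) that evaluates an account description in the JSON shape printed by `az storage account show` (camelCase property names) against those recommendations, and shows a weak configuration beside the corrected one. Both account documents are constructed samples; the account name, the IP range, the private endpoint name and the Key Vault URI are placeholders.

```python
"""Check a storage account's settings against the network-access best practices."""
import json
from typing import Dict, List

# Constructed sample in the JSON shape that `az storage account show` prints;
# this is what an account left on its defaults commonly looks like.
BEFORE_JSON = """{
  "name": "examplestorage",
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_0",
  "allowBlobPublicAccess": true,
  "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Allow",
                     "ipRules": [], "virtualNetworkRules": []},
  "privateEndpointConnections": [],
  "encryption": {"keySource": "Microsoft.Storage"}
}"""

# The same account with the settings this section recommends (placeholder values).
AFTER_JSON = """{
  "name": "examplestorage",
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_2",
  "allowBlobPublicAccess": false,
  "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Deny",
                     "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
                     "virtualNetworkRules": []},
  "privateEndpointConnections": [{"name": "pe-examplestorage-blob",
                                  "privateLinkServiceConnectionState": {"status": "Approved"}}],
  "encryption": {"keySource": "Microsoft.Keyvault",
                 "keyVaultProperties": {"keyName": "storage-cmk",
                                        "keyVaultUri": "https://example-kv.vault.azure.net/"}}
}"""


def check_storage_account(account: Dict, require_cmk: bool = False) -> List[str]:
    """Return one finding per setting that deviates from the recommendations.

    require_cmk=True applies the stricter rule for sensitive environments
    (customer-managed key in Key Vault instead of Microsoft-managed keys).
    """
    findings: List[str] = []
    if not account.get("enableHttpsTrafficOnly", False):
        findings.append("HTTPS-only transfer is not enforced")
    tls = account.get("minimumTlsVersion")
    if tls != "TLS1_2":
        findings.append(f"minimum TLS version is {tls}; require TLS1_2")
    if account.get("allowBlobPublicAccess", True):
        findings.append("anonymous blob access is allowed at the account level")
    rules = account.get("networkRuleSet", {})
    if rules.get("defaultAction") != "Deny":
        findings.append("network default action is not Deny; the public endpoint accepts any address")
    if not account.get("privateEndpointConnections"):
        findings.append("no private endpoint; VNet traffic reaches the public service endpoint")
    if require_cmk and account.get("encryption", {}).get("keySource") != "Microsoft.Keyvault":
        findings.append("data at rest uses Microsoft-managed keys; sensitive data needs a CMK in Key Vault")
    return findings


if __name__ == "__main__":
    for label, doc in (("before", BEFORE_JSON), ("after", AFTER_JSON)):
        print(label, check_storage_account(json.loads(doc), require_cmk=True) or ["ok"])
```

With `require_cmk=True` the "before" account produces five findings (TLS version, public access, default action, missing private endpoint, key source) and the "after" account none. The HTTPS-only check passes on both because that setting is already on in the sample, which mirrors the common case where it is the TLS floor and the network rules, not transport encryption, that are left at defaults.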

Auditing and monitoring

Azure allows you to monitor Blob storage using Azure Monitor and Azure Security Center.

Best practices

  • Enable log alerts using the Azure Monitor service to track access to Azure Blob storage and raise alerts (for example, on multiple failed access attempts to Blob storage in a short period of time).

  • Enable Azure storage logging to audit all authorisation events for access to the Azure Blob storage.

  • Log anonymous successful access attempts in order to detect unauthorised access to Azure Blob storage.

  • Enable Azure Defender for Storage to receive security alerts in the Azure Security Center console.
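The first and third bullets describe two concrete detections: a burst of failed requests from one caller, and any anonymous request that succeeded. The following is an added example (not from the original text) that implements both over a handful of log rows. The rows are constructed and use the column names of the `StorageBlobLogs` table that Azure Monitor receives when storage logging is enabled (`TimeGenerated`, `CallerIpAddress`, `AuthenticationType`, `StatusText`, `OperationName`, `Uri`); the threshold of five failures in five minutes is an assumption. In production the same logic would be written as an Azure Monitor log alert query; this shows it running offline.

```python
"""Run the two detections this section describes over sample storage log rows."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

FAIL_THRESHOLD = 5                   # failed requests from one caller IP ...
FAIL_WINDOW = timedelta(minutes=5)   # ... inside this sliding window raise an alert


def row(ts: str, ip: str, auth: str, status: str, op: str = "GetBlob",
        uri: str = "https://examplestorage.blob.core.windows.net/reports/q1.csv") -> Dict:
    """Build one constructed log row using StorageBlobLogs column names."""
    return {"TimeGenerated": ts, "CallerIpAddress": ip, "AuthenticationType": auth,
            "StatusText": status, "OperationName": op, "Uri": uri}


# Constructed sample: one legitimate OAuth read, a burst of authorisation failures
# from one address, one anonymous read that succeeded, and two isolated failures.
SAMPLE_LOGS = [
    row("2024-03-01T10:00:00Z", "203.0.113.9:51120", "OAuth", "Success"),
    row("2024-03-01T10:00:10Z", "198.51.100.7:40001", "SAS", "AuthorizationFailure"),
    row("2024-03-01T10:00:30Z", "198.51.100.7:40002", "SAS", "AuthorizationFailure"),
    row("2024-03-01T10:01:00Z", "198.51.100.7:40003", "SAS", "AuthorizationFailure"),
    row("2024-03-01T10:01:30Z", "198.51.100.7:40004", "SAS", "AuthorizationFailure"),
    row("2024-03-01T10:02:00Z", "198.51.100.7:40005", "SAS", "AuthorizationFailure"),
    row("2024-03-01T10:02:30Z", "198.51.100.7:40006", "SAS", "AuthorizationFailure"),
    row("2024-03-01T10:03:00Z", "192.0.2.44:33212", "Anonymous", "Success",
        uri="https://examplestorage.blob.core.windows.net/public/logo.png"),
    row("2024-03-01T10:05:00Z", "203.0.113.9:51130", "OAuth", "AuthorizationFailure"),
    row("2024-03-01T10:20:00Z", "203.0.113.9:51140", "OAuth", "AuthorizationFailure"),
]


def _parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect(records: List[Dict]) -> List[Dict]:
    """Return alerts: repeated failures per caller IP, and every anonymous success."""
    alerts: List[Dict] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    already_alerted = set()
    for r in sorted(records, key=lambda r: r["TimeGenerated"]):
        ts = _parse_time(r["TimeGenerated"])
        ip = r["CallerIpAddress"].rsplit(":", 1)[0]  # drop the source port
        if r["StatusText"] == "Success":
            if r["AuthenticationType"] == "Anonymous":
                alerts.append({"rule": "anonymous_success", "ip": ip, "detail": r["Uri"]})
            continue
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > FAIL_WINDOW:   # evict failures older than the window
            window.popleft()
        if len(window) >= FAIL_THRESHOLD and ip not in already_alerted:
            already_alerted.add(ip)   # alert once per IP, not on every further failure
            alerts.append({"rule": "repeated_failures", "ip": ip,
                           "detail": f"{len(window)} failures in {FAIL_WINDOW}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the sample, the burst from 198.51.100.7 trips the threshold at its fifth failure and the anonymous read of `logo.png` raises the second alert; the two failures from 203.0.113.9 are fifteen minutes apart and never accumulate. Stripping the source port before grouping matters because each request is logged with a different ephemeral port.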