L13. Storage Account Security
Course outlineLesson 13 of 18
Storage Account security covers SAS tokens, the storage firewall, encryption at rest, and Defender for Storage. The AZ-500 tests all four areas: know the SAS types, what the firewall does and does not block, and how CMK differs from Microsoft-managed keys.
Shared Access Signatures (SAS)
A SAS token grants time-limited, scoped access to storage resources without sharing the account key.
| SAS Type | Scope | Revocation |
|---|---|---|
| Account SAS | Entire storage account | Delete/rotate account key |
| Service SAS | Specific service (Blob, Queue, etc.) | Delete/rotate account key |
| User Delegation SAS | Blob/Data Lake | Revoke the Entra user's key via API |
Storage Firewall
The storage firewall restricts access to specific VNets (via Service Endpoints) and IP ranges. Key behaviours:
- "Allow trusted Microsoft services" exception: Enables Azure services like Backup, Event Grid, and Azure Monitor to bypass the firewall even when all public access is restricted.
- Setting "Disable public network access" blocks everything including Service Endpoint traffic: only Private Endpoint traffic is allowed.
Encryption
All data in Azure Storage is encrypted at rest using AES-256 by default (Microsoft-managed keys). For regulatory requirements:
- Customer-Managed Keys (CMK): Your key in Key Vault encrypts the storage account's data encryption key. You control rotation and can revoke access.
- Customer-Provided Keys: You send an encryption key on each request: the key is not stored by Azure.
Defender for Storage
Defender for Storage detects: unusual access patterns, anonymous access to containers, hash reputation analysis for uploaded files, malware scanning (preview). Enable per storage account or per subscription.
- ✓User Delegation SAS is signed with Entra credentials: most secure, revocable without rotating the account key
- ✓"Allow trusted Microsoft services" exception lets Azure Monitor, Backup, and Event Grid bypass the firewall
- ✓"Disable public network access" blocks even Service Endpoint traffic: only Private Endpoints bypass it
- ✓CMK: your Key Vault key encrypts the storage encryption key. Revoking the key makes data inaccessible
- ✓Defender for Storage detects unusual access patterns, anonymous container access, and malware in uploads
1. Which SAS token type provides the most granular, revocable access control for a storage account?
2. Microsoft Defender for Storage detects which of the following threats?
3. A storage account has 'Allow storage account key access' disabled. What is the impact?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.