Configure access control for storage accounts

Practice Test

True or False: The use of shared access signatures (SAS) is a method to grant limited access to objects in your storage account.

• True
• False

Answer: True

Explanation: SAS is a powerful tool for granting limited, timed access to objects in a storage account in a secure manner.

Which Azure feature allows for the configuration of network rules to control access to storage accounts based on IP address or virtual network?

• A. Network Security Group (NSG)
• B. Firewall and virtual network
• C. Azure Active Directory
• D. None of the above

Answer: B. Firewall and virtual network

Explanation: Firewall and virtual network settings in Azure storage accounts is the feature that allows you to configure network rules.

In Azure, can you use Azure Active Directory (Azure AD) to authorize access to blobs and queues?

• A. Yes
• B. No

Answer: A. Yes

Explanation: Azure AD integration provides superior security and ease of use by allowing you to use your Azure role-based access control (RBAC) assignments to authorize access to blob and queue data.

True or False: Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources.

• True
• False

Answer: True

Explanation: Azure RBAC is a feature for providing fine-grained access management to Azure resources including storage accounts.

When it comes to enabling secure transfer from Azure storage, with which of the following services is it not compulsory to use HTTPS?

• A. Blob storage
• B. Azure Files
• C. Queue storage
• D. None of the above

Answer: D. None of the above

Explanation: Secure transfer required enhances the security of all services by only allowing requests to the storage account through a secure connection.

True or False: Using shared keys, an application or a user must have the full rights of the storage account.

• True
• False

Answer: True

Explanation: Shared Key authorization provides clients with full permissions to any resources in your storage account.

What type of key should be used for granting read-only access to a specific blob?

• A. Account SAS
• B. Service SAS
• C. User Delegation SAS
• D. None of the above

Answer: B. Service SAS

Explanation: A service SAS is for granting access to specific resources in a storage account and for specific types of operations.

Which Azure Storage component is not concerned with access control?

• A. Data Lake Storage.
• B. Blob Storage.
• C. Queue Storage.
• D. Cosmos DB.

Answer: D. Cosmos DB

Explanation: Cosmos DB is a database service and not a component of Azure Storage that is concerned with access control.

True or False: Network rules combined with Azure Active Directory (Azure AD) authentication provide dual layers of security for your storage account.

• True
• False

Answer: True

Explanation: Network rules authorize requests originating from specified IP addresses and addresses within chosen subnets, and Azure AD authorize based on identity, giving dual layers of security.

Which of the following is not a way to configure access to Azure blobs?

• A. Using Azure RBAC
• B. Using a firewall
• C. Using access keys
• D. Using a virtual network

Answer: B. Using a firewall

Explanation: Azure blobs can be accessed through Azure RBAC, Access keys, and a Virtual network, but not directly through a firewall.

Interview Questions

How do you control access to storage account data in Microsoft Azure?

You control access to storage account data in Azure by defining Azure role-based access control (Azure RBAC) role assignments, Azure Active Directory (Azure AD), and network rules.

What is Azure role-based access control (Azure RBAC)?

Azure RBAC is a system that provides fine-grained access management of Azure resources. Using Azure RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs.

How do you implement Azure RBAC for a storage account?

To implement Azure RBAC for a storage account, you need to create a new role assignment. This involves selecting the appropriate role and the user, group, service principle, or managed identity to assign the role to.

What is the purpose of Azure Active Directory (Azure AD) in managing access to storage accounts?

Azure AD provides secure, enterprise-grade identity and access management for Azure storage accounts. It enables you to control access to your storage accounts and secure your data by allowing you to authenticate and authorize users and applications.

What are network rules in the context of Azure storage accounts?

Network rules in Azure storage accounts allow or deny access to the storage account based on the IP address or range of the request.

What are the steps to configure network rules for a storage account?

To configure network rules for a storage account, follow these steps:

a. In the Azure portal, go to the storage account you wish to secure.

b. Under the settings section, click on ‘Firewalls and virtual networks’.

c. Select the appropriate rule type and configure as required.

What is the role of “Storage Blob Data Owner” in Azure RBAC?

The role of “Storage Blob Data Owner” in Azure RBAC allows for data management in Azure Blob Storage – this includes granting read/write/delete permissions to Blob Storage resources.

What happens if no network rule matches the source IP address of a request to store data?

If no network rule matches the source IP address of a request, the request is denied by default.

Can I combine both network rules and Azure AD for access control?

Yes, you can combine network rules and Azure AD for more enhanced access control. This allows you to filter requests from specific networks and only allow authenticated requests.

How can I verify the access control settings for my Azure Storage account?

You can verify the access control settings through Azure Portal by selecting your storage account and reviewing the settings under the ‘Firewalls and virtual networks’ section.

Can I assign more than one role to a single user in Azure RBAC?

Yes, you can assign multiple roles to a single user in Azure RBAC, giving them more than one set of permissions.

Does Azure provide any built-in roles for controlling access to storage accounts?

Yes, Azure provides several built-in roles for controlling access to storage accounts. These include roles like Storage Account Contributor, Storage Blob Data Owner, Storage Blob Data Contributor, etc.

How can I share access to my storage account securely with a third party?

You can securely share access to your storage account with a third party by creating a shared access signature (SAS) which provides secure, delegated access to resources in your storage account.

What is the advantage of using Azure AD for access control instead of Shared Key?

Using Azure AD for access control provides an enhanced level of security as it allows for per-user authentication and authorization. It also supports Azure AD Conditional Access policies, enabling further security measures.

What does the principal in Azure RBAC refer to?

The principal in Azure RBAC refers to the entity being given access to resources. A principal could be anything that an Azure AD directory object such as a user, group, service principal, or managed identity.