You need to recommend a security solution for containers in Azure Blob storage. The solution must ensure that only read permissions are granted to a specific user for a specific container.
What should you include in the recommendation?
To ensure that only read permissions are granted to a specific user for a specific container in Azure Blob Storage, the most appropriate solution is to use an RBAC role in Azure Active Directory. Role-Based Access Control (RBAC) allows for precise access management and can be scoped to specific users and specific containers. This level of granularity ensures that access rights are limited strictly to designated users. While shared access signatures (SAS) can provide access controls, they are generally meant for temporary or delegated access and are more challenging to manage on a per-user basis compared to RBAC.
Reading this carefully: "granted to a specific user for a specific container." It should be RBAC. SAS is not for a specific user. It is designed to be created and given to ANY authenticated user. On the other hand, RBAC is used to authorize users at the container level.
Only if the requirement is to provide access to a blob for a specific period of time should SAS be used.
I think RBAC is the correct answer. SAS can only grant permissions on the whole storage account, not at the container level.
I think SAS is correct : A user delegation SAS, introduced with version 2018-11-09. A user delegation SAS is secured with Azure AD credentials. This type of SAS is supported for the Blob service only and can be used to grant access to containers and blobs. For more information, see Create a user delegation SAS.
Agree, option B mentions Roles but SAS user delegation uses users, groups, service principals or managed identities.
I think so too. Need to pay attention to this: "granted to a specific user for a specific container."
I think RBAC is the correct answer too because Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to Blob and Queue storage. With Azure AD, you can use role-based access control (RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against Blob or Queue storage. Authorizing requests against Azure Storage with Azure AD provides superior security and ease of use over Shared Key authorization. Microsoft recommends using Azure AD authorization with your blob and queue applications when possible to minimize potential security vulnerabilities inherent in Shared Key. https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad?toc=/azure/storage/blobs/toc.json
SAS can grant permissions even at the folder level. It is not restricted to the storage account level. So, you can set up a connection for the user with only read permissions to a single container.
SAS IS CORRECT
Both SAS and RBAC are okay at the container level. For the folder level it should be SAS. https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control
The answer is correct https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
I don't think the correct answer is SAS, there are three types of SAS: Account-level SAS, Service-level SAS, and user delegation SAS. The last option gives you granular access and works with RBAC instead of the storage account keys, so the SAS and permissions granted to the Azure principal via RBAC must be aligned. The question does not specify a clear option. https://docs.microsoft.com/en-us/rest/api/storageservices/delegate-access-with-shared-access-signature
Answer is B. RBAC. https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad#resource-scope
RBAC provides coarse-grained access, i.e. at the account level. RBAC cannot provide access to specific containers. You will need to use ACLs for that. Since ACL is not an option here, the next best choice becomes SAS. Though SAS is usually used for temporary, time-bound access.
Either a delegation SAS or RBAC can apply permissions at the container level; the question, or the options, should be more specific.
B. an RBAC role in Azure Active Directory (Azure AD)
Explanation: While both SAS and RBAC can achieve this, a user delegation SAS is itself backed by Azure AD, hence RBAC is the preferred way. Azure Active Directory (Azure AD) authorizes access rights to secured resources through Azure role-based access control (Azure RBAC). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access blob or queue data. When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-portal
There is no such thing as "RBAC role in Azure Active Directory"
Why an RBAC role in Azure Active Directory (Azure AD) is NOT the correct answer?
A user delegation SAS, introduced with version 2018-11-09. A user delegation SAS is secured with Azure AD credentials. This type of SAS is supported for the Blob service only and can be used to grant access to containers and blobs. For more information, see Create a user delegation SAS.
"To get the user delegation key and create the SAS, an Azure AD security principal must be assigned a role-based access control (RBAC) " -> I would say RBAC directly then ? https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
I think you are right; besides, the question starts with 'recommend a security solution for containers'. Maybe SAS works too, but RBAC is more secure: 'Authorizing requests against Azure Storage with Azure AD provides superior security ... Microsoft recommends using Azure AD authorization with your blob applications when possible to assure access with minimum required privileges.' https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory
Create a user delegation SAS for a container or blob with the Azure CLI https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-cli
When your application design requires shared access signatures for access to Blob storage, use Azure AD credentials to create a user delegation SAS when possible for superior security. So SAS is a good choice.
There is no "user delegation SAS" in the question.
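As an added example (not from any commenter here, nor from Microsoft's docs), the two approaches discussed above as Azure CLI commands: a Storage Blob Data Reader assignment scoped to one container, and a read-only user delegation SAS for the same container. Subscription, resource group, account, container and user names are placeholders; the functions only print the commands unless AZ_APPLY=1 is set.

```shell
#!/bin/sh
# Added example: container-scoped RBAC assignment vs. user delegation SAS.
# All names are placeholders; nothing is sent to Azure unless AZ_APPLY=1.

# Build the ARM resource ID of a single blob container. Assigning a role at
# this scope (instead of the storage account) is what limits the user to one container.
container_scope() {
  sub="$1"; rg="$2"; account="$3"; container="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s\n' \
    "$sub" "$rg" "$account" "$container"
}

# Grant read-only data-plane access (Storage Blob Data Reader) to one user on one container.
# Prints the command; runs it only when AZ_APPLY=1.
assign_container_reader() {
  user="$1"; scope="$2"
  cmd="az role assignment create --assignee \"$user\" --role \"Storage Blob Data Reader\" --scope \"$scope\""
  echo "$cmd"
  [ "${AZ_APPLY:-0}" = "1" ] && eval "$cmd"
  return 0
}

# Alternative: a user delegation SAS, signed with the caller's Azure AD credentials
# (--auth-mode login --as-user). Read-only (--permissions r), HTTPS only, time-bound
# (a user delegation SAS can be valid for at most 7 days). The caller still needs an
# RBAC role that permits requesting the user delegation key.
user_delegation_read_sas() {
  account="$1"; container="$2"; expiry="$3"
  cmd="az storage container generate-sas --account-name \"$account\" --name \"$container\" --permissions r --expiry \"$expiry\" --https-only --auth-mode login --as-user -o tsv"
  echo "$cmd"
  [ "${AZ_APPLY:-0}" = "1" ] && eval "$cmd"
  return 0
}

# Usage with placeholder values (prints the two commands)
SCOPE=$(container_scope 00000000-0000-0000-0000-000000000000 rg-demo stdemo001 invoices)
assign_container_reader "reader@contoso.example" "$SCOPE"
user_delegation_read_sas stdemo001 invoices 2030-01-01T00:00Z
```

Note that the SAS grants whoever holds the URL read access until expiry, whereas the role assignment is tied to the signed-in identity and shows up in Azure's activity logs.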
I would go for B https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad
I think RBAC is correct - because you need to provide access to a specific user for a specific container (using SAS anyone with the URL can access the container)
An RBAC on the container itself would be the easiest way. But option B states 'an RBAC role in Azure Active Directory (Azure AD)'. You don't create the role itself in AD. I therefore think SAS is the only valid option here.
RBAC: Storage Blob Data Owner: Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-blob-data-reader
It is pretty simple: send the SAS to just this user. But we cannot prove if someone else accessed it. In AD, if the user is added to a role and then the role is given access, then we know the role accessed it, but not whether other users are in that role!
and the smart ass did not explain why B is not a correct answer :D