none
Storage Account - Dropping Files into Secure Folder? RRS feed

  • Question

  • If we want to replace FTP and put 1000's of files into Azure Storage, where there are many companies, externally uploading those files, that others should not have access too or see those files that are not theirs, how does one secure the "whatever we use in Azure" to do this?

    • Are we creating multiple Storage Accounts? Not finding documentation or examples of this from https://azure.microsoft.com/en-us/services/storage/ or this https://azure.microsoft.com/en-us/services/storage/files/.
    • Firing up a VM and using IIS FTP?
    • Just not going to work.

    FTP is not consider secure anymore for our company.


    Chris


    Thursday, December 5, 2019 1:06 PM

Answers

  • As I understand you need to restrict the access of Azure storage uploaded files and folder from other users am I correct?

    You can also create the folder in Private mode and provide the access to the others in different ways after data is been uploaded. You have also manage access policies 

    If so, you can use Azure Blob and Azure File storage. This article explains authorization access to Azure Storage account.

    You can create one Storage account à  Under that you have different containers/blobs i.e folders and file share/filesync.

    You can also set RBAC roles for blobs and there few Built-in roles.

    Azure provides the following built-in RBAC roles for authorizing access to blob data using Azure AD and OAuth:

    For more information refer to this article

    Storage File Data SMB Share Contributor Allows for read, write, and delete access in Azure Storage file shares over SMB

     Storage File Data SMB Share Elevated Contributor Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB

     Storage File Data SMB Share Reader Allows for read access to Azure File Share
    Learn more about 
    Azure Storage security guide

    SAS could meet your requirements. With a SAS, you can grant clients access to resources in your storage account, without sharing your account keys. And you could set the interval over which the SAS is valid, and the permissions granted by the SAS. For example, a SAS for a blob might grant read and write permissions to that blob, but not delete permissions.

    You could create SAS pointing to one or more resources and including a token that contains a special set of query parameters.

    Here are two examples about how to use SAS, first SAS examples and create SAS.

    Hope this helps! 

    Kindly let us know if the above helps or you need further assistance on this issue.
    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.

    Friday, December 6, 2019 5:55 AM
    Moderator

All replies

  • As I understand you need to restrict the access of Azure storage uploaded files and folder from other users am I correct?

    You can also create the folder in Private mode and provide the access to the others in different ways after data is been uploaded. You have also manage access policies 

    If so, you can use Azure Blob and Azure File storage. This article explains authorization access to Azure Storage account.

    You can create one Storage account à  Under that you have different containers/blobs i.e folders and file share/filesync.

    You can also set RBAC roles for blobs and there few Built-in roles.

    Azure provides the following built-in RBAC roles for authorizing access to blob data using Azure AD and OAuth:

    For more information refer to this article

    Storage File Data SMB Share Contributor Allows for read, write, and delete access in Azure Storage file shares over SMB

     Storage File Data SMB Share Elevated Contributor Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB

     Storage File Data SMB Share Reader Allows for read access to Azure File Share
    Learn more about 
    Azure Storage security guide

    SAS could meet your requirements. With a SAS, you can grant clients access to resources in your storage account, without sharing your account keys. And you could set the interval over which the SAS is valid, and the permissions granted by the SAS. For example, a SAS for a blob might grant read and write permissions to that blob, but not delete permissions.

    You could create SAS pointing to one or more resources and including a token that contains a special set of query parameters.

    Here are two examples about how to use SAS, first SAS examples and create SAS.

    Hope this helps! 

    Kindly let us know if the above helps or you need further assistance on this issue.
    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.

    Friday, December 6, 2019 5:55 AM
    Moderator
  • Thanks will look into this.

    Chris

    Friday, December 6, 2019 12:56 PM