Guidelines on Providing Storage for a New Company App Part 2



This content originally appeared on DEV Community and was authored by Anene Emmanuel Anyibuofu

CONFIGURE THE STORAGE ACCOUNT TO USE A CUSTOMER-MANAGED KEY STORED IN THE KEY VAULT.

  1. Before continuing, make sure to assign the Key Vault Crypto Service Encryption User role to the managed identity.

A. In the Azure portal, search for Resource groups and select it from the results.

B. Select the Resource Group you have been working in (RG1).

C. On the Resource Group page (RG1),

  1. Go to the Access Control (IAM) blade.
  2. Click on + Add
  3. Select Add role assignment

D. Now on the Role page,

  1. Click on the Job function roles tab,
  2. Search for the Key Vault Crypto Service Encryption User role
  3. Select the search result (Key Vault Crypto Service Encryption User)
  4. Then click Next

E. On the Member page,

  1. Click on Managed Identity.
  2. Click on + Select Members.
  3. In the drop-down on the right-hand side, select User-assigned managed identity.
  4. Click on your Managed Identity
  5. Click on Select.

F. Click on the Review + assign tab and then click Review + assign.

ROLE ASSIGNED.

  1. Configure the storage account to use the customer-managed key in your Key Vault.

A. Go to your Storage Account (storageacct2demo1).

B. On the Storage Account page (storageacct2demo1)

  1. Click on Security + Networking on the drop-down,
  2. Select the Encryption blade
  3. On the Encryption page select Customer-managed keys
  4. And then click on Select a key vault and key

C. On Select a Key page,

  1. Select the Key Vault option
  2. Select your Key Vault (keyvault1demo1)
  3. Select your Key (New-App-Key-Demo)
  4. Click on Select

D. Make sure that Identity Type is User-assigned.

E. On User-assigned identity

  1. Click on Select an identity
  2. On the drop-down, select your User-assigned managed identity (demo)
  3. Click on Add,
  4. And then Save.

ROLE ASSIGNMENT ADDED.
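The two portal procedures above (granting the identity the Key Vault Crypto Service Encryption User role, then pointing the storage account at the customer-managed key) can also be scripted with the Azure CLI. This is an added example, not code from the original post: the resource names are the post's (RG1, keyvault1demo1, storageacct2demo1, New-App-Key-Demo and the identity named demo), while the helper function names and the `DRY_RUN` switch are my own. One deliberate difference from the portal walkthrough is that the role is scoped to the key vault itself rather than to the whole resource group, which is the least privilege the storage account needs.

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of the portal steps for CMK encryption.
# Set DRY_RUN=1 to print the az commands instead of running them.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Storage CMK requires soft delete and purge protection on the vault;
# both values should print as "true" before continuing.
check_vault_prereqs() {
  run az keyvault show -g "$1" -n "$2" \
    --query "[properties.enableSoftDelete, properties.enablePurgeProtection]" -o tsv
}

# Grant the user-assigned identity the Key Vault Crypto Service Encryption
# User role, scoped to the vault (least privilege), not the resource group.
assign_kv_crypto_role() {
  principal_id=$1   # principalId of the managed identity
  vault_id=$2       # ARM resource ID of the key vault
  run az role assignment create \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Crypto Service Encryption User" \
    --scope "$vault_id"
}

# Switch the storage account to the customer-managed key and tell it which
# user-assigned identity to use when talking to the vault. An empty key
# version lets the account pick up new key versions automatically.
configure_cmk() {
  rg=$1; account=$2; vault_uri=$3; key_name=$4; identity_id=$5
  run az storage account update \
    --resource-group "$rg" \
    --name "$account" \
    --identity-type UserAssigned \
    --user-identity-id "$identity_id" \
    --key-vault-user-identity-id "$identity_id" \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "$vault_uri" \
    --encryption-key-name "$key_name" \
    --encryption-key-version ""
}

# Verification: the account should now report keySource Microsoft.Keyvault.
check_cmk() {
  run az storage account show -g "$1" -n "$2" \
    --query "encryption.keySource" -o tsv
}

main() {
  rg=RG1; account=storageacct2demo1; vault=keyvault1demo1
  key=New-App-Key-Demo; identity=demo
  # Lookups below call az directly, so they only work when really applying.
  principal_id=$(az identity show -g "$rg" -n "$identity" --query principalId -o tsv)
  identity_id=$(az identity show -g "$rg" -n "$identity" --query id -o tsv)
  vault_id=$(az keyvault show -g "$rg" -n "$vault" --query id -o tsv)
  vault_uri=$(az keyvault show -g "$rg" -n "$vault" --query properties.vaultUri -o tsv)
  check_vault_prereqs "$rg" "$vault"
  assign_kv_crypto_role "$principal_id" "$vault_id"
  configure_cmk "$rg" "$account" "$vault_uri" "$key" "$identity_id"
  check_cmk "$rg" "$account"
}

# Only touch Azure when invoked as "sh cmk.sh apply"; otherwise the
# functions can be sourced or dry-run without credentials.
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Run it with `DRY_RUN=1 sh cmk.sh apply` first to review the exact commands (the lookups still need a logged-in session), then without `DRY_RUN` to apply. If `check_cmk` still prints `Microsoft.Storage`, the most common cause is that the role assignment has not propagated yet or was scoped to the wrong vault.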

SETTING A TIME-BASED RETENTION POLICY AND DEFINING AN ENCRYPTION SCOPE.

  1. The developers need a storage container where files cannot be modified, not even by an administrator.

A. Go to your Storage Account (storageacct2demo1).

B. On the Storage Account page,

  1. Click on Data Storage in the drop-down,
  2. Click on the Container blade
  3. Click on + Add Container to create a container
  4. Give your Container a name (new-container-demo),
  5. And then click on Create

C. Upload a file to your Container

  1. Click on Upload.
  2. Click on Browse for Files to select a file from your computer.
  3. And then click on Upload

D. Click on Settings,

  1. On the drop-down, select Access Policy
  2. In the Immutable blob storage section, click on + Add Policy

E. On the Immutable storage policy page,

  1. Click on Policy type and select Time-based retention from the drop-down.
  2. Set the Retention period to 5 days
  3. And make sure you click SAVE after setting this.
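The same container, upload and time-based retention policy, scripted with the Azure CLI. This is an added example and not code from the original post; the container and account names are the post's (new-container-demo, storageacct2demo1, RG1), the helper function names and `DRY_RUN` switch are mine, and the sample file path is a placeholder. One caveat the portal steps do not spell out: a newly created time-based policy is unlocked, which means it can still be shortened or deleted. It only becomes irreversible (the "not even an administrator" guarantee) once it is locked, which the last function does using the policy's current etag.

```shell
#!/bin/sh
# Added example: container with a time-based retention (immutability) policy.
# Set DRY_RUN=1 to print the az commands instead of running them.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

create_container() {
  run az storage container create --account-name "$1" --name "$2" --auth-mode login
}

upload_blob() {
  account=$1; container=$2; file=$3
  run az storage blob upload --account-name "$account" --container-name "$container" \
    --file "$file" --name "$(basename "$file")" --auth-mode login
}

# Time-based retention: every blob in the container is protected from
# modification and deletion for "days" days after it was created.
set_retention_policy() {
  rg=$1; account=$2; container=$3; days=$4
  case $days in
    ''|*[!0-9]*) echo "retention period must be a whole number of days" >&2; return 1 ;;
  esac
  run az storage container immutability-policy create \
    --resource-group "$rg" --account-name "$account" \
    --container-name "$container" --period "$days"
}

# Show the policy's period and whether it is Locked or Unlocked.
show_retention_policy() {
  run az storage container immutability-policy show \
    --resource-group "$1" --account-name "$2" --container-name "$3" -o table
}

# Locking is permanent: a locked policy can only have its period extended.
# The etag comes from "immutability-policy show --query etag -o tsv".
lock_retention_policy() {
  rg=$1; account=$2; container=$3; etag=$4
  run az storage container immutability-policy lock \
    --resource-group "$rg" --account-name "$account" \
    --container-name "$container" --if-match "$etag"
}

main() {
  rg=RG1; account=storageacct2demo1; container=new-container-demo
  create_container "$account" "$container"
  upload_blob "$account" "$container" "${SAMPLE_FILE:-/path/to/sample.txt}"  # placeholder path
  set_retention_policy "$rg" "$account" "$container" 5
  show_retention_policy "$rg" "$account" "$container"
}

if [ "${1:-}" = "apply" ]; then
  main
fi
```

Keep the policy unlocked while you are still testing with a 5-day period; lock it only once the retention period matches what the developers actually need, because after locking nobody, including the subscription owner, can shorten or remove it.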

  1. The developers need to create an encryption scope that enables infrastructure encryption.

A. Go back to your Storage Account (storageacct2demo1).

B. On the Storage Account page.

  1. Click on Security + Networking,
  2. And select Encryption.

C. On the Encryption page.

  1. Click on the Encryption Scopes tab
  2. Click on + Add

D. On the Create Encryption Scope page,

  1. Give your Encryption Scope a name (EncryptionScopeDemo)
  2. Set Encryption type as Microsoft-managed keys.
  3. The Infrastructure Encryption is Enabled by default.
  4. Click on Create to create the Encryption Scope

ENCRYPTION SCOPE NAME CREATED SUCCESSFULLY

E. Go back to your Storage Account and create a new Container

  1. Click on Data Storage in the drop-down,
  2. Click on the Container blade
  3. Click on + Add Container to create a container

F. On the New Container page, you’ll see fields for the container Name and Public access level. In the Advanced section, you can choose the encryption scope you created and apply it to all blobs within the container.

UP AND RUNNING
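The encryption scope and the container that uses it, scripted with the Azure CLI. This is an added example rather than code from the original post; the scope and account names are the post's (EncryptionScopeDemo, storageacct2demo1, RG1), the new container name and the helper function names are mine. Two points worth noting: the CLI sets infrastructure encryption explicitly with `--require-infrastructure-encryption true`, and `--prevent-encryption-scope-override true` is what actually enforces "apply it to all blobs within the container", because without it a client can still upload a blob under a different scope.

```shell
#!/bin/sh
# Added example: encryption scope with infrastructure (double) encryption,
# and a container that forces every blob to use that scope.
# Set DRY_RUN=1 to print the az commands instead of running them.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Microsoft-managed keys, as in the portal steps, plus a second layer of
# encryption at the infrastructure level.
create_encryption_scope() {
  rg=$1; account=$2; scope=$3
  run az storage account encryption-scope create \
    --resource-group "$rg" --account-name "$account" --name "$scope" \
    --key-source Microsoft.Storage \
    --require-infrastructure-encryption true
}

# Confirm the scope is Enabled and infrastructure encryption is on.
show_encryption_scope() {
  run az storage account encryption-scope show \
    --resource-group "$1" --account-name "$2" --name "$3" -o table
}

# The default scope applies to every new blob; preventing override means a
# client cannot pick a different scope on upload.
create_scoped_container() {
  account=$1; container=$2; scope=$3
  run az storage container create --account-name "$account" --name "$container" \
    --default-encryption-scope "$scope" \
    --prevent-encryption-scope-override true \
    --auth-mode login
}

main() {
  rg=RG1; account=storageacct2demo1; scope=EncryptionScopeDemo
  container=scoped-container-demo   # my own name; not from the post
  create_encryption_scope "$rg" "$account" "$scope"
  show_encryption_scope "$rg" "$account" "$scope"
  create_scoped_container "$account" "$container" "$scope"
}

if [ "${1:-}" = "apply" ]; then
  main
fi
```

Infrastructure encryption cannot be added to a scope after it is created, so if `show_encryption_scope` reports it as off, create a new scope rather than trying to edit the existing one.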

Final Thoughts

And that is a wrap on this storage setup project! If you have followed along, you now have a clear path to building secure, reliable storage for your app, from using customer-managed keys and Key Vault to setting retention policies and encryption scopes that help keep your data safe.

I hope this guide makes it a little easier to tackle these tasks without feeling overwhelmed. Cloud storage can be tricky, but breaking it down step by step makes a huge difference.

Thanks so much for reading. I really appreciate you taking the time to follow along. If you found this helpful, feel free to share it or drop a comment. I’d love to hear how you’re putting this into practice or what you’d like to learn next.

See you in the next one! 👋
