DEV Community

1suleyman
1suleyman

Posted on

Exercise 05: Secure Azure Storage for a New Company App

#azure #cloud #beginners #documentation

In this lab, I explored how to provide secure, controlled, and compliant Azure storage for a new company application. The devs needed full control over how the storage was accessed β€” only via keys and managed identities, with role-based access control (RBAC), customer-managed encryption, and immutable blob retention policies for compliance and testing.

Let’s get into the details.

πŸ” Scenario

The company is developing a new app and wanted the backing storage to be secure and compliant:

  • πŸ”‘ Access only via keys and user-assigned managed identities
  • πŸ” Encryption must use a customer-managed key (CMK) stored in Key Vault
  • πŸ”’ Test files need to be locked down with time-based retention
  • 🧱 Files should be stored under an encryption scope with infrastructure encryption

πŸ› οΈ Skilling Tasks

  • βœ… Create a storage account with infrastructure encryption
  • βœ… Create a user-assigned managed identity and assign RBAC
  • βœ… Secure access with Azure Key Vault and a customer-managed key
  • βœ… Enable immutable blob policies for file retention
  • βœ… Create an encryption scope with infrastructure encryption

πŸ”Ή Step 1: Create the Storage Account and Managed Identity

I started by creating a new resource group: storagerg2.

Then, I created a Storage Account named az104bobstg2 with:

  • Infrastructure encryption enabled (extra layer of encryption)
  • Review + Create > βœ… Passed validation > Created successfully

Next, I needed a user-assigned managed identity for the app:

  • Searched for Managed identities
  • Created one named managedbob in storagerg2

πŸ” After that, I granted the identity Storage Blob Data Reader permissions:

  1. Went to the IAM tab of my storage account
  2. Added the role to managedbob
  3. Verified RBAC was assigned correctly

πŸ”’ Step 2: Secure Access with Azure Key Vault and CMK

I needed a Key Vault to store the customer-managed encryption key:

  1. Created a Key Vault called keyvaultbob in the same RG
  2. Ensured Azure RBAC was selected
  3. Ensured Purge protection was enabled (critical for CMK use)

Got an error initially:

❌ β€œOperation not allowed by RBAC”

βœ… Fixed it by assigning myself the Key Vault Administrator role in IAM.

Then, I generated a key named bobkey.

πŸ’‘ Note: You must enable Soft Delete and Purge Protection on the vault for customer-managed keys to work β€” I hit this roadblock too!

πŸ” Step 3: Configure the Storage Account to Use the Customer-Managed Key

Before assigning the key:

  • I assigned the Key Vault Crypto Service Encryption User role to managedbob (via IAM in the RG).

Then, back in the Encryption blade of the storage account:

  1. Selected Customer-managed keys
  2. Pointed to my Key Vault and selected bobkey
  3. Set the identity type to User-assigned, and selected managedbob
  4. Saved changes β€” success!

πŸ”‘ Now my storage account uses my Key Vault key to encrypt its contents.

🧷 Step 4: Configure Time-Based Retention (Immutable Blob Policy)

To lock files for compliance testing, I enabled time-based immutability:

  1. Created a new container called hold
  2. Uploaded a test file
  3. Opened the Access policy blade and added a Time-based retention policy for 5 days
  4. Saved the policy

Then, I tested it by trying to delete the file...

❌ Result: β€œFailed to delete blobs due to policy” β€” exactly what I wanted!

🧊 Step 5: Create an Encryption Scope with Infrastructure Encryption

For more control, I created a scoped encryption option:

  1. In Encryption > Encryption scopes, I clicked Add
  2. Named it encryptionbob
  3. Set the encryption type to Microsoft-managed key
  4. Enabled Infrastructure encryption
  5. Created the scope

When creating a new container, I could now assign encryptionbob as the encryption scope under the Advanced section.

βœ… This means files in this container get encrypted using a defined scope, while the overall account still uses CMK.

🧹 Cleanup Tip

If you're doing this in your own subscription, remember to delete the resource group to avoid unwanted costs:

az group delete --name storagerg2
Enter fullscreen mode Exit fullscreen mode

🧠 Key Takeaways

This was a super valuable exercise in securing and customizing storage for enterprise-grade apps.

Here’s what I walked away with:

  • RBAC + Managed Identities gives granular, secure access control
  • Customer-Managed Keys (CMK) lets me bring my own encryption keys using Key Vault
  • Immutable blob policies ensure compliance and protect against tampering or deletion
  • Encryption scopes offer scoped, fine-grained encryption with optional infrastructure encryption

🎯 If you're building apps that need serious compliance, this setup is exactly how you'd secure your storage. The combo of encryption, role-based access, and immutability covers all the bases.

On to the next one! πŸ’ͺ

Top comments (0)