articles/storage/common/shared-key-authorization-prevent.md
Lines changed: 7 additions & 8 deletions
@@ -20,7 +20,9 @@ Every secure request to an Azure Storage account must be authorized. By default,
When you disallow Shared Key authorization for a storage account, Azure Storage rejects all subsequent requests to that account that are authorized with the account access keys. Only secured requests that are authorized with Azure AD will succeed. For more information about using Azure AD, see [Authorize access to data in Azure Storage](authorize-data-access.md).
-
This article describes how to detect requests sent with Shared Key authorization and how to remediate Shared Key authorization for your storage account.
+
The **AllowSharedKeyAccess** property of a storage account is not set by default and does not return a value until you explicitly set it. The storage account permits requests that are authorized with Shared Key when the property value is **null** or when it is **true**.
+
+
This article describes how to use a DRAG (Detection-Remediation-Audit-Governance) framework to continuously manage Shared Key authorization for your storage account.
## Prerequisites
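Review bot: the added line at +25 introduces a coined acronym, "DRAG (Detection-Remediation-Audit-Governance) framework", that nothing else in the visible article uses; the headings that survive in this diff ("Monitor compliance with the policy", "Monitor the Azure Policy for compliance", "Update the Azure Policy assignment to prevent allowing Shared Key access") carry none of those four labels, so a reader has no way to map the framework onto the steps. Either keep the removed sentence at -23 ("This article describes how to detect requests sent with Shared Key authorization and how to remediate Shared Key authorization for your storage account") or add a short list under the new sentence that names which section implements each of the four stages. Moving the **AllowSharedKeyAccess** null/true paragraph into the introduction at +23 is fine on its own, but it now sits several screens away from the step that actually sets the property to **false**, so that step should keep at least a cross-reference to it.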
@@ -122,10 +124,9 @@ Follow these steps to assign the built-in policy for the appropriate scope in th
1. On the **Review + create** tab, review the policy assignment then select **Create** to assign the policy definition to the specified scope.
-
> [!NOTE]
-
> The default settings on the remaining tabs are sufficient for the purpose of assigning the policy in audit mode:
+
The default settings on the remaining tabs are sufficient for the purpose of assigning the policy in audit mode:
-
#### Monitor compliance with the Shared Key access policy
+
#### Monitor compliance with the policy
To monitor your storage accounts for compliance with the Shared Key access policy, follow these steps:
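Review bot: renaming the heading at -128/+129 from "Monitor compliance with the Shared Key access policy" to "Monitor compliance with the policy" changes its anchor from #monitor-compliance-with-the-shared-key-access-policy to #monitor-compliance-with-the-policy, so every link that targets the old anchor, in this file and in any other article or redirect, has to be updated in the same change; the single link fixed later in this diff covers one reference only. The shorter title is also less self-describing for readers who arrive via a link, because the article describes both an audit-mode assignment and a later switch of the same assignment to deny, and "the policy" does not say which. Dropping the `> [!NOTE]` wrapper around "The default settings on the remaining tabs are sufficient for the purpose of assigning the policy in audit mode:" is a reasonable demotion, but the sentence still ends in a colon and must still introduce the list that follows at line 128 once it is plain body text; check that the rendered list is not now separated from it by a blank line.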
@@ -229,8 +230,6 @@ After you have analyzed how requests to your storage account are being authorize
When you are confident that you can safely reject requests that are authorized with Shared Key, you can set the **AllowSharedKeyAccess** property for the storage account to **false**.
-
The **AllowSharedKeyAccess** property is not set by default and does not return a value until you explicitly set it. The storage account permits requests that are authorized with Shared Key when the property value is **null** or when it is **true**.
-
> [!WARNING]
> If any clients are currently accessing data in your storage account with Shared Key, then Microsoft recommends that you migrate those clients to Azure AD before disallowing Shared Key access to the storage account.
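Review bot: removing the paragraph at -233/-234 takes the one operationally important caveat away from the exact place where the reader is told to set **AllowSharedKeyAccess** to **false** (context line 231). Because the property "permits requests that are authorized with Shared Key when the property value is null or when it is true", an account whose property was never set is exactly as exposed as one explicitly set to true, and any compliance query that tests `allowSharedKeyAccess == true` will silently skip the null accounts. With the paragraph now living only in the introduction, keep a one-sentence reminder here (or a link back to it) so the `> [!WARNING]` about clients still using Shared Key is read together with the fact that "not set" means "allowed".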
@@ -313,9 +312,9 @@ az storage container create \
## Monitor the Azure Policy for compliance
-
Continue to [monitor the policy](#monitor-compliance-with-the-shared-key-access-policy) you created earlier for ongoing compliance.
+
Continue to [monitor the policy](#monitor-compliance-with-the-policy) you created earlier for ongoing compliance.
-
## Update the Azure Policy assignment to prevent allowing Shared Key access
To begin enforcing [the Azure Policy assignment you previously created](#configure-the-azure-policy-for-shared-key-access-in-audit-mode) for policy **Storage accounts should prevent shared key access**, change the effect of the policy assignment to deny to allow Shared Key access on storage accounts. To change the effect of the policy, perform the following steps:
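Review bot: the unchanged context line that closes this hunk, "change the effect of the policy assignment to deny to allow Shared Key access on storage accounts", says the opposite of what the section does; with a Deny effect the policy **Storage accounts should prevent shared key access** rejects non-compliant resources, that is, storage accounts that allow Shared Key access. Since this change already edits the section (the anchor fix at -316/+315 and the removed line at -318), reword it to "change the effect of the policy assignment to Deny so that storage accounts that allow Shared Key access are rejected". The new link target #monitor-compliance-with-the-policy does match the renamed heading, so the fix at +315 is correct, but confirm that no other page still links to the old #monitor-compliance-with-the-shared-key-access-policy anchor.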