If you use account keys or connection strings to access Azure resources, there is a better way!

User Assigned Managed Identities (#UAMI) are more secure and less work to "manage", because you really don't have to maintain them once they are setup.

In this demo we set up connectivity from an #AppService to an Azure #KeyVault and #StorageAccount using UAMIs, showing the .NET code changes required to successfully connect to multiple resources. It isn't difficult!

https://www.youtube.com/watch?v=1W1-1vRRId8

Connect to an Azure service via User Assigned Managed Identities


๐ˆ๐ง๐ญ๐ซ๐จ๐๐ฎ๐œ๐ข๐ง๐  ๐Œ๐ข๐œ๐ซ๐จ๐ฌ๐จ๐Ÿ๐ญ ๐ƒ๐ž๐Ÿ๐ž๐ง๐๐ž๐ซ ๐Ÿ๐จ๐ซ ๐‚๐ฅ๐จ๐ฎ๐ ๐‹๐š๐›๐ฌ

Our labs project helps you get ramped up with Microsoft Defender for Cloud and provides hands-on practical experience with product features, capabilities, and scenarios. The labs are divided into 3 main tracks, a beginner (level 100/200) and an advanced (level 300+) track. The labs contain several modules covering different pillars, from Cloud Security Posture Management (CSPM) to Cloud Workload Protection (CWP). To start using our labs, you will need to create an Azure Trial Subscription, which provides you all capabilities for 30 days, so you have to finish this lab at this point to take advantage of the free trial.

https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Labs

#defender #defenderforcloud #cnapp #cspm #cwp #cwpp #cloudsecurity #multicloud #azure #aws #gcp #microsoft #microsoftsecurity #soc #server #container #storage #dns #api #devops #database #api #github #arc #agentless #storageaccount #mde #vulnerability #mdvm #siem

Microsoft-Defender-for-Cloud/Labs at main · Azure/Microsoft-Defender-for-Cloud

Welcome to the Microsoft Defender for Cloud community repository - Azure/Microsoft-Defender-for-Cloud


๐—›๐—ผ๐˜„ ๐˜๐—ผ ๐˜€๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ฒ ๐—ฎ ๐—™๐˜‚๐—ป๐—ฐ๐˜๐—ถ๐—ผ๐—ป ๐—”๐—ฝ๐—ฝ?

๐š‚ฬฒ๐šŽฬฒ๐šŒฬฒ๐šžฬฒ๐š›ฬฒ๐šŽฬฒโ€‚ฬฒ๐š˜ฬฒ๐š™ฬฒ๐šŽฬฒ๐š›ฬฒ๐šŠฬฒ๐šฬฒ๐š’ฬฒ๐š˜ฬฒ๐š—ฬฒ

โžก๏ธDefender for Cloud for assessment of potential configuration-related security vulnerabilities

โžก๏ธLog and monitor: diagnostic settings to configure streaming export of platform logs and metrics

โžก๏ธRequire HTTPS

โžก๏ธSecuring keys with Azure key Vault

โžก๏ธEnable App Service Authentication/Authorization

โžก๏ธUse Azure API Management (APIM) to authenticate requests

โžก๏ธRun your function app with the lowest possible permissions

โžก๏ธStore data encrypted

๐š‚ฬฒ๐šŽฬฒ๐šŒฬฒ๐šžฬฒ๐š›ฬฒ๐šŽฬฒโ€‚ฬฒ๐šฬฒ๐šŽฬฒ๐š™ฬฒ๐š•ฬฒ๐š˜ฬฒ๐šขฬฒ๐š–ฬฒ๐šŽฬฒ๐š—ฬฒ๐šฬฒ

โžก๏ธDisable FTP

โžก๏ธSecure the scm endpoint

๐™ฝฬฒ๐šŽฬฒ๐šฬฒ๐š ฬฒ๐š˜ฬฒ๐š›ฬฒ๐š”ฬฒโ€‚ฬฒ๐šœฬฒ๐šŽฬฒ๐šŒฬฒ๐šžฬฒ๐š›ฬฒ๐š’ฬฒ๐šฬฒ๐šขฬฒ

โžก๏ธSet access restrictions

โžก๏ธSecure the storage account

โžก๏ธPrivate site access with Azure Private Endpoint

โžก๏ธDeploy your function app in isolation configuring a Web Application Firewall (WAF) for App Service Environment.

More details: https://learn.microsoft.com/en-us/azure/azure-functions/security-concepts?tabs=v4

#security #azure #cloud #data #management #streaming #functionapp #serverless #waf #appservice #privateendpoint #networksecurity #securedeployment #apim #ftp #keyvault #key #vulnerability #assessment #misconfiguration #encryption #storage #storageaccount #defender #defenderforcloud #cnapp #cspm #cwpp #microsoft #microsoftsecurity #cloudsecurity #cloudnative #siem #monitoring #soc

Securing Azure Functions

Learn about how to make your function code running in Azure more secure from common attacks.

So, here is a #PowerShell #ResourceGraph query to list all storage accounts and their #allowSharedKeyAccess settings:

Search-AzGraph -Query "resources | where type =~ 'Microsoft.Storage/storageAccounts' | extend allowSharedKeyAccess = parse_json(properties).allowSharedKeyAccess | project subscriptionId, resourceGroup, name, allowSharedKeyAccess"

#Azure #StorageAccount #SharedKeyAccess

Ref: https://learn.microsoft.com/en-gb/azure/storage/common/shared-key-authorization-prevent

Prevent authorization with Shared Key - Azure Storage

To require clients to use Azure AD to authorize requests, you can disallow requests to the storage account that are authorized with Shared Key.
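The query above lists every account, whichever way the setting is configured. As an added example that is not part of the original post, the script below narrows it to accounts where Shared Key authorization is still possible and offers an opt-in remediation. It assumes the Az.ResourceGraph and Az.Storage modules, an existing Connect-AzAccount session, and that an unset allowSharedKeyAccess means Shared Key is still permitted (the service default).

```powershell
# Added example, not from the original post. Assumes Az.ResourceGraph and
# Az.Storage are installed and Connect-AzAccount has already been run.

function Get-SharedKeyEnabledStorageAccounts {
    # Assumption: a null allowSharedKeyAccess means Shared Key is still allowed,
    # because the platform default is "allowed" until explicitly set to false.
    $query = @"
resources
| where type =~ 'Microsoft.Storage/storageAccounts'
| extend allowSharedKeyAccess = tobool(properties.allowSharedKeyAccess)
| where isnull(allowSharedKeyAccess) or allowSharedKeyAccess == true
| project subscriptionId, resourceGroup, name, allowSharedKeyAccess
"@
    # -First caps one call at 1000 rows; page further if your tenant is larger.
    Search-AzGraph -Query $query -First 1000
}

function Disable-SharedKeyAccess {
    # Turns off Shared Key authorization so clients must use Azure AD.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account
    )
    process {
        $target = "$($Account.resourceGroup)/$($Account.name)"
        if ($PSCmdlet.ShouldProcess($target, 'Set AllowSharedKeyAccess to false')) {
            # Switch to the account's subscription before changing it.
            Set-AzContext -SubscriptionId $Account.subscriptionId | Out-Null
            Set-AzStorageAccount -ResourceGroupName $Account.resourceGroup `
                                 -Name $Account.name `
                                 -AllowSharedKeyAccess $false | Out-Null
        }
    }
}

# Step 1: review the findings. Any client (or Azure service) that still
# authorizes with the account key will break once Shared Key is disabled,
# so check the account's request logs for key-based traffic first.
$findings = Get-SharedKeyEnabledStorageAccounts
$findings | Format-Table subscriptionId, resourceGroup, name, allowSharedKeyAccess

# Step 2 (opt-in): preview the change, then run again without -WhatIf.
$findings | Disable-SharedKeyAccess -WhatIf
```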

[Share] Change how an #Azure #storageaccount is replicated! How to change the replication setting(s) for an existing storage account, e.g. change LRS to ZRS, without opening a Microsoft Support case!
https://learn.microsoft.com/azure/storage/common/redundancy-migration?tabs=portal&WT.mc_id=AZ-MVP-5004796#replication-change-table
Change how a storage account is replicated - Azure Storage

Learn how to change how data in an existing storage account is replicated.