FAQ Series_101 — Azure Data Lake Store Gen2 (ADLS Gen2)
In this post I will try to cover the security control FAQ for Azure Data Lake Gen2 (ADLS Gen2).
1. How do I set up Authentication for ADLS Gen2?
ADLS Gen2 supports 3 Authentication types -
I. Key based (storage account shared key)
II. Shared Access Signature (SAS) key
III. Using Azure Active Directory (AAD)
2. How do I set up Authorization in ADLS Gen2?
I. Using coarse-grained access control with Azure roles, e.g. Azure Blob Reader, Azure Blob Contributor / Owner.
II. Using a SAS key — specify permissions on the Service, Container or Object while creating the SAS key.
III. Using ACLs on folders / objects — POSIX-based access control lists on individual directories / files.
3. How do I prevent anonymous access to the container?
By default anonymous access is prohibited, but it can be configured (enabled) per container in the portal.
4. Is it possible to allow time-bound access to users?
Yes. Use SAS keys, which allow access to a specific account / container only for the specified time period. You can also set the recommended upper limit for the expiry of SAS tokens created for a given storage account using the 'Configuration' blade; refer this
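To make the time-bound part concrete, here is an added example (not code from the original post) that derives an account SAS with only the Python standard library and then checks it the way the service would: recompute the HMAC-SHA256 signature, check the start / expiry window, and apply a maximum-lifetime policy like the upper limit mentioned above. It assumes the published account-SAS string-to-sign layout for service version 2019-12-12; the account name and key are constructed dummies.

```python
# Added example (not from the original post): deriving and checking a time-bound
# account SAS with only the Python standard library. The string-to-sign follows
# the published account-SAS layout for service version 2019-12-12 (assumption:
# that layout is reproduced correctly here); account name and key are constructed.
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

ACCOUNT = "examplelake"                              # constructed account name
KEY_B64 = base64.b64encode(b"\x01" * 64).decode()    # constructed dummy key, never a real one
VERSION = "2019-12-12"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _string_to_sign(p):
    # Account SAS fields in spec order; the string ends with a trailing newline.
    return "\n".join([
        ACCOUNT, p["sp"], p["ss"], p["srt"], p.get("st", ""), p["se"],
        p.get("sip", ""), p["spr"], p["sv"], "",
    ])


def _signature(p, key_b64):
    # HMAC-SHA256 over the UTF-8 string-to-sign, keyed with the decoded account key
    mac = hmac.new(base64.b64decode(key_b64), _string_to_sign(p).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_account_sas(key_b64, permissions="rl", hours=1, now=None, ip_range=None):
    """Build a read/list, HTTPS-only account SAS that expires after `hours`."""
    now = now or datetime.now(timezone.utc)
    p = {
        "sv": VERSION,
        "ss": "b",      # blob service only (ADLS Gen2 sits on blob storage)
        "srt": "sco",   # service, container and object level operations
        "sp": permissions,
        "st": (now - timedelta(minutes=5)).strftime(TIME_FMT),  # tolerate clock skew
        "se": (now + timedelta(hours=hours)).strftime(TIME_FMT),
        "spr": "https",
    }
    if ip_range:
        p["sip"] = ip_range  # optional caller IP restriction
    p["sig"] = _signature(p, key_b64)
    return urlencode(p)


def verify_account_sas(token, key_b64, now=None, max_lifetime_hours=24):
    """Recompute the signature, then check the validity window and a lifetime policy.
    Returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    p = {k: v[0] for k, v in parse_qs(token).items()}
    if not hmac.compare_digest(_signature(p, key_b64), p.get("sig", "")):
        return False, "signature mismatch (tampered token or wrong key)"
    start = datetime.strptime(p["st"], TIME_FMT).replace(tzinfo=timezone.utc) if "st" in p else now
    expiry = datetime.strptime(p["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if expiry - start > timedelta(hours=max_lifetime_hours):
        return False, "lifetime exceeds policy"
    if now < start:
        return False, "not yet valid"
    if now >= expiry:
        return False, "expired"
    return True, "valid"


if __name__ == "__main__":
    tok = make_account_sas(KEY_B64, hours=2)
    print(tok)
    print(verify_account_sas(tok, KEY_B64))
```

The point for a defender is the last function: a token's expiry is inside the signed string, so changing `se` without the account key breaks the signature, and a token signed with a long lifetime can still be rejected by your own policy check before it is handed out.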
5. Is it possible to provide read-only access to a Blob without using SAS keys?
Yes. Users can be authenticated using AAD and authorized using ACLs set on individual files / directories, as mentioned here
6. Is it possible to restrict users from downloading files without using SAS keys?
Yes. Please refer to ACLs: a user who has not been granted read permission on a file cannot download it.
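The ACL answers in questions 2 (III), 5 and 6 all rest on the same evaluation rules, so here is one added example (not code from the original post) that models them: parse the short ACL form ADLS Gen2 uses, evaluate owner / named user / group / other entries under the mask, and require execute on every parent directory before read on the file. The evaluation order is assumed to follow the documented POSIX-style rules; the object IDs, group names and paths are constructed.

```python
# Added example (not part of the original post): a small model of ADLS Gen2 access
# ACL evaluation, to show why a user without read permission on a file cannot
# download it and why execute is needed on every parent directory.
# Assumptions: the evaluation order follows the documented POSIX-style rules
# (owner, named user, owning/named groups under the mask, then other); the
# object IDs, group names and paths below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    oid: str                         # Azure AD object id of the caller (constructed)
    groups: frozenset = frozenset()  # group object ids the caller belongs to


def parse_acl(acl_text):
    """Parse the short ACL form, e.g.
    'user::rwx,group::r-x,other::---,user:<oid>:r--,mask::rwx'.
    Default entries ('default:...') shape new children only and are skipped here."""
    entries = []
    for item in acl_text.split(","):
        item = item.strip()
        if item.startswith("default:"):
            continue
        kind, qualifier, perms = item.split(":")
        entries.append((kind, qualifier, perms))
    return entries


def has_permission(acl_text, principal, owner_oid, owning_group, bit):
    """Does `principal` hold permission `bit` ('r', 'w' or 'x') on one object?"""
    entries = parse_acl(acl_text)
    mask = next((p for k, q, p in entries if k == "mask"), "rwx")
    # 1. owning user: the owner entry applies and the mask does not
    if principal.oid == owner_oid:
        return bit in next(p for k, q, p in entries if k == "user" and q == "")
    # 2. named user entry, limited by the mask
    named = next((p for k, q, p in entries if k == "user" and q == principal.oid), None)
    if named is not None:
        return bit in named and bit in mask
    # 3. owning group and named groups: any matching entry may grant, under the mask
    group_perms = [
        p for k, q, p in entries if k == "group"
        and ((q == "" and owning_group in principal.groups) or (q != "" and q in principal.groups))
    ]
    if group_perms:
        return any(bit in p and bit in mask for p in group_perms)
    # 4. everyone else
    return bit in next(p for k, q, p in entries if k == "other")


def ancestors(path):
    """Yield '/', then each parent directory of `path`, top down."""
    parts = [s for s in path.split("/") if s]
    yield "/"
    for i in range(1, len(parts)):
        yield "/" + "/".join(parts[:i])


def can_read(fs, principal, path):
    """Reading (downloading) a file needs 'x' on every parent and 'r' on the file."""
    for d in ancestors(path):
        owner, group, acl = fs[d]
        if not has_permission(acl, principal, owner, group, "x"):
            return False, f"no execute (traverse) on {d}"
    owner, group, acl = fs[path]
    if not has_permission(acl, principal, owner, group, "r"):
        return False, f"no read on {path}"
    return True, "allowed"


# Constructed file system: path -> (owner oid, owning group, access ACL)
FS = {
    "/": ("owner-oid", "data-eng", "user::rwx,group::r-x,other::---,user:alice-oid:--x,mask::rwx"),
    "/raw": ("owner-oid", "data-eng", "user::rwx,group::r-x,other::---,user:alice-oid:--x,mask::rwx"),
    "/raw/sales.csv": ("owner-oid", "data-eng",
                       "user::rw-,group::r--,other::---,user:alice-oid:r--,mask::rwx"),
}
ALICE = Principal("alice-oid")                            # named-user entries only
BOB = Principal("bob-oid")                                # no entries at all
CAROL = Principal("carol-oid", frozenset({"data-eng"}))  # member of the owning group

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who.oid, can_read(FS, who, "/raw/sales.csv"))
```

Two things the model makes visible: a named-user entry of `r--` on the file is useless unless the user also has `--x` on `/` and `/raw`, and a mask of `-wx` silently removes read from every named-user and group entry even though the entries themselves still say `r`.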
7. How do I protect my container or data from accidental deletion?
Enable soft delete for blobs and for containers; it keeps accidentally deleted data for 7 days by default, and the default retention period can be changed. Refer to more details here
8. Is version control available for an ADLS Gen2 account?
No. Version control is not available for ADLS Gen2 accounts at the time of writing this FAQ.
9. Is it possible to encrypt data at rest and in transit?
Yes. ADLS Gen2 APIs use Transport Layer Security (TLS 1.2) in transit, and data at rest is encrypted using either Microsoft-managed or customer-managed keys. Infrastructure encryption can also be enabled, which gives double encryption of the data.
10. Can I access Storage / ADLS Gen2 using a Private Endpoint?
Yes. Please refer to this link for configuring a private endpoint and disabling internet access to your storage account
11. Is it possible to restrict access to ADLS Gen2 from a specific network?
Yes. Choose the selected-networks option under "Firewalls and virtual networks" in the Networking blade. You can also specify IP ranges to restrict access.
12. How do I protect my storage account from malicious attacks?
Use Azure Defender, which can detect unusual and potentially harmful attempts to access or exploit your storage accounts. Please refer to this link on how to configure Defender for Azure Storage
13. What operations are analyzed by Azure Defender?
Azure Defender analyzes various Azure Storage operation types, such as Get Blob, Put Blob, Get Container ACL, List Blobs, and Get Blob Properties. Examples of analyzed Azure Files operation types include Get File, Create File, List Files, Get File Properties, and Put Range.
14. Can I configure an alert in case of malicious attacks on my Storage?
Yes. You can configure various alert events as mentioned here, e.g.:
I. Access from a suspicious application
II. Access from a suspicious IP address
III. Phishing content hosted on a storage account
IV. Storage account identified as source for distribution of malware
V. Storage account with potentially sensitive data has been detected with a publicly exposed container, etc.
15. Is it possible to audit the access to my Storage?
Yes. Enable diagnostic logging, which records the audit events in the destination of your choice, e.g. Event Hubs or a Log Analytics workspace. It provides details of the caller (IP address), the authorization used, and the read and write transactions performed on Azure Storage.
Refer this
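Once the diagnostic logs are flowing, the audit data in question 15 is also what backs the alert scenarios in question 14. As an added example (not code from the original post), the script below reads exported records and flags three things a reviewer would want to see: successful anonymous reads, requests authorized with the shared account key instead of AAD, and repeated authentication failures from one address. The records are constructed; the field names (operationName, statusCode, callerIpAddress, identity.type, uri) are assumed to follow the resource-log JSON layout that diagnostic settings export.

```python
# Added example (not from the original post): triaging exported Azure Storage
# diagnostic log records. The records below are constructed; the field names
# (operationName, statusCode, callerIpAddress, identity.type, uri) are assumed
# to follow the resource-log JSON layout that diagnostic settings export.
import json
from collections import Counter

# Constructed sample: one JSON record per line, as delivered to Event Hubs / blob
SAMPLE_LOG = """\
{"time":"2024-01-01T10:00:00Z","operationName":"GetBlob","statusCode":200,"statusText":"Success","callerIpAddress":"10.0.0.5:51234","identity":{"type":"OAuth"},"uri":"https://examplelake.blob.core.windows.net/raw/sales.csv"}
{"time":"2024-01-01T10:00:07Z","operationName":"GetBlob","statusCode":200,"statusText":"Success","callerIpAddress":"203.0.113.7:44010","identity":{"type":"Anonymous"},"uri":"https://examplelake.blob.core.windows.net/public/report.pdf"}
{"time":"2024-01-01T10:01:00Z","operationName":"ListBlobs","statusCode":403,"statusText":"AuthenticationFailed","callerIpAddress":"198.51.100.9:3122","identity":{"type":"SAS"},"uri":"https://examplelake.blob.core.windows.net/raw?restype=container&comp=list"}
{"time":"2024-01-01T10:01:02Z","operationName":"ListBlobs","statusCode":403,"statusText":"AuthenticationFailed","callerIpAddress":"198.51.100.9:3123","identity":{"type":"SAS"},"uri":"https://examplelake.blob.core.windows.net/raw?restype=container&comp=list"}
{"time":"2024-01-01T10:01:05Z","operationName":"GetBlob","statusCode":403,"statusText":"AuthenticationFailed","callerIpAddress":"198.51.100.9:3124","identity":{"type":"SAS"},"uri":"https://examplelake.blob.core.windows.net/raw/sales.csv"}
{"time":"2024-01-01T10:02:00Z","operationName":"PutBlob","statusCode":201,"statusText":"Success","callerIpAddress":"10.0.0.8:50001","identity":{"type":"AccountKey"},"uri":"https://examplelake.blob.core.windows.net/raw/new.csv"}
"""


def parse_records(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def caller_ip(record):
    """callerIpAddress carries 'ip:port'; keep only the address."""
    return record.get("callerIpAddress", "").rsplit(":", 1)[0]


def triage(records, failure_threshold=3):
    """Return (kind, ip, detail) findings worth a look:
    - successful anonymous reads (a container allows public access)
    - shared-key usage (bypasses AAD identity and ACLs)
    - repeated authentication failures from one address"""
    findings = []
    failures = Counter()
    for r in records:
        auth = r.get("identity", {}).get("type", "Unknown")
        ip = caller_ip(r)
        status = int(r.get("statusCode", 0))
        if auth == "Anonymous" and 200 <= status < 300:
            findings.append(("anonymous_success", ip, r.get("uri", "")))
        if auth == "AccountKey":
            findings.append(("account_key_used", ip, r.get("operationName", "")))
        if status in (401, 403):
            failures[ip] += 1
    for ip, count in failures.items():
        if count >= failure_threshold:
            findings.append(("auth_failure_burst", ip, count))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_records(SAMPLE_LOG)):
        print(finding)
```

The same three rules translate directly into Log Analytics queries once the logs land in a workspace; the script is just the offline form of them, and the threshold is a parameter because what counts as a burst depends on the account's normal traffic.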
16. Is it possible to generate alerts on egress / number of transactions / capacity?
Yes. Please use the Alerts tab present in the Storage account.
17. What configuration is required in an on-premises firewall or proxy to access Azure Storage using Storage Explorer?
Please refer to this link for the list of URLs and ports to be allowed in the on-premises firewall or proxy
Note: Feedback is always Welcome :-)