Revoking Access to Azure Storage Account | AZ-500 Exam Solution

Revoking Access to Azure Storage Account

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named sub1.

You have an Azure Storage account named sa1 in a resource group named RG1.

Users and applications access the blob service and the file service in sa1 by using several shared access signatures (SASs) and stored access policies.

You discover that unauthorized users accessed both the file service and the blob service.

You need to revoke all access to sa1.

Solution: You create a lock on sa1.

Does this meet the goal?

Answers

Explanations


B

To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately affects all of the shared access signatures associated with it.

https://docs.microsoft.com/en-us/rest/api/storageservices/Establishing-a-Stored-Access-Policy

No, creating a lock on the Azure Storage account named sa1 will not meet the goal of revoking all access to sa1.

Locks in Azure are used to prevent accidental or unauthorized changes to Azure resources, such as deleting or modifying a resource. A lock can be applied at the subscription, resource group, or resource level. However, a lock only restricts management operations on the resource; it does not affect the permissions or data-plane access to the resource, so existing SAS tokens and stored access policies continue to work.

To revoke all access to the Azure Storage account named sa1, you need to perform the following steps:

  1. Revoke all existing shared access signatures (SASs) and delete all stored access policies that provide access to the blob service and file service in sa1.

  2. Ensure that no application or user has access to sa1 by reviewing and updating the access control list (ACL) for the storage account.

  3. Consider enabling Azure Private Link for the storage account to ensure that access is only available over a private endpoint.

  4. Monitor access to the storage account using Azure Monitor and implement alerting to detect any unauthorized access.

Note that revoking access to a storage account can have significant impacts on the applications and services that depend on it. Ensure that you communicate the changes to relevant stakeholders and test the changes before implementing them in a production environment.
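The four steps above, carried out for the SAS-related part (steps 1 and the revocation half of 2), as an added PowerShell example that is not part of the original question or answer. It assumes the Az.Accounts and Az.Storage modules, an already authenticated session with rights on RG1 and sa1, and that the account keys have not been disabled. Stored access policies are deleted first, then both account keys are regenerated, because ad hoc and account SAS tokens are signed with a key and can only be invalidated by rotating it.

```powershell
# Added example, not the page's own code. Assumes Connect-AzAccount has already
# been run and that the caller may list/modify sa1 in RG1.
$resourceGroup = 'RG1'
$accountName   = 'sa1'

$account = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $accountName
$ctx = $account.Context   # key-authenticated data-plane context

# Step 1a: delete every stored access policy on every blob container. A service
# SAS that references a policy stops validating as soon as the policy is gone.
foreach ($container in Get-AzStorageContainer -Context $ctx) {
    $policies = Get-AzStorageContainerStoredAccessPolicy -Container $container.Name -Context $ctx
    foreach ($p in $policies) {
        Write-Host "Removing blob policy '$($p.Policy)' from container '$($container.Name)'"
        Remove-AzStorageContainerStoredAccessPolicy -Container $container.Name -Policy $p.Policy -Context $ctx
    }
}

# Step 1b: the same for every file share.
foreach ($share in Get-AzStorageShare -Context $ctx) {
    $policies = Get-AzStorageShareStoredAccessPolicy -ShareName $share.Name -Context $ctx
    foreach ($p in $policies) {
        Write-Host "Removing share policy '$($p.Policy)' from share '$($share.Name)'"
        Remove-AzStorageShareStoredAccessPolicy -ShareName $share.Name -Policy $p.Policy -Context $ctx
    }
}

# Step 1c: ad hoc SAS tokens (no stored policy) and account SAS tokens are signed
# with an account key, so they are only invalidated by regenerating the keys.
# Done last, because $ctx itself is key-based and would stop working afterwards.
foreach ($keyName in 'key1', 'key2') {
    Write-Host "Regenerating $keyName on $accountName"
    New-AzStorageAccountKey -ResourceGroupName $resourceGroup -Name $accountName -KeyName $keyName | Out-Null
}
```

Applications that hold a SAS or a key must be re-issued credentials afterwards, which is why the note above about stakeholder communication matters.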