Category: Azure

Private Endpoint support for Malware Scanning in Defender for Storage

Hi!

I wanted to inform you that Private Endpoint support is now available as part of the Malware Scanning public preview in Defender for Storage. If you’re unfamiliar with the Malware Scanning feature in Defender for Storage, I highly recommend reading this informative blog post.

This capability allows you to enable Malware Scanning on storage accounts that use private endpoints. With private endpoints, clients reach your Azure Storage services over a private connection, so the account does not have to be exposed to the public internet. This aligns with the best practices for safeguarding your data.

If you already have Malware Scanning enabled on storage accounts with private endpoints, it’s important to note that you will need to disable and re-enable the plan with Malware Scanning for this new feature to work seamlessly.

Maxime.

AKS | Operation Abort

Hi!

AKS now supports aborting a long-running operation. The abort operation supports the following scenarios:

  • If a long running operation is stuck or suspected to be in a bad state or failing, the operation can be aborted provided it’s the last running operation on the Managed Cluster or agent pool.
  • If a long running operation is stuck or failing, that operation can be aborted.
  • An operation that was triggered in error can be aborted as long as the operation doesn’t reach a terminal state first.

The following example terminates an operation on a node pool on a specified cluster:

az aks nodepool operation-abort --resource-group myResourceGroup --cluster-name myAKSCluster --name myNodePool

The following example terminates an operation on a specified cluster:

az aks operation-abort --name myAKSCluster --resource-group myResourceGroup

Reference: https://learn.microsoft.com/en-us/azure/aks/manage-abort-operations

Maxime.

AKV | Access Configuration Update

Hi!

Azure Key Vault offers two authorization systems: Azure role-based access control (Azure RBAC), which operates on the management plane, and the access policy model, which operates on both the management plane and the data plane.

  • Azure RBAC is built on Azure Resource Manager and provides fine-grained access management of Azure resources. With Azure RBAC you control access to resources by creating role assignments, which consist of three elements: a security principal, a role definition (predefined set of permissions), and a scope (group of resources or individual resource). 
  • The access policy model, on the other hand, is an existing authorization system built in Key Vault to provide access to keys, secrets, and certificates. You can control access by assigning individual permissions to security principals (user, group, service principal, managed identity) at Key Vault scope.

Azure RBAC offers several advantages over access policies:

  • A unified access control model for Azure resources – it uses the same API across Azure services
  • Centralized access management for administrators – manage all Azure resources in one view
  • Integration with Privileged Identity Management for time-based access control
  • Deny assignments – ability to exclude security principals at a particular scope
  • More stringent permissions – managing access for users and service principals requires the Owner or User Access Administrator role

Azure RBAC is now the recommended authorization system for the Azure Key Vault data plane.

Maxime.
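The following Bicep template is an added example, not code from Maxime's post or from Microsoft. It places the two authorization models side by side: a vault that still relies on per-vault access policies, and a vault with enableRbacAuthorization set to true where a single built-in data-plane role is granted to a workload identity through a role assignment. Vault names, the location parameter and the two principal object ids are placeholders; the role definition id is the id of the built-in "Key Vault Secrets User" role.

```bicep
// Added example (not from the original post): the access policy model next to
// the Azure RBAC model on Azure Key Vault. Names and principal ids are placeholders.

@description('Object id of the workload identity that needs to read secrets (placeholder).')
param appPrincipalId string

@description('Object id of a principal that was granted a broad access policy on the legacy vault (placeholder).')
param legacyAdminPrincipalId string

param location string = resourceGroup().location

// 1) Access policy model: each grant is an entry in the vault's own accessPolicies list,
//    evaluated only by Key Vault and invisible to Azure RBAC tooling.
resource legacyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: 'kv-legacy-example'
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: subscription().tenantId
    enableRbacAuthorization: false
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: legacyAdminPrincipalId
        permissions: {
          secrets: [
            'get'
            'list'
            'set'
            'delete'
          ]
        }
      }
    ]
  }
}

// 2) Azure RBAC model: with enableRbacAuthorization true the vault ignores accessPolicies
//    and data-plane access is decided by role assignments at the vault scope (or above).
resource rbacVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: 'kv-rbac-example'
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: subscription().tenantId
    enableRbacAuthorization: true
    // Recovery hardening that pairs well with the switch; purge protection cannot be turned off again.
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true
  }
}

// Built-in 'Key Vault Secrets User' role: read secret contents, nothing else.
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

// Least-privilege grant: the workload can read secrets in this one vault and cannot
// list or change access, which under the access policy model came bundled together.
resource appSecretsReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(rbacVault.id, appPrincipalId, keyVaultSecretsUserRoleId)
  scope: rbacVault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: appPrincipalId
    principalType: 'ServicePrincipal'
  }
}
```

Deploying the role assignment requires the deploying identity to hold Owner or User Access Administrator on the vault's scope, which is the "more stringent permissions" point above: a principal that can merely manage the vault resource can no longer hand out data-plane access to itself. When switching an existing vault to enableRbacAuthorization: true, create the equivalent role assignments first, since the existing access policies stop being honoured the moment the flag flips.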