Resource Group: i2brokeraudit-rg-prod
Overview
The resource group i2brokeraudit-rg-prod houses a set of Azure resources designed to manage and store sensitive data securely. This setup primarily uses Azure Storage Accounts for data storage and Azure Key Vault for managing keys and secrets. The configuration focuses on ensuring accessibility while maintaining a high level of security for stored secrets and access credentials.
Resources
1. Key Vault
- Type: Microsoft.KeyVault/vaults
- Name: i2databroker-prod-kv
- Location: Central US
- Properties:
  - Public Network Access: Enabled, allowing access from the public internet.
  - Soft Delete: Enabled with a retention period of 90 days, allowing recovery of deleted secrets.
  - Access Policies: Multiple access policies are defined, allowing specific users and applications to get, list and set secrets. Notably, permissions range from basic (Get and List on secrets) to full control over certificates, keys, and secrets.
2. Storage Account
- Type: Microsoft.Storage/storageAccounts
- Name: i2brokerauditstorageprod
- Location: Central US
- Properties:
  - SKU: Standard Locally Redundant Storage (LRS), a replication model that provides resiliency within a single region.
  - Access Tier: Hot, suitable for data that is accessed frequently.
  - Network ACLs: Default action set to Allow, meaning there are no restrictions on access from Azure services or the public internet.
  - Public Access: Allowed for blobs, indicating potential exposure to the internet.
3. Secrets within Key Vault
- Type: Microsoft.KeyVault/vaults/secrets
- Name: svc-importer-prod-password
- Depends On: i2databroker-prod-kv
- Properties:
  - Enabled: True, so the secret can be retrieved by the applications that require it.
4. Blob Service
- Type: Microsoft.Storage/storageAccounts/blobServices
- Name: default (associated with i2brokerauditstorageprod)
- Depends On: i2brokerauditstorageprod
- Properties:
  - Change Feed: Enabled, which allows tracking of changes made to the blobs.
  - Versioning: Enabled, allowing recovery of previous versions of blobs.
5. File Service
- Type: Microsoft.Storage/storageAccounts/fileServices
- Name: default (associated with i2brokerauditstorageprod)
- Depends On: i2brokerauditstorageprod
- Properties:
  - Share Delete Retention Policy: Enabled with a retention of 7 days, providing a grace period for recovery of deleted shares.
6. Queue Service
- Type: Microsoft.Storage/storageAccounts/queueServices
- Name: default (associated with i2brokerauditstorageprod)
- Depends On: i2brokerauditstorageprod
- Properties:
  - Default configuration for managing queue messages; no additional properties are set.
7. Table Service
- Type: Microsoft.Storage/storageAccounts/tableServices
- Name: default (associated with i2brokerauditstorageprod)
- Depends On: i2brokerauditstorageprod
- Properties:
  - Default service for managing structured data stored in table format; no additional properties are set.
Data Storage
Data storage within this resource group is primarily provided by the storage account i2brokerauditstorageprod. It uses the Blob, File, Queue, and Table services to store various types of data.
- Blob Storage: Utilized for unstructured data. The change feed and versioning settings enhance data recovery options.
- File Storage: Used for sharing files and managing file shares.
- Queue Storage: Manages message queues to decouple application components.
- Table Storage: Stores structured data; integration may occur through the various Azure services.
Networking
The template does not explicitly define a virtual network or any subnet configurations. However, important points include:
- Public Network Access for Key Vault: Since public access is enabled, there is a risk of unauthorized access if not properly secured with strong authentication.
- Network ACLs within Storage Account: The default action is Allow and public access to blobs is enabled, so restricting network access and blob public access is crucial to safeguard sensitive data.
Security Overview
- Azure Key Vault Security: The access policies defined within the Key Vault should be periodically reviewed to ensure that unnecessary rights are not granted to users or applications. Only grant "Get" and "List" permissions where absolutely necessary.
- Soft Delete Feature: Leveraging this feature ensures recovery options for deleted secrets, enhancing data recovery strategies.
- Public Access Configuration: The public access settings in both the Key Vault and Storage Account pose potential vulnerabilities. It is advisable to limit public access and use virtual network rules where feasible to restrict access to trusted networks only.
- Monitoring and Logging: Enable diagnostic logging and alerting to keep track of access to, and modifications of, both the Key Vault and the Storage Account.
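The exposure points named in the Networking and Security Overview sections (Key Vault public network access, the storage account's network ACL default action and blob public access, and over-broad access policies) can be checked offline against the ARM template before deployment. The following is an added example, not code from the page or from the Azure Assistants script; the template fragment it parses is constructed here from the settings this page describes (resource names are the page's, the access-policy object IDs are placeholders), and the property names used are the standard ARM properties for these resource types.

```python
import copy
import json

# Constructed ARM template fragment (assumption): mirrors the settings this page
# reports for the Key Vault and the storage account. The objectId values are
# placeholders, not values taken from the page.
TEMPLATE_JSON = """
{
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "name": "i2databroker-prod-kv",
      "properties": {
        "publicNetworkAccess": "Enabled",
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 90,
        "accessPolicies": [
          {"objectId": "PLACEHOLDER-APP-OBJECT-ID",
           "permissions": {"secrets": ["get", "list"]}},
          {"objectId": "PLACEHOLDER-ADMIN-OBJECT-ID",
           "permissions": {"secrets": ["all"], "keys": ["all"], "certificates": ["all"]}}
        ]
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "i2brokerauditstorageprod",
      "properties": {
        "allowBlobPublicAccess": true,
        "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"}
      }
    }
  ]
}
"""

# Permission values that grant far more than Get/List on a Key Vault object type.
BROAD_PERMISSIONS = {"all", "purge"}


def load_template():
    """Parse the constructed template into a dict."""
    return json.loads(TEMPLATE_JSON)


def audit_template(template):
    """Return (resource, setting, current, recommended) tuples for exposure findings."""
    findings = []
    for res in template.get("resources", []):
        rtype, name = res.get("type"), res.get("name")
        props = res.get("properties", {})
        if rtype == "Microsoft.KeyVault/vaults":
            # An absent publicNetworkAccess property behaves as Enabled.
            if str(props.get("publicNetworkAccess", "Enabled")).lower() == "enabled":
                findings.append((name, "publicNetworkAccess", "Enabled",
                                 "Disabled (reach the vault via private endpoint or firewall rules)"))
            for policy in props.get("accessPolicies", []):
                perms = policy.get("permissions", {})
                broad = sorted(obj for obj, verbs in perms.items()
                               if BROAD_PERMISSIONS & {v.lower() for v in verbs})
                if broad:
                    findings.append((name, f"accessPolicies[{policy.get('objectId')}]",
                                     "all/purge on " + ", ".join(broad),
                                     "least-privilege verbs only (e.g. get, list)"))
        elif rtype == "Microsoft.Storage/storageAccounts":
            # Only an explicit false is safe; missing or true both leave blobs exposable.
            if props.get("allowBlobPublicAccess") is not False:
                findings.append((name, "allowBlobPublicAccess",
                                 str(props.get("allowBlobPublicAccess")), "false"))
            acls = props.get("networkAcls", {})
            if str(acls.get("defaultAction", "Allow")).lower() == "allow":
                findings.append((name, "networkAcls.defaultAction", "Allow",
                                 "Deny (then add virtualNetworkRules / ipRules for trusted networks)"))
    return findings


def harden_network_settings(template):
    """Return a copy with the network-exposure settings corrected.

    Access policies are deliberately left alone: trimming them needs a human
    decision about which identities really need which verbs.
    """
    hardened = copy.deepcopy(template)
    for res in hardened.get("resources", []):
        props = res.setdefault("properties", {})
        if res.get("type") == "Microsoft.KeyVault/vaults":
            props["publicNetworkAccess"] = "Disabled"
        elif res.get("type") == "Microsoft.Storage/storageAccounts":
            props["allowBlobPublicAccess"] = False
            props.setdefault("networkAcls", {})["defaultAction"] = "Deny"
    return hardened


if __name__ == "__main__":
    template = load_template()
    for resource, setting, current, recommended in audit_template(template):
        print(f"{resource}: {setting} = {current} -> recommend {recommended}")
    print("after hardening:", audit_template(harden_network_settings(template)))
```

Run against the constructed template, the audit reports four findings (vault public access, one over-broad access policy, blob public access, and the Allow default action); after `harden_network_settings` only the access-policy finding remains, which is the review the Security Overview asks for.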
Other Information
- Cost Management: Using Hot storage tiers and enabling replication will incur higher costs. Optimize by reviewing data access patterns and applying the appropriate access tiers.
- Scalability: The architecture allows for scalability as more services can be independently deployed, with minimal impact on existing infrastructure.
- Compliance Considerations: Ensure that the configurations adhere to organizational compliance and regulatory requirements, particularly related to data protection and access control.
Overall, managing this resource group effectively requires careful attention to its security configurations and periodic reviews of access permissions, public access settings, and proper use of Azure resources to prevent inadvertent data exposure.
Note: This document was generated using the Azure Assistants script and an LLM