Tracking file access time in Azure Storage

PS 396 Reputation points
2024-05-21T14:22:55.8666667+00:00

All,

I will be providing storage access (Account Kind - StorageV2, general purpose v2) to an external vendor using an SAS Token. I want to track and capture when the files are accessed by the external vendor. Is there a way to achieve this, either through a custom solution or an out-of-the-box feature from Azure?

Any advice would be appreciated. Thank you.

Thank you!


Accepted answer
  1. Amrinder Singh 3,795 Reputation points Microsoft Employee
    2024-05-21T14:35:14.3633333+00:00

    Hi PS - Thanks for reaching out.

    In general, if you want to track the last access time of the blob, you can enable the last access time tracking feature on the account level.

    https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal#optionally-enable-access-time-tracking

    Once enabled, and you try to check the properties, this shall provide you the last access time of the blob.

    Moving ahead, in order to track operation on the storage account, you can rely on the storage diagnostic logging. Since you will be using the SAS token, it won't be logging any user specific details and only log SAS as the authentication scheme. You can narrow down the search based on user agent, client IP and request URL (blob name).

    https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal

    https://learn.microsoft.com/en-us/azure/storage/blobs/blob-storage-monitoring-scenarios

    Below is a sample blog for reference on the concept. You can implement the same with the newer diagnostic logging as well.

    https://techcommunity.microsoft.com/t5/azure-paas-blog/leveraging-storage-analytics-logs-to-analyze-who-accessed-the/ba-p/2173539

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.


1 additional answer

  1. TP 82,241 Reputation points
    2024-05-21T15:15:46.35+00:00

    Hi,

    Yes, you can do this using a combination of User delegation SAS and diagnostic logging. By using a user delegation SAS instead of an Account key SAS you will be able to query the log to see what the vendor downloaded along with date/time, since their corresponding principal id will be in each entry.

    I would need to know a little bit more of how you prefer the process to work for generating the SAS key before giving precise steps. For example, do you want to generate the SAS key on your end and send it to the vendor via some method? Or would you like vendor to sign-in to a web page, and then generate SAS and download file themselves? The second method is more secure.

    -TP
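The following is an added example for this thread, not code from Microsoft or from either answer. It shows in Python what both answers describe: triaging Azure Storage resource logs (StorageBlobLogs) for vendor reads of a container, narrowing by operation, client IP, user agent and blob URL where the request was authenticated with an account-key SAS (the log then carries no identity at all, only "SAS" as the authentication type), and reading the signing principal from the record where a user delegation SAS was used. The field names follow the StorageBlobLogs resource-log schema (OperationName, AuthenticationType, StatusCode, Uri, CallerIpAddress, UserAgentHeader, RequesterObjectId, RequesterUpn); the "DelegationSas" authentication type and the principal fields being populated for it are taken from that schema. All log records are constructed sample data, and the storage account name, container name "vendor-drop", addresses, user agents and principal values are invented for illustration.

```python
"""Triage Azure Storage resource logs (StorageBlobLogs) for vendor blob reads.

Added example for this Q&A thread; not code from Microsoft or either answer.
Field names follow the StorageBlobLogs schema; every record is constructed.
"""
import json
from collections import Counter, defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit


def _rec(time, op, auth, status, path, ip, ua, oid="", upn=""):
    """Build one constructed log line using the StorageBlobLogs field names."""
    return json.dumps({
        "TimeGenerated": time, "OperationName": op, "AuthenticationType": auth,
        "StatusCode": status,
        # Real Uri values carry the full SAS query string; signature redacted here.
        "Uri": f"https://contoso.blob.core.windows.net/{path}?sv=2023-11-03&sig=REDACTED",
        "CallerIpAddress": ip, "UserAgentHeader": ua,
        "RequesterObjectId": oid, "RequesterUpn": upn})


# Constructed sample records (hostname, IPs, agents and principals are made up).
SAMPLE_LOG_LINES = [
    # vendor download via account-key SAS: the log carries no identity at all
    _rec("2024-05-21T15:01:02Z", "GetBlob", "SAS", 200, "vendor-drop/report.csv",
         "203.0.113.10:51234", "AzCopy/10.22.0"),
    # vendor download via user delegation SAS: the signing principal is recorded
    _rec("2024-05-21T15:03:40Z", "GetBlob", "DelegationSas", 200,
         "vendor-drop/invoice-april.pdf", "203.0.113.10:51240", "Mozilla/5.0",
         "6f0e1f4b-2f1a-4d7e-9a2b-0c1d2e3f4a5b", "vendor.user@example.com"),
    # our own upload with the account key: not a vendor access
    _rec("2024-05-21T14:50:11Z", "PutBlob", "AccountKey", 201, "vendor-drop/report.csv",
         "198.51.100.7:44010", "Azure-Storage/12.19.0"),
    # rejected request: bad or expired SAS from an unexpected address
    _rec("2024-05-21T15:10:05Z", "GetBlob", "SAS", 403, "vendor-drop/report.csv",
         "192.0.2.55:60001", "python-requests/2.31.0"),
    # metadata probe, not a content read
    _rec("2024-05-21T15:11:30Z", "GetBlobProperties", "SAS", 200,
         "vendor-drop/report.csv", "203.0.113.10:51250", "AzCopy/10.22.0"),
    # SAS read of a different container: outside the vendor scope
    _rec("2024-05-21T15:12:00Z", "GetBlob", "SAS", 200, "internal/config.json",
         "198.51.100.7:44020", "Azure-Storage/12.19.0"),
]

READ_OPS = {"GetBlob"}              # operations that transfer blob content
SAS_AUTH = {"SAS", "DelegationSas"}  # account-key SAS vs. user delegation SAS


@dataclass(frozen=True)
class BlobAccess:
    time: str
    operation: str
    auth_type: str
    status: int
    container: str
    blob: str
    client_ip: str
    user_agent: str
    oid: str   # empty for account-key SAS: nothing identifies the caller
    upn: str


def parse_records(lines):
    """Parse JSON-lines StorageBlobLogs records into BlobAccess objects."""
    out = []
    for line in lines:
        rec = json.loads(line)
        # urlsplit().path drops the SAS query string, so tokens never end up in reports
        container, _, blob = urlsplit(rec["Uri"]).path.lstrip("/").partition("/")
        # CallerIpAddress is "ip:port"; sample data is IPv4, so rsplit on the last colon
        out.append(BlobAccess(
            time=rec["TimeGenerated"], operation=rec["OperationName"],
            auth_type=rec["AuthenticationType"], status=int(rec["StatusCode"]),
            container=container, blob=blob,
            client_ip=rec["CallerIpAddress"].rsplit(":", 1)[0],
            user_agent=rec.get("UserAgentHeader", ""),
            oid=rec.get("RequesterObjectId", ""), upn=rec.get("RequesterUpn", "")))
    return out


def vendor_downloads(records, container):
    """Successful content reads of blobs in `container` authorised by any SAS."""
    return [r for r in records
            if r.container == container and r.operation in READ_OPS
            and r.auth_type in SAS_AUTH and 200 <= r.status < 300]


def failed_sas_attempts(records, container):
    """Rejected SAS requests against `container`: worth alerting on separately."""
    return [r for r in records
            if r.container == container and r.auth_type in SAS_AUTH and r.status >= 400]


def attribute(r):
    """Who read the blob, as far as the log record can say."""
    if r.auth_type == "DelegationSas" and r.oid:
        return f"principal {r.upn or r.oid}"
    # Account-key SAS: only the (unauthenticated) network fingerprint is available
    return f"unattributed ({r.auth_type}); client {r.client_ip} {r.user_agent}"


def clients_by_blob(downloads):
    """Per blob, how many reads came from each (client IP, user agent) pair."""
    summary = defaultdict(Counter)
    for r in downloads:
        summary[r.blob][(r.client_ip, r.user_agent)] += 1
    return dict(summary)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG_LINES)
    for r in vendor_downloads(recs, "vendor-drop"):
        print(f"{r.time} {r.blob}: {attribute(r)}")
    for r in failed_sas_attempts(recs, "vendor-drop"):
        print(f"{r.time} REJECTED {r.status} {r.blob} from {r.client_ip}")
```

Two caveats worth keeping in mind when building on this. Client IP and user agent are supplied by the caller and are not authenticated, and a SAS is a bearer token, so anyone holding the token produces identical account-key SAS records; the record can show that the token was used, not by whom. The user delegation SAS entries are the only ones that name a principal, which is why TP's second approach (the vendor signs in and obtains the SAS) is the one that yields attributable log lines. Last access time tracking, as the accepted answer notes, is complementary: it gives a single most-recent-read timestamp per blob, not a history of reads.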