Handling non-existent tags in ABAC conditions for Azure Storage Account

Frank Ma 40 Reputation points
2024-10-24T13:54:44.5566667+00:00

Hello, I've recently turned on on-upload malware scanning for a storage account, and I'm looking to use ABAC to restrict read access from an app service for malicious files. I've set up a condition to allow read access only if the tag with key="Malware Scanning scan result" doesn't contain value="Malicious".


This works perfectly for any newly uploaded files that have been scanned, but older files missing that tag are always restricted. I've tested negating the condition, but this only inverts the logic for the new files, and unscanned files are still always restricted.

I've also tested the following conditions to potentially OR with the malicious file condition, but none were able to permit access:

  • Value as an empty string
  • Attribute as "Blob index tags [Keys]" to check for the absence of the tag with key="Malware Scanning scan result"

What are the options for handling this situation, or are there alternative approaches other than ABAC?

Azure Storage | Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
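The condition the question describes, written out as an added example (it is not the original poster's screenshot and not a Microsoft sample): a Storage Blob Data Reader assignment for the App Service identity whose blob-read action is gated on the scan-result tag. The `<...>` placeholders are assumptions to be replaced with your own ids.

```powershell
# Added example, not the original poster's condition or Microsoft's own sample.
# Assumed placeholders: subscription, resource group, account and the object id
# of the App Service managed identity.
$storageAccountId      = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>"
$appServicePrincipalId = "<object id of the App Service managed identity>"

# First branch: every action of the role other than blob read is unaffected.
# Second branch: blob read is allowed only when the 'Malware Scanning scan result'
# tag is present and its value is not 'Malicious'.  A blob with no such tag
# supplies no value for the comparison, so neither this operator nor its
# negation is satisfied for it, which matches the denial of untagged blobs
# reported in the question.  Single-quoted here-string: $key_case_sensitive$
# is passed through literally.
$condition = @'
(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
 )
 OR
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Malware Scanning scan result<$key_case_sensitive$>] StringNotEquals 'Malicious'
 )
)
'@

New-AzRoleAssignment -ObjectId $appServicePrincipalId `
    -RoleDefinitionName "Storage Blob Data Reader" `
    -Scope $storageAccountId `
    -Condition $condition `
    -ConditionVersion "2.0"

# Check what was stored: the condition is returned on the assignment object.
Get-AzRoleAssignment -ObjectId $appServicePrincipalId -Scope $storageAccountId |
    Select-Object RoleDefinitionName, ConditionVersion, Condition
```

Two things to keep in mind with this shape of condition. The gate only holds if the principal being gated cannot change the tag: Storage Blob Data Reader does not grant `blobs/tags/write`, but giving the same identity Storage Blob Data Contributor or Owner would let it relabel a blob and pass the check. And an absent tag is a deny regardless of operator, so as written this assignment is fail-closed for anything that was never scanned; that is the behaviour the question is trying to get around for pre-existing blobs, not a bug in the syntax.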

Answer accepted by question author
  1. Anonymous
    2024-10-24T19:14:58.1733333+00:00

    Hi Frank Ma,

    Welcome to Microsoft Q&A Forum, thank you for posting your query here!

    It sounds like you're doing a great job setting up ABAC for your storage account! I understand the challenge you're facing with older files missing the "Malware Scanning scan result" tag. Here are a few suggestions to handle this situation:

    • Create a Default Tag for Unscanned Files: You could add a default tag to all files indicating they haven't been scanned yet. For example, you could use a tag like {"Malware Scanning scan result": "Not Scanned"}. This way, you can modify your condition to allow access if the tag is either "Not Scanned" or doesn't contain "Malicious".

    Alternative

    Azure Function Logic:

    The Azure Function can be triggered on two events:

    • File upload (blob creation): The function checks the file’s scan result and takes action accordingly.
    • Metadata/tag update: The function triggers after the malware scan result is applied to the blob (by tag or property).

    Here's a breakdown of what the Azure Function will do:

    • Check File Tag/Metadata: The function will first retrieve the blob’s metadata, specifically looking at the tag "Malware Scanning scan result".

    If Malicious (Tag = "Malicious"):

    • Move file to quarantine: The Azure Function can move the file to a separate "quarantine" container where read access is restricted. This can be done programmatically by copying the blob to a new container and deleting the original.
    • Deny access: Optionally, the function can alter the access level of the blob (such as removing public access or adjusting permissions).
    • Notify admin: You could also trigger notifications (e.g., email or Slack) to inform security teams or admins.

    If Clean (Tag ≠ "Malicious"):

    Handling Access Control:

    • You can integrate Azure RBAC or Shared Access Signatures (SAS) to control who can access the blobs:
    • If a file is clean, the Function can ensure that appropriate roles (e.g., Storage Blob Data Reader) are assigned to the Storage account.
    • If a file is malicious, the Function could revoke access by either removing the role assignment or moving the blob to a restricted container where only admins have access.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please do not forget to "Accept Answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
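The two options in the answer above, as an added example written with Az.Storage cmdlets (this is not the answerer's code). It assumes a storage account and container names to fill in, a "Not Scanned" marker value for the backfill, and a container called `quarantine` that the App Service's role assignment does not need to reach; the identity running it needs `blobs/tags/write` for the backfill and copy/delete rights (Storage Blob Data Contributor or higher) for the quarantine step.

```powershell
# Added example, not code from the answer above.  Account, container names,
# the "Not Scanned" marker value and the quarantine container name are assumptions.
$tagKey = "Malware Scanning scan result"
$ctx    = New-AzStorageContext -StorageAccountName "<account>" -UseConnectedAccount

# Option 1: give blobs that predate scanning a placeholder value so the ABAC
# condition has something to evaluate.  Set-AzStorageBlobTag replaces the whole
# tag set, so existing tags are merged back in before writing.
function Add-UnscannedMarker {
    param([string]$Container)
    foreach ($blob in Get-AzStorageBlob -Container $Container -Context $ctx -IncludeTag) {
        $tags = @{}
        if ($blob.Tags) {
            foreach ($kv in $blob.Tags.GetEnumerator()) { $tags[$kv.Key] = $kv.Value }
        }
        if (-not $tags.ContainsKey($tagKey)) {
            $tags[$tagKey] = "Not Scanned"
            Set-AzStorageBlobTag -Container $Container -Blob $blob.Name -Tag $tags -Context $ctx
        }
    }
}

# Option 2: the body of the Azure Function.  Runs once per blob event and moves
# a blob tagged Malicious into the quarantine container; clean blobs are left
# alone, and an untagged blob is reported as its own state so it is never
# mistaken for clean.
function Invoke-ScanResultAction {
    param(
        [string]$Container,
        [string]$Blob,
        [string]$QuarantineContainer = "quarantine"
    )
    $tags = Get-AzStorageBlobTag -Container $Container -Blob $Blob -Context $ctx
    if (-not $tags -or -not $tags.ContainsKey($tagKey)) { return "unscanned" }
    if ($tags[$tagKey] -cne "Malicious")                { return "clean" }   # -cne: exact, case-sensitive match

    # Keep the source container in the quarantined name so same-named blobs
    # from different containers cannot overwrite each other.
    $destName = "$Container/$Blob"
    Start-AzStorageBlobCopy -SrcContainer $Container -SrcBlob $Blob `
        -DestContainer $QuarantineContainer -DestBlob $destName -Context $ctx -Force | Out-Null
    # Block until the server-side copy reports Success and only then delete the
    # original, so a failed copy never loses the sample.
    $state = Get-AzStorageBlobCopyState -Container $QuarantineContainer -Blob $destName -Context $ctx -WaitForComplete
    if ($state.Status -ne "Success") { throw "copy of $Container/$Blob failed: $($state.Status)" }
    Remove-AzStorageBlob -Container $Container -Blob $Blob -Context $ctx -Force
    Write-Warning "quarantined $Container/$Blob ($tagKey = Malicious)"   # replace with your mail/Slack notification
    return "quarantined"
}

# Usage (assumed names):
# Add-UnscannedMarker -Container "uploads"
# Invoke-ScanResultAction -Container "uploads" -Blob "invoice.pdf"
```

Option 1 is deliberately fail-open: once every old blob carries "Not Scanned", a `StringNotEquals 'Malicious'` condition lets the app read content that was never scanned, which is what the question asks for but is a policy decision to make explicitly; if old content must be scanned before anyone reads it, keep the untagged blobs denied instead. For option 2, an account-scope assignment also covers the quarantine container, but the condition still denies those blobs: either the Malicious tag came across with the copy, or no tag came across and the absent-tag case denies as it did in the question.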


0 additional answers
