Microsoft Azure pros share their thoughts on Service Bus encryption, Container Registry, container image scans and working with Linux CentOS.
Encrypting Azure Service Bus with user keys
On the Serverless360 Blog, Ranjith Eswaran described how to encrypt Azure Service Bus data both at rest and in transit to safeguard sensitive information. Microsoft data centers already encrypt data at rest by default with Microsoft-managed keys. But on the customer’s end, it’s important to keep in mind that this data is only as secure as the keys that protect it and the access control around them: with customer-managed keys the key encryption key lives in Azure Key Vault, where access to it is governed by the vault’s access policies and Azure role-based access control, and the data itself is split across partitions that are each protected by their own data encryption key. Restricting who can use the key encryption key in Key Vault therefore restricts who can reach any of the data.
According to Eswaran, encryption at rest uses a key hierarchy: the data is encrypted with AES-256 data encryption keys, typically one per block of data or per partition, and those keys are in turn wrapped by the key encryption key. Some organizations encrypt Service Bus message bodies themselves before sending, but then every receiver has to carry the decryption logic and the key distribution that goes with it. As an alternative, Azure’s Bring Your Own Key (customer-managed keys) keeps encryption and decryption inside the service while the customer controls the key in Key Vault and can rotate or revoke it. For the time being, customer-managed keys are only supported in Premium namespaces.
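The following script is an added example, not code from Eswaran's post: it walks through enabling customer-managed keys on a Premium namespace with the Azure CLI, in the order the key hierarchy above requires (a protected vault, a key encryption key, a managed identity for the namespace, least-privilege key permissions, then the encryption setting). The resource group, namespace, vault and key names are placeholders, `DRY_RUN=1` (the default) only prints the commands, and the command syntax follows the current `az` reference; confirm it against `az servicebus namespace encryption add --help` for your CLI version.

```shell
#!/usr/bin/env bash
# Added example (not from Eswaran's post): enable customer-managed keys (BYOK)
# on a Premium Service Bus namespace. Resource names are placeholders;
# DRY_RUN=1 (the default) prints the commands instead of running them.
set -eu

RG="${RG:-rg-messaging}"        # assumed resource group
NS="${NS:-sb-premium-demo}"     # assumed Service Bus namespace (must be Premium)
KV="${KV:-kv-sb-demo}"          # assumed Key Vault holding the key encryption key
KEY="${KEY:-sb-kek}"            # assumed name of the key encryption key (KEK)
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# require_premium SKU: customer-managed keys only work on Premium namespaces,
# so refuse early instead of letting 'encryption add' fail half-way through.
require_premium() {
  [ "$1" = "Premium" ] && return 0
  echo "namespace SKU is '$1'; customer-managed keys need Premium" >&2
  return 1
}

enable_cmk() {
  local sku pid
  if [ "$DRY_RUN" = "1" ]; then
    sku="Premium"; pid="<namespace-principal-id>"
  else
    sku="$(az servicebus namespace show -g "$RG" -n "$NS" --query sku.name -o tsv)"
    pid=""
  fi
  require_premium "$sku" || return 1

  # 1. The vault must keep deleted keys recoverable: Azure refuses a KEK in a
  #    vault without soft-delete and purge protection, because losing the KEK
  #    makes every wrapped data encryption key, and so the data, unreadable.
  run az keyvault update -g "$RG" -n "$KV" --enable-purge-protection true

  # 2. Create the RSA key that acts as the key encryption key.
  run az keyvault key create --vault-name "$KV" -n "$KEY" --kty RSA --size 2048

  # 3. Give the namespace a system-assigned managed identity so it can call Key Vault.
  run az servicebus namespace identity assign -g "$RG" --namespace-name "$NS" --system-assigned
  if [ "$DRY_RUN" != "1" ]; then
    pid="$(az servicebus namespace show -g "$RG" -n "$NS" --query identity.principalId -o tsv)"
  fi

  # 4. Least privilege on the vault: the service only needs to read the key's
  #    metadata and wrap/unwrap data encryption keys, never list, delete or export it.
  run az keyvault set-policy -n "$KV" --object-id "$pid" --key-permissions get wrapKey unwrapKey

  # 5. Point the namespace at the KEK. Leaving out key-version tracks the latest
  #    version of the key (per the CLI reference), so a rotation in Key Vault
  #    needs no further change on the namespace.
  run az servicebus namespace encryption add -g "$RG" --namespace-name "$NS" \
    --encryption-config key-name="$KEY" key-vault-uri="https://$KV.vault.azure.net/"
}

enable_cmk
```

Run it with `DRY_RUN=0` against a namespace created with `--sku Premium`; on a Standard namespace `require_premium` stops the script before any vault change is made.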
Understanding tokens and scope maps for Container Registry
Tobias Zimmergren discussed fine-grained permissions for Azure Container Registry (ACR) using tokens and scope maps. Historically, ACR took an “all or nothing” approach to granting permissions to outside developers who needed access to internal images: the admin account and the registry-wide roles exposed every repository in the registry to anyone holding the credential, which is far more than a partner pulling one image should ever see.
According to Zimmergren, a scope map does not grant anything by itself; it lists one or more repositories and the actions allowed on each (content/read, content/write, content/delete, metadata/read, metadata/write). A token, by contrast, is bound to exactly one scope map and carries the passwords a client presents in place of a registry-wide credential. Their great advantage is that a token can be disabled or its passwords regenerated in an instant, and that access can be limited to specific actions on specific repositories. He shared basic commands to work with these permissions but warned fellow users that, at the time of writing, the feature was still in preview.
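As an added example, not Zimmergren's own commands, the script below creates a pull-only token for an outside party: a scope map that allows only `content/read` and `metadata/read` on one repository, a token bound to that scope map, one expiring password, and the one-line revocation. Registry, repository, scope map and token names are placeholders; `DRY_RUN=1` (the default) prints the commands. The action list is checked locally first, because a mistyped action is better rejected here than discovered after a wider grant has been handed out.

```shell
#!/usr/bin/env bash
# Added example (not Zimmergren's code): least-privilege ACR access for a partner
# who may only pull one repository. Names are placeholders; DRY_RUN=1 prints commands.
set -eu

ACR="${ACR:-myregistry}"                 # assumed registry name (without .azurecr.io)
REPO="${REPO:-samples/hello-world}"      # assumed repository the partner may pull
SCOPE="${SCOPE:-partner-pull-only}"      # assumed scope map name
TOKEN="${TOKEN:-partner-token}"          # assumed token name
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# validate_actions ACTION...: a scope map only understands these repository
# actions; anything else (a typo such as content/pull) is rejected before it
# reaches the CLI.
validate_actions() {
  local a
  for a in "$@"; do
    case "$a" in
      content/read|content/write|content/delete|metadata/read|metadata/write) ;;
      *) echo "unknown scope-map action: $a" >&2; return 1 ;;
    esac
  done
}

# create_pull_token: scope map (what is allowed) + token (who) + password (credential).
create_pull_token() {
  validate_actions content/read metadata/read || return 1
  # The scope map names the repository and the actions allowed on it.
  run az acr scope-map create --registry "$ACR" --name "$SCOPE" \
    --repository "$REPO" content/read metadata/read \
    --description "pull-only access to $REPO for an external partner"
  # The token is bound to exactly one scope map and has no rights of its own.
  run az acr token create --registry "$ACR" --name "$TOKEN" --scope-map "$SCOPE"
  # One password with a 30-day expiry; the value is printed once, hand it over out of band.
  run az acr token credential generate --registry "$ACR" --name "$TOKEN" \
    --password1 --expiration-in-days 30 --query 'passwords[0].value' -o tsv
}

# revoke_token: flipping the status is immediate and reversible, unlike deleting the token.
revoke_token() {
  run az acr token update --registry "$ACR" --name "$TOKEN" --status disabled
}

create_pull_token
revoke_token
```

The partner then logs in with `docker login myregistry.azurecr.io -u partner-token -p <password>` and can pull `samples/hello-world` but nothing else; when the engagement ends, `revoke_token` cuts access without touching any other credential. Check the credential flags against `az acr token credential generate --help` for your CLI version.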
Viewing container image scans
Daniel Neumann, writing on Daniel’s Tech Blog, followed up on a recent look at how to connect Container Registries with Security Center, this time pulling the image scan results through Azure Resource Graph rather than the Security Center blade. Resource Graph can be queried from the Azure portal, the Azure CLI, the REST API or Azure PowerShell.
In his demo, Neumann used the Azure CLI to get an overview, pulling the assessment key and severity level for each finding. He wrote:
Running one more query with the assessment key on another table shows the interesting details about the issue, the corresponding CVE number as well as information about the remediation.
Besides that you get the name of the affected container image repository with the image digest. The queries…can be integrated into an Azure Workbook. So, you get again a graphical UI in the Azure portal.
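The script below is an added example and not Neumann's query: it builds one Resource Graph query that pulls the assessment key out of the resource id and joins it with the per-finding details the post mentions (CVE, remediation, repository and image digest), filtered by severity, and runs it with the Azure CLI. The `properties.*` field names follow the Security Center subassessment schema as I know it and are assumptions; compare them with a raw `az graph query` result in your own tenant before relying on the column mapping. `DRY_RUN=1` (the default) prints the command instead of calling Azure.

```shell
#!/usr/bin/env bash
# Added example (not Neumann's queries): list container image vulnerability findings
# from Security Center through Resource Graph. Field names under properties.* are
# assumed from the subassessment schema; verify against a raw query result.
set -eu
DRY_RUN="${DRY_RUN:-1}"

# build_query SEVERITY: KQL that takes the assessment key from the resource id and
# projects the per-finding details: CVE, remediation, repository and image digest.
build_query() {
  local sev="$1"
  case "$sev" in
    High|Medium|Low) ;;
    *) echo "severity must be High, Medium or Low, got '$sev'" >&2; return 1 ;;
  esac
  cat <<EOF
securityresources
| where type == "microsoft.security/assessments/subassessments"
| where tostring(properties.additionalData.assessedResourceType) == "ContainerRegistryVulnerability"
| where tostring(properties.status.severity) == "$sev"
| extend assessmentKey = extract(@"assessments/([^/]+)/subassessments", 1, id)
| project assessmentKey,
          severity    = tostring(properties.status.severity),
          cve         = tostring(properties.id),
          title       = tostring(properties.displayName),
          remediation = tostring(properties.remediation),
          repository  = tostring(properties.additionalData.repositoryName),
          digest      = tostring(properties.additionalData.imageDigest)
| order by repository asc, cve asc
EOF
}

# run_query SEVERITY: needs 'az extension add --name resource-graph' once.
# --first 1000 is the per-call maximum; page with --skip-token in larger tenants.
run_query() {
  local q
  q="$(build_query "$1")" || return 1
  if [ "$DRY_RUN" = "1" ]; then
    echo "az graph query --first 1000 -o table -q '$q'"
  else
    az graph query --first 1000 -o table -q "$q"
  fi
}

run_query High
```

Dropping the `project` line from `build_query` and running it once with `-o json` is the quickest way to see the real property names before wiring the query into a workbook.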
Changing the size of Azure Linux CentOS VM disks
A contributor to Cloud and DevOps Blog explored what’s involved in increasing the OS disk of a Linux CentOS Azure VM. By default, an Azure Linux VM image comes with a 30 GB OS disk. First of all, users need to stop the VM, navigate to its OS disk and manually raise the size, in the example to 35 GB. With the larger disk attached, the VM can be started again.
After connecting over SSH, a short command such as df -h shows the current size of the mounted filesystems, and lsblk lists every disk and partition on the VM. If lsblk still shows unallocated space on the OS disk, the partition and the filesystem on it have to be grown inside the guest before the extra space can be used.
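As an added example, not the blog's own commands, the script below does the in-guest check that follows the portal resize: it parses the flat byte output of lsblk, works out how much of the OS disk is not covered by any partition, and, if that is more than alignment slack, grows the root partition and its filesystem. The lsblk text embedded in the script is constructed to look like a VM whose disk went from 30 GB to 35 GB while the root partition stayed at 30 GB; the disk name (/dev/sda), the root partition number (2) and the XFS filesystem are assumptions matching a typical CentOS 7 Azure image, and `DRY_RUN=1` (the default) prints the growth commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the Cloud and DevOps Blog post): after enlarging the OS
# disk in Azure and starting the VM, confirm inside the guest that the root
# partition and filesystem use the new space, and grow them if they do not.
# Assumptions: sd-style device names, root on partition 2 of /dev/sda, XFS or ext4.
set -eu
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# disk_slack LSBLK_OUTPUT DISK: bytes on DISK not covered by any partition.
# LSBLK_OUTPUT is the text of 'lsblk -lbno NAME,TYPE,SIZE' (flat list, sizes in bytes).
disk_slack() {
  local disk="$2" name type size total=0 used=0
  while read -r name type size; do
    [ -n "$name" ] || continue
    if [ "$type" = "disk" ] && [ "$name" = "$disk" ]; then
      total=$size
    elif [ "$type" = "part" ]; then
      case "$name" in "$disk"*) used=$((used + size)) ;; esac
    fi
  done <<EOF
$1
EOF
  [ "$total" -gt 0 ] || { echo "disk $disk not found in lsblk output" >&2; return 1; }
  echo $((total - used))
}

# grow_root DISK PARTNUM MOUNT: grow the partition first, then the filesystem on it.
# growpart comes from the cloud-utils-growpart package (yum install cloud-utils-growpart).
grow_root() {
  local disk="$1" partnum="$2" mnt="${3:-/}" fstype
  run growpart "/dev/$disk" "$partnum"
  if [ "$DRY_RUN" = "1" ]; then fstype="xfs"; else fstype="$(findmnt -no FSTYPE "$mnt")"; fi
  case "$fstype" in
    xfs)  run xfs_growfs "$mnt" ;;                   # XFS is grown by mount point
    ext4) run resize2fs "/dev/${disk}${partnum}" ;;  # ext4 is grown by device
    *)    echo "unsupported filesystem: $fstype" >&2; return 1 ;;
  esac
}

# check_and_grow LSBLK_OUTPUT DISK PARTNUM: grow only when real space is unused;
# a megabyte or so of alignment slack at the end of a disk is normal.
check_and_grow() {
  local slack
  slack="$(disk_slack "$1" "$2")" || return 1
  if [ "$slack" -gt $((64 * 1024 * 1024)) ]; then
    echo "$2: $slack bytes unpartitioned, growing partition $3" >&2
    grow_root "$2" "$3" /
  else
    echo "$2: no unpartitioned space, nothing to do" >&2
  fi
}

# Constructed sample of 'lsblk -lbno NAME,TYPE,SIZE': the OS disk sda was grown
# to 35 GiB, but sda2 (root) still only reaches the old 30 GiB boundary.
SAMPLE='sda  disk 37580963840
sda1 part 524288000
sda2 part 31686918144
sdb  disk 7516192768
sdb1 part 7515144192'

if [ "$DRY_RUN" = "1" ]; then
  check_and_grow "$SAMPLE" sda 2
else
  check_and_grow "$(lsblk -lbno NAME,TYPE,SIZE)" sda 2
fi
```

On a real VM run it with `DRY_RUN=0` as root; on the sample it reports about 5 GiB unpartitioned on sda and prints `growpart /dev/sda 2` followed by `xfs_growfs /`, while the fully used temporary disk sdb would be left alone.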