Description:

Regenerate storage account access keys periodically.


Rationale:

When a storage account is created, Azure generates two 512-bit storage access keys. These keys are used for authentication when the storage account is accessed and provide complete access to the storage account. Rotating these keys periodically ensures that an inadvertent exposure of a key does not leave the storage account compromised indefinitely.


Impact:

Regenerating access keys can affect services in Azure as well as the organization's applications that are dependent on the storage account. All clients that use the access key to access the storage account must be updated to use the new key.


Default Value:

By default, access keys are not regenerated periodically.


Audit:

  1. Sign in to your Azure account

  2. Go to Storage Accounts

  3. For each storage account, go to Access Keys under the Security + Networking section

  4. In the default scenario, the keys have not been rotated since the date the storage account was created.

Remediation:

Pre-requisites:

  1. Azure account.

  2. Azure Storage account within the subscription

Implementation Steps:

  1. Sign in to your Azure account

  2. Go to Storage Accounts

  3. For each storage account, go to Access Keys under the Security + Networking section

  4. Click Set rotation reminder, check Enable key rotation reminders, select the number of days after which you want to be reminded to rotate the keys, and click Save (Azure suggests rotating the access keys every 90 days).


Note: The keys cannot be changed unless they are rotated manually, so this policy only sets a reminder that notifies you to rotate the keys.
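As an added example (not part of the original page), the audit check above and the reminder-versus-rotation distinction in the note, expressed as an offline script over the JSON that `az storage account show -o json` returns; the field names keyCreationTime and keyPolicy, and the sample accounts, are assumptions constructed for this example.

```python
"""Audit Azure storage account key age and rotation policy from CLI output.
Field names keyCreationTime/keyPolicy are assumed from `az storage account show`.
Rotation itself: `az storage account keys renew`; reminder: `--key-exp-days`."""
import json
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # rotation period the page says Azure suggests

# Constructed sample, not real accounts: one compliant, one never rotated
SAMPLE_ACCOUNTS_JSON = """[
  {"name": "stgpayroll01",
   "creationTime": "2023-01-10T12:00:00.000000+00:00",
   "keyCreationTime": {"key1": "2024-05-01T09:30:00.000000+00:00"},
   "keyPolicy": {"keyExpirationPeriodInDays": 90}},
  {"name": "stglegacy02",
   "creationTime": "2022-06-15T08:00:00.000000+00:00",
   "keyCreationTime": {"key1": "2022-06-15T08:00:00.000000+00:00"},
   "keyPolicy": null}
]"""


def parse_time(value):
    """Parse the ISO-8601 timestamp the CLI emits into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_account(account, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return findings for one account; an empty list means it passes."""
    findings = []
    created = parse_time(account["creationTime"])
    for key_name, key_time in (account.get("keyCreationTime") or {}).items():
        key_created = parse_time(key_time)
        age_days = (now - key_created).days
        if key_created == created:  # default state described in the audit step
            findings.append(f"{key_name}: never rotated since account creation ({age_days} days)")
        elif age_days > max_age_days:
            findings.append(f"{key_name}: {age_days} days old, exceeds {max_age_days}")
    policy = account.get("keyPolicy") or {}
    if not policy.get("keyExpirationPeriodInDays"):  # reminder only, keys unchanged
        findings.append("no key expiration policy (rotation reminder) set")
    return findings


def audit(accounts_json, now_iso=None):
    """Map account name -> findings for every account in the CLI output."""
    now = parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    return {a["name"]: audit_account(a, now) for a in json.loads(accounts_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS_JSON).items():
        print(name, "PASS" if not findings else "; ".join(findings))
```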

Backout Plan:

  1. Sign in to your Azure account

  2. Go to Storage Accounts

  3. For each storage account, go to Access Keys under the Security + Networking section

  4. Click Set rotation reminder and uncheck Enable key rotation reminders (this turns off the rotation reminder notification).

References: