Description:

Azure Storage Accounts use access keys (primary and secondary keys) to authenticate and authorise applications or users. Periodically regenerating these keys reduces the risk of unauthorised access in case keys are leaked, compromised, or overused. Regeneration is a proactive security measure to maintain key hygiene.


Rationale:

Prevents long-term exposure of access keys. Mitigates risks from accidental key leakage (e.g., in code, scripts, or logs). Supports compliance with standards such as CIS, NIST, ISO 27001, and PCI DSS, which require key rotation policies for secrets and credentials.

Reduces the attack surface for malicious actors who may gain access to stale keys.


Default Value:

By default, Azure Storage Account keys are not automatically regenerated.

Manual regeneration or automation via scripts (e.g., Azure CLI, PowerShell, or Azure Key Vault integration) is required.


Pre-requisites:

You must have a role that allows regenerating storage access keys.

Applications and services that use the keys must be ready for rotation, i.e. you must know where each key is used and be able to update those consumers with the new value.


Test Plan:

  1. Log in to the Azure Portal https://portal.azure.com.

  2. Search for Azure Storage Accounts and select the storage account.

  3. In the storage account’s left-hand menu, under Security + networking, click Access keys.

  4. Check whether the access key has been rotated within the last 90 days.

  5. If not rotated, follow the implementation steps.

Implementation steps:

  1. Log in to the Azure Portal https://portal.azure.com.

  2. Search for Azure Storage Accounts and select the storage account.

  3. In the storage account’s left-hand menu, scroll down to Security + networking, then click Access keys.

  4. You will see key1 and key2. To rotate a key, click Rotate key.

  5. When prompted with Regenerate access key, click Yes to confirm.

  6. After regenerating a key, make sure to update any applications or services that use that key with the new value to avoid service disruption.
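As an added example (not part of this control page and not Microsoft's tooling), the script below applies the 90-day check from the test plan to the JSON printed by `az storage account keys list` and builds the matching `az storage account keys renew` command for each stale key, so the test and the remediation can be scripted instead of done in the portal. The sample key list, the account name `examplestorage` and the resource group `example-rg` are constructed; the CLI reports `creationTime` per key on current API versions, and a key without that field is flagged for manual review because its age cannot be shown to be within policy.

```python
import json
from datetime import datetime, timezone

# Policy threshold from the test plan: a key rotated more than 90 days ago is stale.
MAX_KEY_AGE_DAYS = 90

# Constructed sample. The shape mirrors the JSON printed by
#   az storage account keys list --account-name <acct> --resource-group <rg> -o json
# which includes a creationTime per key; the dates and values here are made up.
SAMPLE_KEYS_JSON = """
[
  {"keyName": "key1", "permissions": "FULL",
   "creationTime": "2024-01-15T00:00:00+00:00", "value": "<redacted>"},
  {"keyName": "key2", "permissions": "FULL",
   "creationTime": "2024-05-01T00:00:00.000000+00:00", "value": "<redacted>"}
]
"""

# Portal key names map to the --key argument of `az storage account keys renew`.
KEY_SLOT = {"key1": "primary", "key2": "secondary"}


def parse_timestamp(text):
    """Parse the ISO-8601 timestamp the CLI emits; tolerate a trailing 'Z'."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:  # treat naive timestamps as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def assess_keys(keys_json, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return one finding per key: name, age in days (None if unknown) and stale flag.

    `now` may be a datetime or an ISO-8601 string; it defaults to the current UTC time.
    A key with no creationTime cannot be shown to be fresh, so it is reported as stale.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_timestamp(now)
    findings = []
    for key in json.loads(keys_json):
        created = key.get("creationTime")
        if created:
            age_days = (now - parse_timestamp(created)).days
            stale = age_days > max_age_days
        else:
            age_days = None
            stale = True
        findings.append({"keyName": key["keyName"], "age_days": age_days, "stale": stale})
    return findings


def renew_commands(findings, account_name, resource_group):
    """Build the Azure CLI remediation command for each stale key (key values are never printed)."""
    cmds = []
    for finding in findings:
        if finding["stale"]:
            slot = KEY_SLOT.get(finding["keyName"], finding["keyName"])
            cmds.append(
                f"az storage account keys renew --account-name {account_name} "
                f"--resource-group {resource_group} --key {slot}"
            )
    return cmds


if __name__ == "__main__":
    # Fixed "today" so the constructed sample gives a reproducible result.
    findings = assess_keys(SAMPLE_KEYS_JSON, now="2024-06-01T00:00:00+00:00")
    for finding in findings:
        status = "STALE" if finding["stale"] else "ok"
        print(f"{finding['keyName']}: age={finding['age_days']} days -> {status}")
    for cmd in renew_commands(findings, "examplestorage", "example-rg"):
        print("remediate:", cmd)
```

In real use, replace `SAMPLE_KEYS_JSON` with the captured output of `az storage account keys list` and drop the fixed `now`; as step 6 says, the consumers of a renewed key must be updated before the old value stops working, and the script only prints the command rather than running it so that the rotation remains a deliberate step.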

BackOut Plan:

Note: Once a key has been regenerated by clicking Rotate key, the previous key value cannot be recovered; any consumer still using it will fail to authenticate until it is updated with the new value.

Reference: