Description:
The SAS token is the query string that carries everything needed to authenticate the Shared Access Signature: it identifies the Azure Storage service and resource, the permissions granted, and the time frame for which the signature is valid.
Rationale:
A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. A shared access signature can be provided to clients who should not be trusted with the storage account key but for whom it may be necessary to delegate access to certain storage account resources.
Impact:
Providing a shared access signature URI to these clients allows them access to a resource for a specified period of time. This time should be set as low as possible and preferably no longer than an hour.
Default Value:
By default, the expiration for a shared access signature is set to 8 hours.
Audit:
Sign in to your Azure account.
Go to Storage accounts.
Select the particular storage account.
Click on the Shared access signatures blade under the Security + networking section.
Under the Start and expiry date/time section, review the configured start and expiry of the SAS (by default the SAS expires 8 hours after the start time).
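The portal steps above show the expiry window for a SAS you are about to generate; to audit SAS tokens that are already in circulation (in application configuration, scripts or logs), the same check can be applied to the token itself, since the validity window is carried in its `st` (start) and `se` (expiry) query parameters. The following Python script is an added example, not part of the original recommendation: it parses a SAS URI or query string, reports the window length, and flags anything longer than the one-hour maximum. It also produces a compliant one-hour start/expiry pair in the timestamp format SAS expects, which is what the remediation step asks you to set. The sample URIs are constructed and their `sig` values are placeholders, not real signatures.

```python
"""Audit a SAS token's validity window against the one-hour maximum.

Added example (not from the original page). Parses the standard SAS query
parameters `st` (start, optional) and `se` (expiry) and checks the window.
Sample URIs below are constructed; `sig` values are placeholders.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

MAX_WINDOW = timedelta(hours=1)          # the recommendation's upper bound
SAS_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # canonical UTC form used in SAS tokens


def _parse_sas_time(value: str) -> datetime:
    """Parse the ISO 8601 UTC forms SAS accepts: date only, minute, or second precision."""
    for fmt in (SAS_TIME_FORMAT, "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def sas_params(uri_or_query: str) -> dict:
    """Return SAS parameters as a flat dict; accepts a full URI or a bare query string."""
    if "://" in uri_or_query:
        query = urlsplit(uri_or_query).query
    else:
        query = uri_or_query.lstrip("?")
    return {key: values[0] for key, values in parse_qs(query).items()}


def audit_sas(uri_or_query: str, now: Optional[datetime] = None) -> dict:
    """Report the validity window of a SAS token and whether it is within MAX_WINDOW.

    If `st` is absent, Azure treats the start as the moment the request is
    received; `now` is used as the closest auditable stand-in and the result
    records that the start was assumed rather than read from the token.
    """
    params = sas_params(uri_or_query)
    if "se" not in params:
        return {"compliant": False, "window_hours": None,
                "start_assumed": False, "reason": "no expiry (se) parameter"}
    expiry = _parse_sas_time(params["se"])
    if "st" in params:
        start, start_assumed = _parse_sas_time(params["st"]), False
    else:
        start, start_assumed = now or datetime.now(timezone.utc), True
    window = expiry - start
    hours = window.total_seconds() / 3600
    if window <= timedelta(0):
        reason = "expired or expiry precedes start"
    elif window > MAX_WINDOW:
        reason = f"window of {hours:g}h exceeds {MAX_WINDOW.total_seconds() / 3600:g}h maximum"
    else:
        reason = "within maximum"
    return {"compliant": timedelta(0) < window <= MAX_WINDOW, "window_hours": hours,
            "start_assumed": start_assumed, "reason": reason}


def one_hour_window(now: Optional[datetime] = None) -> Tuple[str, str]:
    """Return a compliant (st, se) pair: start now, expiry exactly one hour later."""
    start = (now or datetime.now(timezone.utc)).replace(microsecond=0)
    return start.strftime(SAS_TIME_FORMAT), (start + MAX_WINDOW).strftime(SAS_TIME_FORMAT)


# Constructed sample tokens (hypothetical account, placeholder signatures).
SAMPLES = {
    "one_hour": "https://example.blob.core.windows.net/?sv=2022-11-02&ss=b&srt=sco&sp=rl"
                "&st=2024-05-01T10:00:00Z&se=2024-05-01T11:00:00Z&spr=https&sig=PLACEHOLDER",
    "portal_default": "https://example.blob.core.windows.net/?sv=2022-11-02&ss=b&srt=sco&sp=rl"
                      "&st=2024-05-01T10:00:00Z&se=2024-05-01T18:00:00Z&spr=https&sig=PLACEHOLDER",
    "date_only": "sv=2022-11-02&ss=b&srt=sco&sp=rl&st=2024-05-01&se=2024-05-02&sig=PLACEHOLDER",
    "no_start": "sv=2022-11-02&ss=b&srt=sco&sp=rl&se=2024-05-01T11:00:00Z&sig=PLACEHOLDER",
}

if __name__ == "__main__":
    audit_time = datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)
    for name, token in SAMPLES.items():
        print(f"{name:15} {audit_sas(token, now=audit_time)}")
    print("compliant window:", one_hour_window(audit_time))
```

Run the script to see the four constructed tokens classified; in practice feed it the SAS strings pulled from your configuration store. Treat a result with `start_assumed` set as only as good as the audit time you supplied, since a token without `st` becomes valid whenever the service first sees it.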
Remediation:
Pre-requisites:
An Azure account.
An Azure Storage account.
Implementation Steps:
Sign in to your Azure account.
Go to Storage accounts.
Select the particular storage account.
Click on the Shared access signatures blade under the Security + networking section.
Change the Start and expiry date/time so that the SAS expires no later than 1 hour after the start time.
Backout plan:
Sign in to your Azure account.
Go to Storage accounts.
Select the particular storage account.
Click on the Shared access signatures blade under the Security + networking section.
Change the Start and expiry date/time so that the SAS expires after the desired number of hours (the default is 8 hours).