Description:

A Shared Access Signature (SAS) is a secure URL that grants temporary, limited access to Azure Storage resources (like blobs, files, or queues) without exposing the storage account keys. This control ensures that SAS tokens are configured to expire quickly, within 1 hour, minimising the risk of misuse if the token is leaked or intercepted.


Rationale:

Reduces exposure risk: SAS tokens are like temporary keys; the shorter their lifetime, the lower the risk if they fall into the wrong hands.

Improves security posture: Limits the attack window for unauthorised access.

Compliance requirement: Meets security standards such as CIS, ISO 27001, and NIST that require the use of temporary credentials to minimise risk.

Encourages best practices: Forces applications and users to request new tokens regularly rather than relying on long-lived tokens.


Impact:

Providing a Shared Access Signature (SAS) URI to clients grants them access to a specific resource for a limited period. To minimise security risks, this duration should be kept as short as possible, ideally no longer than one hour.


Default Value:

By default, SAS tokens do not have a strict expiration; it is up to the user or application to define the expiry.

Pre-requisites:

  • Global Administrator or Security Administrator permissions

  • Applications must support short-lived SAS tokens


Test Plan:

  1. Sign in to the Azure Portal https://portal.azure.com.

  2. Search for Azure Storage Accounts and select the specific storage account.

  3. In the left-hand menu, under the Settings section, click on Configuration.

  4. Check whether Allow upper limit for shared access signature (SAS) expiry interval is enabled or disabled.

  5. If it is disabled, follow the Implementation Steps.


Implementation Steps:

  1. Sign in to the Azure Portal https://portal.azure.com.

  2. Search for Azure Storage Accounts and select the specific storage account.

  3. In the left-hand menu, under the Settings section, click on Configuration.

  4. Find Allow upper limit for shared access signature (SAS) expiry interval, enable it, and set the expiry interval to 1 hour.
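The portal setting caps what the account will accept; a complementary check is to measure the validity window of the SAS URLs that applications actually hand out (for example, from application logs or configuration files) against the same 1-hour limit. The following Python script is an added example and not part of this control document; the storage account name, blob paths, timestamps and signature values are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

MAX_SAS_LIFETIME = timedelta(hours=1)  # the upper limit this control recommends


def _parse_sas_time(value: str) -> datetime:
    # SAS timestamps are ISO 8601 UTC, e.g. 2024-05-01T12:00:00Z or 2024-05-01
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def sas_lifetime(sas_url: str, issued_at: datetime) -> timedelta:
    """Return the validity window of the SAS carried in sas_url.

    'se' (signed expiry) is mandatory. 'st' (signed start) is optional; when
    it is absent the token is usable from the moment it was issued, so the
    caller supplies that moment as issued_at (the edge case to watch for).
    """
    params = parse_qs(urlparse(sas_url).query)
    if "se" not in params:
        raise ValueError("SAS has no 'se' (signed expiry) parameter")
    expiry = _parse_sas_time(params["se"][0])
    start = _parse_sas_time(params["st"][0]) if "st" in params else issued_at
    return expiry - start


def check_sas_urls(urls, issued_at, limit=MAX_SAS_LIFETIME):
    """Return (url, lifetime, compliant) for every SAS URL in urls."""
    results = []
    for url in urls:
        lifetime = sas_lifetime(url, issued_at)
        results.append((url, lifetime, lifetime <= limit))
    return results


# Constructed sample data: hypothetical account, paths and a redacted signature.
ISSUED_AT = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_URLS = [
    # 45-minute read-only token with an explicit start: compliant
    "https://examplestorage.blob.core.windows.net/logs/app.log"
    "?sv=2022-11-02&sp=r&st=2024-05-01T12:00:00Z&se=2024-05-01T12:45:00Z&sig=REDACTED",
    # one-year read/write token with no start time: lifetime runs from issue: non-compliant
    "https://examplestorage.blob.core.windows.net/logs/app.log"
    "?sv=2022-11-02&sp=rw&se=2025-05-01T12:00:00Z&sig=REDACTED",
]

if __name__ == "__main__":
    for url, lifetime, ok in check_sas_urls(SAMPLE_URLS, ISSUED_AT):
        print("OK  " if ok else "FAIL", lifetime, url.split("?")[0])
```

Tokens that fail this check are the ones the account-level upper limit would have rejected; finding them in logs points at applications that still need to be adapted to short-lived SAS tokens.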



Backout Plan:

  1. Sign in to the Azure Portal https://portal.azure.com.

  2. Search for Azure Storage Accounts and select the specific storage account.

  3. In the left-hand menu, under the Settings section, click on Configuration.

  4. Find Allow upper limit for shared access signature (SAS) expiry interval and disable it.


Reference: