Description:

Storage Account access keys are used by applications to authenticate and access data. Because these keys act like passwords, they should be rotated regularly to reduce the risk of unauthorized access if a key becomes exposed. Enabling the Key Rotation Reminder helps ensure that administrators are notified to rotate these keys on a regular schedule, reducing the chance of long-term credential misuse.


Rationale:

Enabling key rotation reminders helps ensure that access keys are rotated regularly, which strengthens security by reducing the risk of long-term key exposure. A consistent rotation schedule supports good security practices and helps meet regulatory requirements. For example, standards like PCI DSS recommend frequent rotation of cryptographic keys. Setting a 90-day reminder helps maintain this routine, but organizations should adjust the interval based on their own security policies and data sensitivity.


Impact:

Enabling the key rotation reminder has no effect on running applications. However, when you actually rotate the access keys, any app using the old key will stop working until it is updated. This may cause service interruptions if the rotation is not coordinated properly.


Default Value:

By default, key rotation reminders are not enabled for Storage Accounts.


Pre-requisites:

  • You must have Owner, Contributor, or Storage Account Contributor permissions on the Storage Account.

  • The Storage Account must already exist.

  • You must have access to the Access keys settings in the Storage Account.


Test Plan:

  1. Sign in to the Azure portal at https://portal.azure.com

  2. In the portal, search for Storage Accounts and open the required storage account.

  3. Under Security + Networking, select Access keys, then select Set rotation reminder.

  4. Check whether “Enable key rotation reminder” is enabled.

  5. If it is not enabled, follow the Implementation Steps.
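
The same check can be run across many accounts from the JSON that `az storage account list -o json` produces. The script below is an added example, not part of the original procedure; it assumes the reminder interval appears as `keyPolicy.keyExpirationPeriodInDays` and key ages as `keyCreationTime` in that output, and the account names and dates are constructed sample data.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `az storage account list -o json` output,
# trimmed to the fields this check reads. Account names are made up.
SAMPLE = json.loads("""
[
  {"name": "stexampleok",
   "keyPolicy": {"keyExpirationPeriodInDays": 90},
   "keyCreationTime": {"key1": "2024-05-01T00:00:00+00:00",
                       "key2": "2024-05-01T00:00:00+00:00"}},
  {"name": "stexamplestale",
   "keyPolicy": {"keyExpirationPeriodInDays": 60},
   "keyCreationTime": {"key1": "2024-01-10T00:00:00+00:00",
                       "key2": "2024-05-20T00:00:00+00:00"}},
  {"name": "stexamplenone",
   "keyPolicy": null,
   "keyCreationTime": {"key1": "2023-02-01T00:00:00+00:00", "key2": null}}
]
""")

def audit(accounts, now):
    """Return (account, finding) pairs for accounts that fail the check."""
    findings = []
    for acct in accounts:
        # Assumption: no keyPolicy / no period means the reminder is off.
        period = (acct.get("keyPolicy") or {}).get("keyExpirationPeriodInDays")
        if not period:
            findings.append((acct["name"], "rotation reminder not enabled"))
            continue
        for key, created in (acct.get("keyCreationTime") or {}).items():
            if created is None:  # creation time not recorded for this key
                continue
            made = datetime.fromisoformat(created.replace("Z", "+00:00"))
            age = (now - made).days
            if age > period:     # reminder is set, but the key is overdue
                findings.append(
                    (acct["name"], f"{key} is {age} days old, interval is {period}"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, datetime.now(timezone.utc)):
        print(f"{name}: {finding}")
```

To audit a real subscription, replace `SAMPLE` with the parsed output of `az storage account list -o json`.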

Implementation Steps:

  1. Sign in to the Azure portal at https://portal.azure.com

  2. In the portal, search for Storage Accounts and open the required storage account.

  3. Under Security + Networking, select Access keys, then select Set rotation reminder.

  4. Toggle “Enable key rotation reminder” on and select the reminder interval (30, 60, or 90 days).

  5. Click Save to apply the changes.

Backout Plan:

  1. Sign in to the Azure portal at https://portal.azure.com 

  2. In the portal, search for Storage Accounts and open the required storage account.

  3. Under Security + Networking, select Access keys.

  4. Click Edit rotation reminder and uncheck “Enable key rotation reminder.”
