Description

The 'Allow Storage Account Key Access' setting determines whether users can access the storage account using the storage account keys. Disabling this setting ensures that users cannot access the storage account via the keys, which can enhance security by enforcing the use of more secure authentication methods such as Azure Active Directory (AAD) authentication or managed identities.

Rationale:

Disabling 'Allow Storage Account Key Access' forces the use of more secure methods, such as Azure Active Directory (AAD) authentication and managed identities, for accessing the storage account. Storage account keys are often considered a weak security mechanism since they provide full access to the storage account and can be easily compromised if not managed securely. Enforcing AAD-based authentication helps mitigate the risks of key leakage and strengthens access control.

Impact:

Disabling this setting may break applications or services that rely on storage account keys for authentication. Therefore, it is important to ensure that all services accessing the storage account are configured to use Azure AD authentication or managed identities. This setting helps meet compliance and security standards such as SOC 2, HIPAA, and GDPR.

Default Value

By default, 'Allow Storage Account Key Access' is enabled. This must be explicitly disabled to ensure the use of more secure authentication methods.

Pre-requisites:

  • Azure account: Ensure you have the appropriate permissions to modify the storage account settings.

  • Azure Storage Account: Ensure the storage account exists.

  • Permissions: You need appropriate permissions, such as Owner or Contributor role, to modify the storage account settings.

  • Azure AD Authentication: Ensure that Azure AD authentication or managed identities are configured for accessing the storage account.

Remediation:

Audit:

To check if 'Allow Storage Account Key Access' is disabled for your Azure Storage Accounts:

  1. Sign in to the Azure portal using an account with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Check the 'Allow Storage Account Key Access' setting:

    • In the left-hand menu, under Settings, click on Configuration.

    • Verify that 'Allow storage account key access' is set to Disabled.
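The portal check above covers one account at a time. The following script is an added example (not part of the original control text) that audits every storage account in one pass: it assumes the input is the JSON emitted by `az storage account list -o json`, whose objects carry `name`, `resourceGroup` and `allowSharedKeyAccess`, and it treats a missing or null `allowSharedKeyAccess` as non-compliant, because an account on which the property was never set still runs with the default (key access enabled).

```python
"""Audit Azure storage accounts for 'Allow storage account key access'.

Example script, not from the original page. Assumed input shape: the JSON
produced by `az storage account list -o json` (camelCase keys). An account
is compliant only when `allowSharedKeyAccess` is explicitly false; null or
absent means the default applies, i.e. key access is still ENABLED.
"""
import json
import sys


def key_access_allowed(account: dict) -> bool:
    """True if shared-key access is effectively allowed (unset == allowed)."""
    return account.get("allowSharedKeyAccess") is not False


def audit(accounts: list) -> list:
    """Return (name, resourceGroup, state) for every non-compliant account."""
    findings = []
    for acct in accounts:
        if key_access_allowed(acct):
            raw = acct.get("allowSharedKeyAccess")
            state = "default (enabled)" if raw is None else "enabled"
            findings.append((acct["name"], acct.get("resourceGroup", ""), state))
    return findings


# Constructed sample in the shape of `az storage account list` output.
SAMPLE = json.loads("""[
  {"name": "stlogs001",  "resourceGroup": "rg-prod",   "allowSharedKeyAccess": false},
  {"name": "stdata002",  "resourceGroup": "rg-prod",   "allowSharedKeyAccess": true},
  {"name": "stlegacy03", "resourceGroup": "rg-legacy"}
]""")


if __name__ == "__main__":
    # Usage: az storage account list -o json > accounts.json
    #        python audit_key_access.py accounts.json
    # With no argument the constructed sample is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    for name, rg, state in audit(data):
        print(f"NON-COMPLIANT {rg}/{name}: key access {state}")
    if not audit(data):
        print("All storage accounts have key access disabled.")
```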

Implementation:

To automatically enforce 'Allow Storage Account Key Access' as Disabled across all Azure Storage Accounts, you can use Azure Policy.

  1. Create a custom Azure Policy to ensure storage account key access is disabled:

    • Go to the Azure portal.

    • Navigate to Policy and click on Definitions.

    • Create a new Custom Policy with the following content. The rule uses the Microsoft.Storage/storageAccounts/allowSharedKeyAccess alias (the property behind the portal setting) and matches anything other than an explicit false, because an account on which the property has never been set still allows key access:

{
  "properties": {
    "displayName": "Ensure 'Allow Storage Account Key Access' is Disabled for Storage Accounts",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy denies storage accounts unless 'Allow Storage Account Key Access' (allowSharedKeyAccess) is explicitly set to false.",
    "parameters": {},
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/allowSharedKeyAccess",
            "notEquals": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

  2. Assign the policy:

    • After creating the custom policy, assign it to the relevant subscriptions or resource groups to ensure 'Allow Storage Account Key Access' is disabled across all storage accounts.

Backout Plan:

To enable 'Allow Storage Account Key Access' again:

  1. Sign in to the Azure portal with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Go to Configuration settings:

    • In the left-hand menu, under Settings, click on Configuration.

  4. Enable the 'Allow Storage Account Key Access' setting:

    • Set 'Allow Storage Account Key Access' to Enabled and save the changes.

If the setting was enforced via Azure Policy, modify or remove the policy to allow storage account key access.

References: