Profile Applicability:
Level 1
Description:
Shared access signatures (SAS) provide limited access to Azure Storage resources. When generating a SAS token, it is possible to specify the allowed protocols for requests made with the SAS. It is recommended to restrict access to HTTPS only to ensure secure transmission.
Rationale:
Allowing SAS tokens over HTTP exposes them to interception by man-in-the-middle attacks, where an attacker can capture the token and misuse it to access or modify sensitive data. Enforcing HTTPS only mitigates this risk by encrypting the communication channel.
Impact:
Pros:
Enhances security by ensuring encrypted transmission of SAS tokens.
Reduces risk of token interception and misuse.
Cons:
May require updates to existing clients or services to support HTTPS if they currently use HTTP.
Default Value:
By default, when generating a SAS, the allowed protocols setting is set to HTTPS only.
Pre-requisites:
None specifically required beyond the ability to configure SAS token generation.
Remediation:
Test Plan:
Using Azure Portal:
Open the Azure Portal at https://portal.azure.com.
Navigate to the Azure Storage account.
Review SAS token generation settings to verify that "Allowed protocols" is set to HTTPS only.
Using Azure CLI:
When generating SAS tokens with the Azure CLI, confirm that the --https-only flag is passed; for existing tokens, inspect the token string to verify that HTTPS-only was set where applicable.
Implementation Plan:
Using Azure Portal:
While generating a SAS token, ensure the "Allowed protocols" option is set to HTTPS only.
Save and distribute the SAS token with this restriction.
Using Azure CLI:
Use the Azure CLI SAS generation commands with the --https-only parameter to generate SAS tokens restricted to HTTPS.
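The following script is an added example, not part of this benchmark, that serves both the Test Plan and Implementation Plan steps above. It checks the protocol restriction of an already-issued SAS token offline: every SAS token carries its allowed protocols in the spr (signed protocol) query parameter, where spr=https means HTTPS only and spr=https,http (or an omitted spr, which the service treats as both) means the token is also accepted over plain HTTP. The sample tokens and their signatures are constructed placeholders, not real credentials.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: audit the "spr" (signed
# protocol) field that an Azure Storage SAS token carries in its query string.
# spr=https        -> token valid over HTTPS only (what --https-only produces)
# spr=https,http   -> token also accepted over plain HTTP
# spr absent       -> service default, equivalent to https,http

# Print the normalised protocol set of a SAS token: "https" or "https,http".
# Accepts either a bare query string or a full URL that contains one.
sas_protocols() {
    token="$1"
    query="${token#*\?}"                 # strip scheme/host/path up to '?' if present
    spr=$(printf '%s\n' "$query" | tr '&' '\n' | sed -n 's/^spr=//p' | head -n 1)
    spr=$(printf '%s' "$spr" | sed 's/%2[Cc]/,/g')   # decode a URL-encoded comma
    if [ -z "$spr" ]; then
        spr="https,http"                 # SAS default when spr is omitted
    fi
    printf '%s\n' "$spr"
}

# Exit status 0 when the token is HTTPS-only, 1 otherwise.
sas_https_only() {
    [ "$(sas_protocols "$1")" = "https" ]
}

# Constructed sample tokens; the sig values are placeholders, not real signatures.
HTTPS_ONLY_SAS='sv=2022-11-02&ss=b&srt=sco&sp=rl&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER'
BOTH_SAS='sv=2022-11-02&ss=b&srt=sco&sp=rl&se=2030-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER'
ENCODED_SAS='https://example.blob.core.windows.net/data?sv=2022-11-02&sp=rl&spr=https%2Chttp&sig=PLACEHOLDER'
NO_SPR_SAS='sv=2022-11-02&ss=b&srt=sco&sp=rl&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER'

# Audit a list of tokens, one result line each. Returns 1 if any token allows HTTP.
audit_sas_tokens() {
    rc=0
    for t in "$@"; do
        if sas_https_only "$t"; then
            echo "PASS  https-only   $(printf '%s' "$t" | cut -c1-40)..."
        else
            echo "FAIL  allows HTTP  $(printf '%s' "$t" | cut -c1-40)..."
            rc=1
        fi
    done
    return $rc
}

audit_sas_tokens "$HTTPS_ONLY_SAS" "$BOTH_SAS" "$ENCODED_SAS" "$NO_SPR_SAS" \
    || echo "one or more SAS tokens are not restricted to HTTPS"
```

When a token is generated with the Azure CLI using --https-only (for example with az storage account generate-sas or az storage container generate-sas), the emitted query string contains spr=https and the audit above reports PASS; a token generated without the flag, or one that arrives without an spr field at all, is reported as allowing HTTP.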
Backout Plan:
Using Azure Portal:
If HTTPS only causes issues, you may modify the SAS token settings to allow HTTP temporarily, but this is not recommended.
Using Azure CLI:
Regenerate SAS tokens without the --https-only flag if necessary, understanding the security risks.
References:
https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage