Profile Applicability:
Level 1
Description:
Shared Access Signatures (SAS) provide delegated access to Azure Storage resources with fine-grained permissions and expiration times. Setting a short expiration time for SAS tokens, such as within one hour, limits the window during which the token can be used, thereby reducing the risk of unauthorized access if the token is compromised.
Rationale:
Long-lived SAS tokens increase the attack surface by allowing an attacker more time to use a stolen or leaked token. Enforcing a maximum lifetime of one hour minimizes potential exposure and aligns with the principle of least privilege by granting time-limited access.
Impact:
Pros:
Reduces risk of token misuse due to shorter validity period.
Limits the impact of accidental or malicious token disclosure.
Cons:
May require applications or users to frequently request new SAS tokens, increasing operational overhead.
Could impact workflows that depend on longer token lifetimes if not adjusted properly.
Default Value:
By default, SAS tokens can be configured with various expiration times, often set longer than one hour unless specifically limited.
Pre-requisites:
Permissions to manage SAS token policies or generate SAS tokens for storage accounts.
Understanding of SAS token usage within the environment.
Remediation
Test Plan:
Using Azure Portal:
Navigate to https://portal.azure.com.
Open Storage accounts and select the relevant storage account.
Go to the resource type (e.g., Blob Containers, File Shares, Queues, or Tables).
Click the three dots next to an item and select Access policy to view stored access policies (SAPs).
Check the Expiry time of each stored access policy. Ad-hoc SAS tokens are not stored by the service, so their expiry (the se parameter in the token) can only be checked where the tokens are generated or logged.
Identify stored access policies or SAS tokens whose expiry is more than one hour after their start (or creation) time.
Using Azure CLI:
1. List stored access policies for a container (use az storage share policy list, az storage queue policy list, or az storage table policy list for the other resource types):
az storage container policy list --account-name <storage-account-name> --container-name <container-name> --output table
2. Review the expiry field to identify policies with expiration times longer than one hour.
Implementation Plan
Using Azure Portal:
Modify stored access policies to set expiry times to no more than one hour from creation or last update.
Save changes to update the policies. Shortening or deleting a stored access policy invalidates every SAS token issued against it; ad-hoc SAS tokens signed with an account key can only be revoked by regenerating that key.
For ad-hoc SAS tokens, generate new tokens with expiry times set to one hour or less.
Communicate changes to users/applications to ensure token refresh is handled appropriately.
Using Azure CLI:
1. Create stored access policies with expiry times set to one hour from the current time (use az storage container policy update with the same options for a policy that already exists):
az storage container policy create --account-name <storage-account-name> --container-name <container-name> --name <policy-name> --permissions <permissions> --expiry <expiry-time-in-UTC>
2. Example for an expiry time one hour from now (GNU date; assign the variable on its own line before using it, since a same-line assignment is not visible to the expansion of $expiry in that command):
expiry=$(date -u -d "1 hour" '+%Y-%m-%dT%H:%MZ')
az storage container policy create --account-name <storage-account-name> --container-name <container-name> --name <policy-name> --permissions rw --expiry "$expiry"
3. Generate ad-hoc SAS tokens with an expiry time within one hour (for example, az storage container generate-sas with the same --expiry value).
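The following script is an added example and is not part of the benchmark text. It covers both the audit step (does a policy's window between start and expiry stay within one hour?) and the remediation step (create a policy that expires one hour from now, with the variable assignment and the az command on separate lines). It assumes GNU date (Linux) and, for the create step only, a logged-in Azure CLI; the account, container and policy names passed in are placeholders, and the timestamp formats are the YYYY-MM-DDTHH:MMZ form that --expiry accepts and the +00:00 form printed by az ... policy list.

```shell
#!/bin/sh
# Added example: helpers for enforcing a one-hour lifetime on stored access policies.
# Assumes GNU date; create_one_hour_policy additionally assumes a logged-in az CLI.

MAX_SAS_LIFETIME_SECONDS=3600

# Convert an ISO-8601 UTC timestamp ("2024-05-01T10:00Z", or the
# "2024-05-01T10:00:00+00:00" form that `az ... policy list` prints) to epoch seconds.
iso_to_epoch() {
    date -u -d "$(printf '%s' "$1" | sed 's/T/ /; s/Z$/ UTC/')" +%s
}

# Print a UTC timestamp N seconds from now in the YYYY-MM-DDTHH:MMZ form --expiry accepts.
expiry_in() {
    date -u -d "@$(( $(date +%s) + $1 ))" '+%Y-%m-%dT%H:%MZ'
}

# Audit check: return 0 when expiry - start is within the limit, 1 when it exceeds it.
# Feed it the start and expiry fields of each policy returned by `az ... policy list`.
policy_lifetime_ok() {
    start_epoch=$(iso_to_epoch "$1")
    expiry_epoch=$(iso_to_epoch "$2")
    [ $(( expiry_epoch - start_epoch )) -le "$MAX_SAS_LIFETIME_SECONDS" ]
}

# Remediation: create a stored access policy that starts now and expires in one hour.
# Keep the assignment and the az call on separate lines; "expiry=... az ... $expiry"
# on one line expands $expiry before the temporary assignment is applied.
create_one_hour_policy() {
    account=$1; container=$2; name=$3
    perms=${4:-r}   # grant only the permissions the consumer needs
    start=$(date -u '+%Y-%m-%dT%H:%MZ')
    expiry=$(expiry_in "$MAX_SAS_LIFETIME_SECONDS")
    az storage container policy create \
        --account-name "$account" --container-name "$container" \
        --name "$name" --permissions "$perms" \
        --start "$start" --expiry "$expiry"
}

# Usage (placeholders, run only when az is available):
#   create_one_hour_policy mystorageacct mycontainer hourly-read r
#   policy_lifetime_ok 2024-05-01T10:00:00+00:00 2024-05-02T10:00:00+00:00 || echo "too long"
```

The audit function compares expiry against the policy's start rather than against the current time, because a policy created last week with a one-hour window is compliant even though it has long since expired; a policy with no start field should be compared against its creation time instead.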
Backout Plan
Using Azure Portal:
Revert stored access policies to previous expiry times if needed.
Regenerate SAS tokens with prior expiration times if rollback is necessary.
Using Azure CLI:
Delete or update stored access policies to restore previous expiration settings.
Regenerate SAS tokens accordingly.
References: