Profile Applicability:
Level 1
Description:
Stored Access Policies (SAP) are named policies defined on a blob container, file share, queue or table that hold the constraints (permissions, start time and expiry) for the service SAS tokens that reference them. A SAS that references a policy carries the policy identifier (si=<policy-name>) instead of embedding those constraints, and the service reads them from the policy on every request. Using SAPs when generating SAS tokens therefore allows centralized management of token constraints: permissions and expiry can be changed, and access revoked, for every token issued under the policy at once, and the policy name gives a stable identifier for auditing. SAPs apply to service SAS only; account SAS and user delegation SAS cannot reference a policy, and each container, share, queue or table holds at most five policies.
Rationale:
Without SAPs, each SAS token embeds its own permissions and expiry inside the signed string, so once issued it cannot be modified, and the only way to invalidate it before it expires is to regenerate the storage account key that signed it, which also invalidates every other SAS token and every application credential signed with that key. With SAPs, all tokens issued under one policy can be revoked or adjusted centrally: deleting the policy, renaming it, or moving its expiry into the past takes effect for every referencing token, with no need to regenerate tokens or rotate keys. This improves security and operational manageability.
Impact:
Pros:
Centralized control and revocation of SAS tokens.
Simplifies management of permissions and expiry times across multiple SAS tokens.
Enhances auditability and compliance.
Cons:
Requires additional setup and governance of stored access policies.
May require changes in applications to support policy-based SAS token generation.
Default Value:
By default, SAS tokens are ad hoc: unless a policy identifier is supplied when the token is generated (in the portal, the CLI or an SDK), the permissions and expiry are embedded in the token itself and no stored access policy is involved.
Pre-requisites:
Permissions to create and manage stored access policies on Azure Storage resources.
Understanding of SAS token and SAP usage and lifecycle.
Remediation
Test Plan:
Using Azure Portal:
Navigate to https://portal.azure.com.
Open Storage accounts and select the relevant storage account.
Go to the resource type (Blob Containers, File Shares, Queues, or Tables).
Click the three dots next to an item and select Access policy to view existing SAPs.
Verify that the SAS tokens in use reference a stored access policy: a policy-based token carries an si=<policy-name> query parameter, whereas an ad-hoc token carries sp= and se= parameters and no si=. In the portal, the Generate SAS pane of a container lets you pick one of the container's stored access policies; tokens generated without selecting one are ad hoc.
Using Azure CLI:
1. List stored access policies for a resource, for example a container (authenticate with --account-key or --connection-string; the equivalent commands for the other resource types are az storage share policy list, az storage queue policy list and az storage table policy list):
az storage container policy list --account-name <storage-account-name> --container-name <container-name> --output table
2. Review each policy's permissions, start and expiry, and confirm that the tokens in use carry si=<policy-name> rather than embedded sp= and se= values. A resource with no policies cannot have any policy-based tokens, so every SAS issued for it is ad hoc.
Implementation Plan
Using Azure Portal:
Create or update stored access policies for your storage containers or other resources, defining the appropriate permissions, start time and expiry. Keep the permissions to the minimum the consumer needs, since every token under the policy inherits them.
Regenerate SAS tokens that reference the stored access policies instead of ad-hoc token parameters, and distribute them to the consumers.
Once all consumers use policy-based tokens, invalidate the previously issued ad-hoc tokens. They cannot be revoked individually; regenerating the storage account key that signed them is the only way to cut them off before they expire, and doing so also invalidates everything else signed with that key.
Using Azure CLI:
1. Create stored access policies with the desired permissions, start and expiry (times in UTC, e.g. 2025-12-31T23:59Z; permissions as letters, e.g. rl for read and list). A newly created or modified policy can take up to 30 seconds to take effect:
az storage container policy create --account-name <storage-account-name> --container-name <container-name> --name <policy-name> --permissions <permissions> --start <start-time> --expiry <expiry-time>
2. Generate SAS tokens referencing the stored access policy. Do not pass --permissions, --start or --expiry for a field the policy already defines; a field may be set in the policy or in the token but not in both, and the resulting token carries si=<policy-name> in place of those fields:
az storage container generate-sas --account-name <storage-account-name> --container-name <container-name> --policy-name <policy-name> --output tsv
3. Revoke tokens. Tokens that reference a policy are revoked by deleting the policy, or by updating its expiry to a time in the past:
az storage container policy delete --account-name <storage-account-name> --container-name <container-name> --name <policy-name>
Ad-hoc service SAS tokens cannot be deleted or revoked individually; they stay valid until they expire or until the account key that signed them is regenerated, which also invalidates every other SAS token and credential signed with that key, so migrate consumers first:
az storage account keys renew --resource-group <resource-group> --account-name <storage-account-name> --key primary
User delegation SAS tokens are not signed with the account key; revoke them with az storage account revoke-delegation-keys.
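The revocation behaviour that the rationale and step 3 describe, as an added example that is not part of this benchmark and not Azure's code. It is a self-contained Python model: the string-to-sign layout and HMAC-SHA256 signing follow the documented blob service SAS format for service version 2020-12-06, but the service side is simulated in-process, the account name, container, policy name and key are constructed, and the optional fields (IP range, snapshot time, encryption scope, response-header overrides) are left empty. It shows that deleting a stored access policy denies every token that references it, while an ad-hoc token keeps working until the signing key is rotated.

```python
# Model of blob service SAS issuance and checking, with and without a stored
# access policy (SAP). Added example: a simulation, not Azure's code.
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SV = "2020-12-06"  # service version whose string-to-sign layout is modelled


def ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


class BlobServiceModel:
    def __init__(self, account, key_b64):
        self.account = account
        self.key = base64.b64decode(key_b64)
        self.policies = {}  # (container, policy_id) -> {"sp", "st", "se"}

    # Signing is identical on the client and in the service. Fields supplied by
    # the SAP are left empty in the token and therefore empty in the string-to-sign.
    def _string_to_sign(self, container, sp, st, se, si):
        canonical = f"/blob/{self.account}/{container}"
        return "\n".join([sp, st, se, canonical, si, "", "https", SV, "c",
                          "", "", "", "", "", "", ""])  # ip, snapshot, scope, rsc* unused

    def _sign(self, string_to_sign):
        mac = hmac.new(self.key, string_to_sign.encode("utf-8"), hashlib.sha256)
        return base64.b64encode(mac.digest()).decode()

    # Management plane: what `az storage container policy create/delete` and a
    # key rotation change on the service side.
    def set_policy(self, container, policy_id, sp, start, expiry):
        self.policies[(container, policy_id)] = {"sp": sp, "st": ts(start), "se": ts(expiry)}

    def delete_policy(self, container, policy_id):
        self.policies.pop((container, policy_id), None)

    def rotate_key(self, new_key_b64):
        self.key = base64.b64decode(new_key_b64)

    # Token issuance: ad hoc (constraints embedded) vs. policy-referencing (si=<policy>).
    def issue_adhoc_sas(self, container, sp, start, expiry):
        p = {"sv": SV, "sr": "c", "spr": "https", "sp": sp, "st": ts(start), "se": ts(expiry)}
        p["sig"] = self._sign(self._string_to_sign(container, sp, p["st"], p["se"], ""))
        return urlencode(p)

    def issue_policy_sas(self, container, policy_id):
        p = {"sv": SV, "sr": "c", "spr": "https", "si": policy_id}
        p["sig"] = self._sign(self._string_to_sign(container, "", "", "", policy_id))
        return urlencode(p)

    # Data plane: the check performed on each request that carries a SAS.
    def authorize(self, container, token, needed, now):
        q = {k: v[0] for k, v in parse_qs(token).items()}
        sp, st, se, si = (q.get(k, "") for k in ("sp", "st", "se", "si"))
        expected = self._sign(self._string_to_sign(container, sp, st, se, si))
        if not hmac.compare_digest(expected, q.get("sig", "")):
            return False, "signature mismatch (wrong or rotated key)"
        eff = {"sp": sp, "st": st, "se": se}
        if si:
            pol = self.policies.get((container, si))
            if pol is None:
                return False, "stored access policy not found (deleted or renamed)"
            for k in eff:
                if eff[k] and pol[k]:  # a field may not be set in both places
                    return False, f"{k} set in both policy and token"
                eff[k] = eff[k] or pol[k]
        if not (eff["st"] <= ts(now) < eff["se"]):
            return False, "outside validity window"
        if needed not in eff["sp"]:
            return False, f"permission {needed!r} not granted"
        return True, "ok"


def demo():
    """Issue both token kinds, then revoke; returns allowed/denied per step."""
    key = base64.b64encode(b"\x01" * 64).decode()  # constructed key, not a real one
    svc = BlobServiceModel("contosostorage", key)
    t0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
    svc.set_policy("reports", "readers-2024", "rl", t0, t0 + timedelta(days=30))
    adhoc = svc.issue_adhoc_sas("reports", "rl", t0, t0 + timedelta(days=30))
    policy = svc.issue_policy_sas("reports", "readers-2024")
    use = t0 + timedelta(days=1)
    out = {
        "adhoc_read": svc.authorize("reports", adhoc, "r", use)[0],
        "policy_read": svc.authorize("reports", policy, "r", use)[0],
        "policy_write": svc.authorize("reports", policy, "w", use)[0],
    }
    # Central revocation: deleting the SAP denies every token that references it.
    svc.delete_policy("reports", "readers-2024")
    out["policy_after_delete"] = svc.authorize("reports", policy, "r", use)[0]
    # The ad-hoc token is unaffected; only rotating the signing key invalidates it.
    out["adhoc_after_delete"] = svc.authorize("reports", adhoc, "r", use)[0]
    svc.rotate_key(base64.b64encode(b"\x02" * 64).decode())
    out["adhoc_after_rotation"] = svc.authorize("reports", adhoc, "r", use)[0]
    return out


if __name__ == "__main__":
    for step, allowed in demo().items():
        print(f"{step}: {'allowed' if allowed else 'denied'}")
```

Running the script prints one line per step: the policy-based token is allowed to read but not write, is denied as soon as the policy is deleted, and the ad-hoc token survives that deletion and is only denied after the key rotation. The signature check runs before the policy lookup because that is the order in which a forged or stale token fails in practice: a policy change never touches the signature, and a key rotation breaks every signature regardless of policy.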
Backout Plan
Using Azure Portal:
Revert to previous SAS token generation methods if needed by regenerating ad-hoc SAS tokens.
Restore deleted stored access policies if necessary.
Using Azure CLI:
Delete or modify stored access policies to revert to the previous SAS token management, but only after the affected consumers hold replacement tokens: deleting or renaming a policy invalidates every token that references it at once.
Regenerate ad-hoc SAS tokens without SAPs as before.
References: