Profile Applicability:
 Level 1

Description:
 Shared access signatures (SAS) can be used to grant limited access to Azure Storage resources. When generating a SAS, it is possible to specify the allowed protocols for requests made with the SAS. It is recommended to allow requests over HTTPS only.

Rationale:
 If a SAS is passed over HTTP and intercepted, an attacker performing a man-in-the-middle attack can read the SAS token and misuse it as if they were the legitimate user. This can compromise sensitive data or allow unauthorized data corruption.

Impact:
 Pros:

  • Enhances security by limiting SAS token usage to encrypted HTTPS requests.

  • Reduces risk of token interception and unauthorized access.

 Cons:

  • May require clients or applications that use SAS tokens to support HTTPS if they currently use HTTP.

Default Value:
 When generating a SAS token, the default allowed protocols setting is HTTPS only.

Pre-requisites:
 None beyond access to the Azure Portal or Azure CLI to manage storage account SAS tokens and access policies.

Remediation

Test Plan

Using Azure Portal:

If SAS tokens allowing HTTP were created with a Stored Access Policy (SAP):

  1. Go to Storage accounts.

  2. Select the desired Storage account.

  3. Under Data storage, click Containers.

  4. Click the three dots next to the container.

  5. Click Access policy.

  6. Click the three dots next to the access policy to be revoked.

  7. Click Delete.

  8. Click Save.

  9. Repeat steps 4–8 as needed to revoke all SAS created with SAP.

If SAS tokens allowing HTTP were created without a SAP:

  1. Go to Storage accounts.

  2. Select the desired Storage account.

  3. Under Security + networking, click Access keys.

  4. Next to each key, click Rotate key.

  5. Confirm by clicking Yes.

  6. Repeat as needed to revoke all SAS tokens.

Note: Rotating access keys can disrupt any applications or Azure services relying on those keys.

Implementation Plan

Using Azure Portal:

  1. When generating SAS tokens, always select Allowed protocols as HTTPS only.

  2. Review existing SAS tokens and revoke any that allow HTTP using the remediation steps above.

Using Azure CLI:

  1. Use the appropriate Azure CLI commands to generate SAS tokens with HTTPS-only restriction.

  2. Rotate access keys via CLI to revoke HTTP-allowed SAS tokens if needed.
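The CLI steps above do not name the commands. As an added example (not part of this benchmark), the script below wraps the `az` calls for HTTPS-only SAS generation and key rotation, and audits existing SAS tokens by their `spr` (signed protocol) parameter; account, container and resource-group names are placeholders and the sample tokens are constructed. Note that a token with no `spr` parameter is reported as non-compliant, because the service then accepts both protocols.

```shell
#!/bin/sh
# Added example, not part of the benchmark text. Audits SAS tokens for the
# signed-protocol (spr) parameter and wraps the az CLI calls the plan refers to.
# Account, container and resource-group names are placeholders.

# Returns 0 when the SAS restricts requests to HTTPS, 1 otherwise. Accepts a bare
# query string or a full SAS URL. A token without spr is reported as
# non-compliant: when spr is omitted the service accepts both https and http.
sas_https_only() {
  token="${1#*\?}"                         # drop scheme/host/path up to '?'
  spr=$(printf '%s\n' "$token" | tr '&' '\n' | sed -n 's/^spr=//p' \
        | sed 's/%2[Cc]/,/g' | head -n 1)  # decode a percent-encoded comma
  [ "$spr" = "https" ]
}

# Container SAS (read+list, 1 hour) that permits HTTPS only. Needs an
# authenticated az session and GNU date, so it is defined but not called here.
generate_https_only_sas() {
  az storage container generate-sas \
    --account-name "$1" --name "$2" --permissions rl \
    --expiry "$(date -u -d '+1 hour' +%Y-%m-%dT%H:%MZ)" \
    --https-only --auth-mode login --as-user -o tsv
}

# Rotates one access key (primary or secondary), which invalidates every SAS
# signed with it. Defined but not called here.
rotate_key() {
  az storage account keys renew \
    --resource-group "$1" --account-name "$2" --key "$3" -o table
}

audit() {
  if sas_https_only "$1"; then echo "OK   https only  : $1"
  else echo "FAIL permits http: $1"; fi
}

# Constructed sample tokens; signatures are dummies.
audit "sv=2022-11-02&ss=b&srt=sco&sp=rl&se=2030-01-01T00:00Z&spr=https&sig=DUMMY"
audit "https://examplestor.blob.core.windows.net/data?sp=rl&se=2030-01-01T00:00Z&spr=https,http&sig=DUMMY"
audit "sv=2022-11-02&sp=rl&se=2030-01-01T00:00Z&sig=DUMMY"
```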

Backout Plan

Using Azure Portal:

  1. If HTTPS only causes application issues, you can temporarily recreate SAS tokens allowing HTTP, understanding the security risk.

  2. Restore access keys if rotated during remediation, recognizing this may impact dependent services.

Using Azure CLI:

  1. Regenerate SAS tokens without the HTTPS-only flag if needed.

  2. Restore or re-rotate access keys as required.

References:

  1. https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview

  2. https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage