Profile Applicability:
 Level 1

Description:
Shared access signature (SAS) tokens provide restricted access to Azure Storage resources (such as blobs, files, queues, or tables) for a defined time period with specific permissions. This enables users to interact with resources without exposing account keys, offering precise control over permitted actions (e.g., read, write) and the duration of access. To minimize security risks, SAS tokens should be configured with the shortest possible lifespan, ideally not exceeding one hour.

Rationale:
 A short lifespan for SAS tokens minimizes the risk of unauthorized access. Since SAS tokens grant time-limited access to resources, longer durations increase the window for potential misuse if the token is compromised. Setting a shorter lifespan reduces the potential for security breaches.

Impact:
 SAS tokens can pose security risks if not managed carefully. Enforcing a one-hour limit means clients that relied on long-lived tokens must request new tokens more often, and rotating account keys to revoke existing tokens invalidates every SAS signed with those keys.

Default Value:
 By default, SAS token expiration is set to 8 hours.

Remediation

Test Plan

Using Azure Portal:

If SAS tokens without a short lifespan were created with a Stored Access Policy (SAP):

  1. Go to Storage accounts.

  2. Select the relevant Storage account.

  3. Under Data storage, click Containers.

  4. Click the three dots next to a listed item.

  5. Click Access policy.

  6. Click the three dots next to the access policy.

  7. Click Delete.

  8. Click Save.

  9. Repeat as needed to revoke all SAS tokens created with SAP.

If SAS tokens without a short lifespan were created without a SAP:

  1. Go to Storage accounts.

  2. Select the relevant Storage account.

  3. Under Security + networking, click Access keys.

  4. Next to each key, click Rotate key.

  5. Confirm by clicking Yes.

  6. Repeat as needed to revoke SAS tokens.

Note: Rotating access keys may impact any applications or Azure services that depend on those keys.

Implementation Plan

Using Azure Portal:

  1. When generating SAS tokens, specify an expiration time within one hour.

  2. Review and revoke existing SAS tokens with longer lifespans using the remediation steps.

Using Azure CLI:

  1. Generate SAS tokens with the --expiry parameter set to a UTC time no more than one hour ahead.

  2. Rotate storage account keys as needed to revoke longer-lived SAS tokens.
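The following audit script is an added example and is not part of the benchmark text or of any Microsoft tooling. It parses the query-string form of a SAS token to measure the lifespan between the st (start) and se (expiry) parameters against the one-hour limit, separates tokens that reference a stored access policy via si (whose expiry lives in the policy and is revoked by deleting it, as in the first remediation path) from ad hoc tokens (revoked only by key rotation, as in the second), and formats the value to pass to --expiry. The sample tokens, the policy name nightly-export and the sig values are constructed.

```python
# Added example: audit Azure Storage SAS tokens for lifetimes over one hour.
# `st` = start, `se` = expiry, `si` = stored access policy (SAP) name. Ad hoc
# tokens are measured from st (or from use, if st is absent) to se; SAP-backed
# tokens keep their expiry in the policy, so they are reported for review.
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

MAX_LIFETIME = timedelta(hours=1)

def parse_sas_time(value: str) -> datetime:
    """Parse the UTC ISO 8601 forms SAS tokens use (second, minute or date)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")

def audit_sas(token: str, now: datetime) -> dict:
    """Classify one token as 'ok', 'too_long', 'stored_policy' or 'invalid'."""
    params = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    if "si" in params:
        # Expiry lives in the container's access policy; revoke by deleting it.
        return {"status": "stored_policy", "policy": params["si"]}
    if "se" not in params:
        return {"status": "invalid", "reason": "ad hoc SAS without se"}
    start = parse_sas_time(params["st"]) if "st" in params else now
    lifetime = parse_sas_time(params["se"]) - start
    status = "ok" if lifetime <= MAX_LIFETIME else "too_long"
    return {"status": status, "lifetime_seconds": int(lifetime.total_seconds())}

def cli_expiry(now: datetime) -> str:
    """Value for `az storage blob generate-sas --expiry`: one hour ahead, UTC."""
    return (now + MAX_LIFETIME).strftime("%Y-%m-%dT%H:%MZ")

# Constructed sample tokens; the sig values are dummies, not real signatures.
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
SAMPLES = {
    "short": "sv=2022-11-02&st=2024-05-01T10:00:00Z&se=2024-05-01T10:30:00Z&sr=b&sp=r&sig=AAAA",
    "long": "sv=2022-11-02&st=2024-05-01T10:00:00Z&se=2024-05-02T10:00:00Z&sr=b&sp=r&sig=BBBB",
    "nostart": "sv=2022-11-02&se=2024-05-01T18:00Z&sr=c&sp=rl&sig=CCCC",
    "policy": "sv=2022-11-02&si=nightly-export&sr=c&sig=DDDD",
}

def audit_all(samples=SAMPLES, now=NOW) -> dict:
    """Run audit_sas over a name -> token mapping and return the findings."""
    return {name: audit_sas(tok, now) for name, tok in samples.items()}
```

Tokens reported as too_long and lacking an si parameter can only be revoked by rotating the signing key, which is why the audit separates the two cases.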

Backout Plan

Using Azure Portal:

  1. If necessary, SAS tokens can be regenerated with longer expiration times, understanding the associated risks.

  2. Restore access keys if rotated during remediation.

Using Azure CLI:

  1. Regenerate SAS tokens with longer expiration if required.

  2. Restore or re-rotate keys accordingly.

References:

  1. https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview

  2. https://docs.microsoft.com/en-us/rest/api/storageservices/delegating-access-with-a-shared-access-signature