Profile Applicability:
 Level 1

Description:
 Use stored access policies (SAP) when generating shared access signature (SAS) tokens in Azure to centrally manage permissions, expiration, and revocation settings for resource access. Stored access policies can be applied to blob containers, file shares, queues, and tables.

Rationale:
 Stored access policies provide centralized control over SAS token access, allowing administrators to update permissions or revoke access. This approach strengthens security by reducing the risk of unauthorized access to storage resources.

Impact:
 Pros:

  • Centralized management of permissions and expiration for SAS tokens.

  • Enables easy revocation and modification of access rights.

  • Improves overall security posture and operational manageability.

 Cons:

  • Requires administrative overhead to create and manage policies.

  • Applications may need updates to support policy-based SAS token generation.

Default Value:
 By default, stored access policies are not associated with SAS tokens. To use one, a stored access policy must be created explicitly and referenced when the SAS token is generated.

Pre-requisites:

  • Permissions to create and manage stored access policies on Azure Storage resources.

  • Understanding of SAS tokens and SAP lifecycle.

Remediation:

Test Plan:
 Using Azure Portal:

  • Navigate to Storage accounts and select the relevant account.

  • Under Data storage, select Containers, File Shares, Queues, or Tables.

  • Select an item, then view Access policy to check for existing SAPs.

  • Verify SAS tokens reference stored access policies via the si parameter.
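
 The check in the last step can be automated offline. The following added Python script (not part of this benchmark or of Microsoft's tooling) parses the query string of a SAS URL and reports whether it names a stored access policy via si; for ad-hoc tokens it also flags a long expiry (se) or write-capable permissions (sp). The storage account name, policy name, timestamps and signature values are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample SAS URLs for illustration; the signatures are placeholders, not real credentials.
SAMPLE_SAS_URLS = [
    # Ad-hoc SAS: no 'si', so permissions (sp) and expiry (se) are baked into the token itself
    "https://examplestore.blob.core.windows.net/data?sv=2022-11-02&sr=c&sp=racwdl"
    "&st=2024-01-01T00:00:00Z&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER",
    # Policy-backed SAS: 'si' names the stored access policy that carries permissions and expiry
    "https://examplestore.blob.core.windows.net/data?sv=2022-11-02&sr=c&si=readonly-policy"
    "&spr=https&sig=PLACEHOLDER",
]
AUDIT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so results are repeatable


def parse_sas(url: str) -> dict:
    """Return the SAS query parameters of a URL as a flat dict (first value of each key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def parse_sas_time(value: str) -> datetime:
    """Parse the UTC timestamp forms a SAS accepts: YYYY-MM-DD, ...Thh:mmZ, or ...Thh:mm:ssZ."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def audit_sas(url: str, now: datetime = AUDIT_TIME,
              max_adhoc_lifetime: timedelta = timedelta(hours=1)) -> dict:
    """Report whether a SAS references a stored access policy (si) and flag risky ad-hoc settings."""
    params = parse_sas(url)
    policy = params.get("si")
    if policy:
        # Permissions and expiry live in the policy, so access can be changed or revoked centrally.
        return {"policy": policy, "adhoc": False, "findings": []}
    findings = []
    expiry = params.get("se")
    if expiry is None:
        findings.append("no expiry (se) in token")
    elif parse_sas_time(expiry) - now > max_adhoc_lifetime:
        findings.append(f"expiry {expiry} exceeds {max_adhoc_lifetime} ad-hoc lifetime")
    if set(params.get("sp", "")) & set("wdca"):  # write, delete, create, add
        findings.append(f"write-capable permissions sp={params['sp']}")
    # Ad-hoc tokens can only be revoked by rotating the account key that signed them.
    return {"policy": None, "adhoc": True, "findings": findings}
```

 Run audit_sas over every SAS URL found in application configuration or logs; any result with adhoc set to True is a token this recommendation says should be replaced by a policy-backed one.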

Implementation Plan:
 Using Azure Portal:

  • Create stored access policies with appropriate permissions, start, and expiry times.

  • Generate SAS tokens linked to these stored access policies.

  • Revoke SAS tokens created without SAP by rotating storage account keys.

Using Azure CLI:

  • Create stored access policies:

    az storage container policy create --account-name <storage-account-name> --container-name <container-name> --name <policy-name> --permissions <permissions> --expiry <expiry-time>

  • Generate SAS tokens referencing stored access policies:

    az storage container generate-sas --account-name <storage-account-name> --name <container-name> --policy-name <policy-name> --output tsv

  • Revoke non-policy SAS tokens by rotating keys (rotate the key that signed the tokens; tokens signed with the other account key remain valid until that key is rotated as well):

    az storage account keys renew --account-name <storage-account-name> --key primary

Backout Plan:

Using Azure Portal:

  • Regenerate SAS tokens without linking to SAP if needed.

  • Delete stored access policies if no longer required.

  • Restore rotated keys if necessary.

Using Azure CLI:

  • Delete or modify stored access policies to revert.

  • Regenerate SAS tokens without SAP linkage.

References:

  1. https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview#best-practices-when-using-sas

  2. https://learn.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy