Profile Applicability:
 Level 1

Description:
 Shared access signatures (SAS) provide limited access to Azure Storage resources. When generating a SAS, it is possible to specify the allowed protocols for requests made with the SAS. It is recommended to allow requests over HTTPS only.

Rationale:
 If a SAS token is passed over HTTP and intercepted via a man-in-the-middle attack, an attacker can use the SAS token as if they were the legitimate user. This can lead to unauthorized access, compromising sensitive data or allowing data corruption.

Impact:
 SAS tokens can pose security risks if not managed carefully.

Default Value:
 When generating a SAS token, the default allowed protocols setting is HTTPS only.

Remediation:

Test Plan

Using Azure Portal:

If SAS tokens allowing HTTP were created with a Stored Access Policy (SAP):

  1. Go to Storage accounts.

  2. Select the desired Storage account.

  3. Under Data storage, click Queues.

  4. Click the three dots next to a queue.

  5. Click Access policy.

  6. Click the three dots next to the relevant access policy.

  7. Click Delete.

  8. Click Save.

  9. Repeat as needed to revoke all SAS tokens created with SAP.

If SAS tokens allowing HTTP were created without a SAP:

  1. Go to Storage accounts.

  2. Select the desired Storage account.

  3. Under Security + networking, click Access keys.

  4. Next to each key, click Rotate key.

  5. Confirm by clicking Yes.

  6. Repeat as needed to revoke SAS tokens.

Note: Rotating access keys may affect any applications or services dependent on those keys.

Implementation Plan

Using Azure Portal:

  1. When generating SAS tokens, ensure Allowed protocols is set to HTTPS only.

  2. Review and revoke any existing SAS tokens that allow HTTP using the remediation steps.

Using Azure CLI:

  1. Use Azure CLI to generate SAS tokens with the HTTPS-only restriction.

  2. Rotate access keys via CLI to revoke SAS tokens that allow HTTP if necessary.
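The following Python audit is an added example, not part of this benchmark text or of any Microsoft tooling: it parses the query string of a SAS URL, reports whether the signed-protocol field (spr) restricts the token to HTTPS, and uses the presence of a signed identifier (si) to say which of the two revocation paths above applies. The URLs and sig values are constructed placeholders, and treating an absent spr as "not HTTPS-only" is an audit assumption.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs; the sig values are placeholders, not real signatures.
SAMPLE_URLS = [
    # account SAS restricted to HTTPS only
    "https://contoso.queue.core.windows.net/orders?sv=2022-11-02&ss=q&srt=sco"
    "&sp=rl&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER1",
    # service SAS allowing HTTP, issued against a stored access policy
    "https://contoso.queue.core.windows.net/orders?sv=2022-11-02&si=readpolicy"
    "&spr=https,http&sig=PLACEHOLDER2",
    # service SAS with no spr field at all
    "https://contoso.queue.core.windows.net/orders?sv=2022-11-02&sp=r"
    "&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER3",
]

def parse_sas(url: str) -> dict:
    """Return the SAS query parameters of a storage URL as {name: value}."""
    pairs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in pairs.items()}

def allowed_protocols(params: dict) -> set:
    """Protocols the token permits, from the signed-protocol field (spr).
    Audit assumption: an absent spr means the token itself imposes no
    protocol restriction, so it is reported as permitting both."""
    spr = params.get("spr")
    if spr is None:
        return {"https", "http"}
    return {p.strip().lower() for p in spr.split(",") if p.strip()}

def audit_sas(url: str) -> dict:
    """Report HTTPS-only compliance and which revocation path applies."""
    params = parse_sas(url)
    protocols = allowed_protocols(params)
    https_only = protocols == {"https"}
    # 'si' (signed identifier) is present only when the token was issued
    # against a stored access policy; that decides how it gets revoked.
    policy = params.get("si")
    if https_only:
        action = "compliant: HTTPS only"
    elif policy:
        action = f"delete stored access policy '{policy}' on the resource"
    else:
        action = "rotate the storage account key that signed the token"
    return {"https_only": https_only, "protocols": sorted(protocols),
            "stored_access_policy": policy, "action": action}

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(audit_sas(url))
```

At generation time the Azure CLI equivalent of the portal's Allowed protocols setting is the `--https-only` flag on `az storage account generate-sas` and the per-service `generate-sas` commands; `az storage account keys renew` is the CLI path for the key rotation step above.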

Backout Plan

Using Azure Portal:

  1. If HTTPS-only restrictions cause issues, temporarily recreate SAS tokens allowing HTTP, acknowledging the security risk.

  2. Restore access keys if rotated during remediation.

Using Azure CLI:

  1. Regenerate SAS tokens without HTTPS-only restriction if needed.

  2. Restore or re-rotate access keys as required.

References:

  1. https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview

  2. https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage