Profile Applicability:
 Level 1

Description:
 Shared access signature (SAS) tokens grant delegated, time-limited access to Azure Queue Storage resources without exposing the storage account key. Setting a short expiry, ideally no more than one hour after the token's start time, limits the window during which an intercepted or leaked token can be used.

Rationale:
 Short-lived SAS tokens reduce the opportunity for misuse if a token is intercepted, logged, or committed to source control. A SAS that is not bound to a stored access policy cannot be revoked before it expires except by regenerating the storage account key that signed it, which also breaks every other client of that key; keeping the lifetime to one hour therefore makes expiry, rather than emergency key rotation, the primary control.

Impact:
 Pros:

  • Limits exposure time of SAS tokens, reducing risk from compromised tokens.

  • Enhances security posture by enforcing strict access time boundaries.

 Cons:

  • May require frequent regeneration of SAS tokens, impacting operational overhead if not automated.

  • Application changes may be needed to handle short-lived tokens properly.

Default Value:
 By default, SAS tokens created for Queue Storage expire after 24 hours (Storage Explorer) or 8 hours (Azure Portal). The service itself enforces no maximum lifetime by default, so a token or stored access policy can be given an expiry months or years away.

Pre-requisites:

  • Permissions to manage SAS tokens and stored access policies for Queue Storage.

  • Understanding of SAS token generation and lifecycle.

Remediation:

Test Plan:
 Using Azure Portal:

  • Navigate to Storage accounts.

  • Select the relevant storage account.

  • Under Data storage, click Queues.

  • Select a queue, then under Settings, click Access policy.

  • For each stored access policy, verify that the expiry is no more than one hour after the start time (or after the current time when no start is set). Tokens issued without a stored access policy are not listed anywhere in the portal; their lifetime can only be checked from the token itself, where the se parameter carries the expiry and st the optional start.

Implementation Plan:

Using Azure Portal:

  • Create or update stored access policies for queues with expiration set within one hour.

  • Generate SAS tokens linked to these stored access policies.

  • Rotate storage account keys only to revoke SAS tokens that were issued without a stored access policy; tokens bound to a policy are revoked by deleting the policy or moving its expiry into the past, without touching the account keys.

Using Azure CLI:

1. Create a stored access policy whose expiry is no more than one hour after its start (times are UTC in the form YYYY-MM-DDThh:mm:ssZ; queue permissions are any combination of r, a, u, p). The data-plane commands below sign with the account key, supplied via --account-key or the AZURE_STORAGE_KEY environment variable:

az storage queue policy create --account-name <storage-account-name> --queue-name <queue-name> --name <policy-name> --permissions <permissions> --start <start-time> --expiry <expiry-time>

2. Generate a SAS token linked to the policy. The token takes its start, expiry and permissions from the policy, so omit --expiry here (this command takes the queue name as --name):

az storage queue generate-sas --account-name <storage-account-name> --name <queue-name> --policy-name <policy-name> --output tsv

3. Revoke tokens. A SAS bound to a stored access policy is invalidated by deleting the policy or moving its expiry into the past (the policy command above with delete or update in place of create). Only tokens issued without a policy require key regeneration, which also invalidates every other SAS and every client that holds that key. Because a SAS does not record which key signed it, repeat the command with --key secondary to be sure every ad hoc token is revoked:

az storage account keys renew --account-name <storage-account-name> --resource-group <resource-group> --key primary
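The following Python script is added here as a worked example; it is not part of this benchmark text or of any Azure tooling, and it makes no Azure calls. It implements the Test Plan check in code and produces the --start/--expiry values that step 1 expects: it reads the JSON printed by az storage queue policy list together with a list of raw SAS tokens, works out the effective lifetime of each (a token carrying si= inherits the stored access policy's dates, and a token whose policy no longer exists is reported as already revoked), and flags anything longer than one hour, unbounded, or expired. The policy names, timestamps and tokens are constructed sample data and the signatures are placeholders.

```python
"""Audit Azure Queue Storage SAS lifetimes against a one-hour ceiling.

Added example: inputs are the JSON from `az storage queue policy list`
(stored access policies keyed by name, each with start/expiry/permission)
and raw SAS query strings whose st/se/si parameters carry start, expiry
and the policy identifier. All sample data below is constructed.
"""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

MAX_LIFETIME = timedelta(hours=1)
AZ_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # form az accepts for --start/--expiry

# Constructed sample, shaped like `az storage queue policy list -o json`.
SAMPLE_POLICIES_JSON = """{
  "one-hour-reader": {"start": "2024-05-01T10:00:00+00:00", "expiry": "2024-05-01T11:00:00+00:00", "permission": "rp"},
  "long-lived":      {"start": "2024-05-01T10:00:00+00:00", "expiry": "2024-06-01T10:00:00+00:00", "permission": "raup"},
  "no-expiry":       {"start": null, "expiry": null, "permission": "r"}
}"""

# Constructed SAS tokens; the sig values are placeholders, the other fields matter.
SAMPLE_TOKENS = [
    "sv=2022-11-02&si=one-hour-reader&sig=REDACTED",                                    # bound to a one-hour policy
    "sv=2022-11-02&si=long-lived&sig=REDACTED",                                         # bound to a month-long policy
    "?sv=2022-11-02&st=2024-05-01T10:00:00Z&se=2024-05-01T10:30:00Z&sp=rp&sig=REDACTED",  # ad hoc, 30 minutes
    "sv=2022-11-02&se=2025-05-01T10:00:00Z&sp=rp&sig=REDACTED",                         # ad hoc, no start, one year
    "sv=2022-11-02&si=deleted-policy&sig=REDACTED",                                     # policy no longer exists
]
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def parse_utc(value):
    """Parse the timestamps az and SAS tokens use (…Z, …+00:00 or date-only) into aware UTC."""
    if value is None:
        return None
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:          # date-only values mean UTC midnight
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def verdict(start, expiry, now):
    """Compare the effective lifetime with MAX_LIFETIME. With no start the
    token or policy is usable from now, so the window is measured from now."""
    if expiry is None:
        return "unbounded: no expiry set"
    if expiry <= now:
        return "expired"
    life = expiry - (start if start is not None else now)
    return "ok" if life <= MAX_LIFETIME else f"too long: {life}"


def audit_policies(policies_json, now=None):
    """Map each stored access policy name to its verdict."""
    now = now or datetime.now(timezone.utc)
    policies = json.loads(policies_json)
    return {name: verdict(parse_utc(p.get("start")), parse_utc(p.get("expiry")), now)
            for name, p in policies.items()}


def audit_tokens(tokens, policies_json, now=None):
    """Verdict per SAS token. A token carrying si= takes start/expiry from the
    stored access policy where the policy defines them; if the policy is gone
    the token is already unusable, which is the revocation path relied on above."""
    now = now or datetime.now(timezone.utc)
    policies = json.loads(policies_json)
    results = []
    for token in tokens:
        fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
        start, expiry = parse_utc(fields.get("st")), parse_utc(fields.get("se"))
        policy_name = fields.get("si")
        if policy_name is not None:
            policy = policies.get(policy_name)
            if policy is None:
                results.append(f"revoked: stored access policy '{policy_name}' not found")
                continue
            start = parse_utc(policy.get("start")) or start
            expiry = parse_utc(policy.get("expiry")) or expiry
        results.append(verdict(start, expiry, now))
    return results


def one_hour_policy_window(start=None):
    """--start/--expiry values for `az storage queue policy create` covering one hour."""
    start = (start or datetime.now(timezone.utc)).replace(microsecond=0)
    return start.strftime(AZ_TIME_FORMAT), (start + MAX_LIFETIME).strftime(AZ_TIME_FORMAT)


if __name__ == "__main__":
    for name, result in audit_policies(SAMPLE_POLICIES_JSON, NOW).items():
        print(f"policy {name:<16} {result}")
    for token, result in zip(SAMPLE_TOKENS, audit_tokens(SAMPLE_TOKENS, SAMPLE_POLICIES_JSON, NOW)):
        print(f"token  {token[:40]:<40} {result}")
    print("one-hour policy window:", one_hour_policy_window(NOW))
```

To run it against a real account, replace SAMPLE_POLICIES_JSON with the output of az storage queue policy list for each queue and SAMPLE_TOKENS with the tokens found in application configuration; a token that is "ok" but not bound to a policy still cannot be revoked early, which is why the remediation steps prefer policy-bound tokens.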


Backout Plan:

Using Azure Portal or CLI:

  • Regenerate SAS tokens with longer expiration if needed.

  • Delete or modify stored access policies as required.

  • Regenerated storage account keys cannot be restored to their previous value; if a rotation breaks clients, update them with the new key instead.

References: