Profile Applicability:
Level 1
Description:
Use stored access policies (SAP) when generating shared access signature (SAS) tokens in Azure to centrally manage permissions, expiration, and revocation settings for resource access. Stored access policies can be applied to blob containers, file shares, queues, and tables.
Rationale:
Stored access policies provide centralized control over SAS token access, allowing administrators to update permissions or revoke access. This approach strengthens security by reducing the risk of unauthorized access to storage resources.
Impact:
Pros:
Centralized management of permissions and expiration for SAS tokens.
Enables easy revocation and modification of access rights.
Improves overall security posture and operational manageability.
Cons:
Administrative overhead to create and manage stored access policies.
May require changes in applications to support policy-based SAS token generation.
Default Value:
By default, SAS tokens are not associated with any stored access policy. To use one, the stored access policy must be created explicitly and referenced when the SAS token is generated.
Prerequisites:
Permissions to create and manage stored access policies on Azure Storage resources.
Understanding of SAS tokens and the stored access policy lifecycle.
Remediation:
Test Plan:
Using Azure Portal:
Navigate to Storage accounts and select the relevant account.
Under Data storage, select Queues.
Click the name of a queue and then Access policy under Settings.
Verify that stored access policies exist and that the SAS tokens in use reference them.
Implementation Plan:
Using Azure Portal:
Create stored access policies for queues, defining the appropriate permissions, start time, and expiry time.
Generate SAS tokens linked to these stored access policies.
Revoke SAS tokens created without a stored access policy by rotating the storage account keys. Rotating a key also invalidates every other SAS token signed with that key, including policy-linked ones, and any client that authenticates with the key itself, so plan the rotation accordingly.
Using Azure CLI:
Create stored access policies:
az storage queue policy create --account-name <storage-account-name> --queue-name <queue-name> --name <policy-name> --permissions <permissions> --expiry <expiry-time>
Generate SAS tokens referencing stored access policies:
az storage queue generate-sas --account-name <storage-account-name> --name <queue-name> --policy-name <policy-name> --output tsv
Revoke non-policy SAS tokens by rotating storage account keys:
az storage account keys renew --account-name <storage-account-name> --key primary
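As an added audit check that is not part of this benchmark text or of the Azure CLI: a POSIX shell script that classifies SAS query strings (such as those produced by the generate-sas command above) by whether they reference a stored access policy through the si= signed-identifier field, which is what makes a token revocable by editing or deleting the policy. The tokens are constructed samples with placeholder signatures, and the script assumes one token per line on stdin.

```shell
# Added audit helper (not part of the benchmark): a service SAS generated
# against a stored access policy carries the policy name in the "si="
# (signed identifier) field; an ad-hoc SAS embeds its own permissions
# ("sp=") and expiry ("se=") and can only be revoked by rotating the key.

# Split a SAS query string into one "key=value" field per line.
sas_fields() {
    tok=${1#\?}                     # tolerate a leading '?'
    printf '%s\n' "$tok" | tr '&' '\n'
}
# Print the stored access policy name the token references, if any.
sas_policy_name() {
    sas_fields "$1" | sed -n 's/^si=//p'
}
# Succeed when the token carries inline permissions or expiry.
sas_has_inline_grant() {
    sas_fields "$1" | grep -q -E '^(sp|se)='
}

# "policy": governed entirely by the stored access policy; "mixed": references
# a policy but also sets sp=/se= itself; "ad-hoc": no policy reference at all.
classify_sas() {
    if [ -z "$(sas_policy_name "$1")" ]; then
        echo ad-hoc
    elif sas_has_inline_grant "$1"; then
        echo mixed
    else
        echo policy
    fi
}

# Audit tokens read one per line from stdin: report every token that is not
# fully policy-governed and return the number of such tokens (0 = clean).
audit_sas_tokens() {
    findings=0
    while IFS= read -r tok; do
        [ -n "$tok" ] || continue
        class=$(classify_sas "$tok")
        [ "$class" = policy ] && continue
        findings=$((findings + 1))
        echo "FINDING: $class SAS -> ${tok%%&sig=*}"   # never print the signature
    done
    return "$findings"
}
# Constructed sample tokens with placeholder signatures (not real secrets).
SAMPLE_TOKENS='sv=2022-11-02&si=queue-readonly&sig=PLACEHOLDER
sv=2022-11-02&se=2031-01-01T00:00:00Z&sp=raup&sig=PLACEHOLDER
sv=2022-11-02&si=queue-readonly&sp=r&sig=PLACEHOLDER'

printf '%s\n' "$SAMPLE_TOKENS" | audit_sas_tokens || echo "$? token(s) need attention"
```

Feeding the script the SAS strings recorded in deployment pipelines or application configuration gives a quick inventory of which tokens can be revoked through their policy and which still require key rotation.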
Backout Plan:
Using Azure Portal:
Regenerate SAS tokens without SAP linkage if needed.
Delete stored access policies if no longer required.
Restore rotated access keys if necessary.
Using Azure CLI:
Delete or modify stored access policies to revert.
Regenerate SAS tokens without SAP linkage.
References: