Profile Applicability:
Level 1
Description:
Shared access signatures (SAS) can be used to grant limited access to Azure Storage resources. When generating a SAS, the protocols allowed for requests made with it can be specified; if the protocol is not restricted, the token is accepted over both HTTPS and plain HTTP. It is recommended to allow requests over HTTPS only.
Rationale:
If a SAS token is sent over plain HTTP, anyone positioned to observe the traffic (for example through a man-in-the-middle attack) can read the token and use it with exactly the permissions and lifetime it grants, just as the intended user could. Depending on those permissions, this can expose sensitive data or allow data to be altered or deleted.
Impact:
Clients that still send requests over plain HTTP will be rejected once a SAS is restricted to HTTPS. Revoking existing HTTP-capable tokens is coarse: deleting a stored access policy invalidates every SAS that references it, and rotating an account key invalidates every SAS signed with that key, including tokens that were already HTTPS only.
Remediation:
Using Azure Portal:
If SAS tokens allowing HTTP were created with a Stored Access Policy (SAP):
Go to Storage accounts.
Select the desired Storage account.
Under Data storage, click Containers, File shares, Queues, or Tables.
Click the three dots next to a listed item.
Click Access policy.
Click the three dots next to the relevant access policy.
Click Delete.
Click Save.
Repeat steps as needed to revoke all SAS tokens created with SAP.
If SAS tokens allowing HTTP were created without a SAP:
Go to Storage accounts.
Select the desired Storage account.
Under Security + networking, click Access keys.
Next to each key, click Rotate key.
Confirm by clicking Yes.
Repeat as needed to revoke SAS tokens.
Note: Regenerating an access key immediately invalidates every SAS signed with it and breaks any application or Azure service that authenticates with that key value. Rotate one key at a time: move dependents to the other key, regenerate the first, move them back, then regenerate the second. Key rotation does not affect user delegation SAS tokens, which are signed with a Microsoft Entra user delegation key rather than an account key; those are revoked by revoking the storage account's user delegation keys.
Implementation Plan:
Using Azure Portal:
When generating SAS tokens, ensure Allowed protocols is set to HTTPS only.
Review existing SAS tokens and revoke any that allow HTTP using the remediation steps.
Using Azure CLI:
Generate SAS tokens specifying the HTTPS-only protocol.
Rotate access keys if necessary to revoke HTTP-allowed SAS tokens.
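The script below is an added example written for this page; it is not code from the benchmark or from Microsoft. It covers the three CLI steps in one place: generating a container SAS with --https-only, auditing existing tokens by their signed-protocol field (spr), and regenerating one account key to revoke every SAS signed with it. The audit goes slightly beyond the text: it accepts a bare query string or a full URL, treats a URL-encoded comma (spr=https%2Chttp) the same as spr=https,http, and reports a missing spr field separately, since the SAS specification permits both protocols when the field is omitted. The resource group, storage account, container and expiry are hypothetical placeholders, and the audited tokens are constructed samples with fake signatures.

```shell
#!/usr/bin/env bash
# Added example for the HTTPS-only SAS recommendation; not benchmark or Microsoft code.
# Hypothetical names: resource group "rg-storage", storage account "contosostore",
# container "logs". Sample tokens below are constructed with fake signatures.

# --- Audit: classify a SAS token (bare query string or full URL) by its
# signed-protocol field "spr". Valid values are "https" (HTTPS only) and
# "https,http"; when the field is omitted, both protocols are accepted.
sas_protocol_status() {
  local token="$1" query spr="" kv old_ifs
  query="${token#*\?}"                 # keep only the query string of a full URL
  old_ifs="$IFS"; IFS='&'
  for kv in $query; do
    case "$kv" in
      spr=*) spr="${kv#spr=}" ;;
    esac
  done
  IFS="$old_ifs"
  spr=$(printf '%s' "$spr" | sed 's/%2[cC]/,/g')   # SDKs may URL-encode the comma
  case "$spr" in
    https) echo HTTPS_ONLY ;;
    "")    echo HTTP_ALLOWED_BY_DEFAULT ;;           # spr omitted: HTTP accepted
    *)     echo HTTP_ALLOWED ;;                      # "https,http" or anything else
  esac
}

# --- Generate: a container SAS that Azure accepts only over HTTPS (spr=https).
# With only --account-name given, az fetches the account key itself (this needs
# the listKeys permission); the token is signed with that key, so rotating the
# key later revokes it.
generate_https_only_sas() {
  local account="$1" container="$2" expiry="$3"    # expiry like 2025-12-31T00:00Z
  az storage container generate-sas \
    --account-name "$account" --name "$container" \
    --permissions rl --expiry "$expiry" \
    --https-only --output tsv
}

# --- Revoke: regenerate one key at a time. Every SAS signed with that key,
# HTTPS-only or not, stops working, so move dependents to the other key first.
rotate_key() {
  local rg="$1" account="$2" which="$3"            # which = primary | secondary
  az storage account keys renew --resource-group "$rg" \
    --account-name "$account" --key "$which" --output none
}

# Default action audits the constructed samples (runs offline); "generate" and
# "rotate" need a signed-in az session.
audit_samples() {
  local samples t
  samples='
sv=2022-11-02&sr=c&sp=rl&se=2025-12-31T00:00:00Z&spr=https&sig=FAKEsignature1
https://contosostore.blob.core.windows.net/logs?sv=2022-11-02&sr=c&sp=rl&se=2025-12-31T00:00:00Z&spr=https,http&sig=FAKEsignature2
sv=2022-11-02&sr=c&sp=rl&se=2025-12-31T00:00:00Z&spr=https%2Chttp&sig=FAKEsignature3
sv=2022-11-02&sr=c&sp=rl&se=2025-12-31T00:00:00Z&sig=FAKEsignature4
'
  for t in $samples; do
    printf '%-24s %s\n' "$(sas_protocol_status "$t")" "${t%%sig=*}sig=..."
  done
}

case "${1:-audit}" in
  audit)    audit_samples ;;
  generate) generate_https_only_sas "$2" "$3" "$4" ;;   # account container expiry
  rotate)   rotate_key "$2" "$3" "$4" ;;                # rg account primary|secondary
esac
```

Run it with no arguments to audit the samples; pipe real tokens exported from applications or configuration into sas_protocol_status to find the ones still accepting HTTP. Because a SAS carries no issuer-side record, there is no API to list outstanding tokens; the audit has to work from wherever tokens were stored or embedded, and anything that cannot be found is only revoked by deleting its stored access policy or rotating the signing key as in the Remediation section.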
Backout Plan:
Using Azure Portal:
If HTTPS-only tokens break a client, a SAS allowing HTTP can be recreated temporarily while the client is moved to HTTPS, with the risk described in the Rationale section accepted and documented.
Regenerated access keys cannot be restored to their previous value; instead, update dependent applications and services with the new key.
Using Azure CLI:
Regenerate SAS tokens without the HTTPS-only restriction only if a client cannot be moved to HTTPS in time.
Update dependents with the new key values; a regenerated key cannot be reverted, only regenerated again.
References:
https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage