Profile Applicability:
Level 1

Description:
Shared access signature (SAS) tokens provide restricted access to Azure Storage resources (such as blobs, files, queues, or tables) for a defined time period with specific permissions. This enables users to interact with the resources without exposing account keys, offering precise control over permitted actions (e.g., read, write) and the duration of access. To minimize security risks, SAS tokens should be configured with the shortest possible lifespan, ideally lasting no longer than an hour.

Rationale:
A short lifespan for SAS tokens is recommended to minimize the risk of unauthorized access. SAS tokens grant time-limited access to resources, and a longer duration increases the opportunity for misuse if the token is compromised. By setting a shorter lifespan, the potential for security breaches is reduced.

Impact:
SAS tokens can pose security risks if they are not managed carefully.

Default Value:
By default, SAS tokens created from Storage Explorer expire after 24 hours.

Remediation:

Using Azure Portal:

If long-lived SAS tokens were created without a stored access policy (SAP), they can only be revoked by rotating the account key that signed them:

  1. Go to Storage accounts.

  2. Select the relevant Storage account.

  3. Under Security + networking, click Access keys.

  4. Next to each key, click Rotate key.

  5. Confirm by clicking Yes.

  6. Repeat as needed to revoke SAS tokens.

Note: Rotating access keys can impact applications or Azure services dependent on those keys.

Implementation Plan:

Using Azure Portal:

  1. Generate SAS tokens with expiration times within one hour.

  2. Rotate access keys to revoke longer-lived SAS tokens if necessary.

Using Azure CLI:

  1. Generate SAS tokens with the expiry parameter (--expiry) set to no more than one hour after the start time.

  2. Rotate storage account keys if necessary.
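As an added audit check (not part of the benchmark or of any Microsoft tooling), the following Python parses the st (start) and se (expiry) fields of SAS tokens or SAS URLs and flags any whose validity window exceeds one hour; the sample tokens, hostnames and signature values are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

MAX_SAS_LIFESPAN = timedelta(hours=1)  # benchmark recommendation: one hour or less

# ISO 8601 UTC forms accepted in the st/se fields of a SAS token
_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_sas_time(value: str) -> datetime:
    """Parse a SAS st/se timestamp into a timezone-aware UTC datetime."""
    for fmt in _TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def sas_lifespan(sas: str, issued_at: Optional[str] = None) -> timedelta:
    """Return the validity window of a SAS token or SAS URL.

    se (expiry) is mandatory. st (start) is optional: when it is absent the
    token is valid from the moment it was issued, so the caller must supply
    issued_at (same timestamp format) from the generating script or log.
    """
    query = urlsplit(sas).query if "?" in sas else sas
    params = parse_qs(query, keep_blank_values=True)
    if "se" not in params:
        raise ValueError("SAS token has no se (expiry) field")
    expiry = parse_sas_time(params["se"][0])
    if "st" in params:
        start = parse_sas_time(params["st"][0])
    elif issued_at is not None:
        start = parse_sas_time(issued_at)
    else:
        raise ValueError("SAS token has no st field; pass issued_at")
    return expiry - start


def exceeds_max_lifespan(sas: str, issued_at: Optional[str] = None,
                         limit: timedelta = MAX_SAS_LIFESPAN) -> bool:
    """True when the token's validity window is longer than the allowed limit."""
    return sas_lifespan(sas, issued_at) > limit


# Constructed sample tokens; sig values are placeholders, not real signatures.
SAMPLE_TOKENS: Dict[str, str] = {
    "one_hour": "https://example.blob.core.windows.net/logs/app.log?sv=2022-11-02&st=2024-05-01T12:00:00Z&se=2024-05-01T13:00:00Z&sr=b&sp=r&sig=PLACEHOLDER",
    "one_day": "sv=2022-11-02&st=2024-05-01T12:00:00Z&se=2024-05-02T12:00:00Z&ss=b&srt=sco&sp=rl&sig=PLACEHOLDER",
    "no_start": "?sv=2022-11-02&se=2024-05-01T12:30Z&sr=c&sp=l&sig=PLACEHOLDER",
}


def audit(tokens: Dict[str, str], issued_at: Optional[str] = None) -> List[str]:
    """Return the names of tokens whose validity window exceeds the limit."""
    return [name for name, tok in tokens.items() if exceeds_max_lifespan(tok, issued_at)]
```

Tokens flagged by audit() cannot be shortened in place; they must be reissued and, if not bound to a stored access policy, revoked by rotating the signing key.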

Backout Plan:

Using Storage Explorer and Azure Portal:

  1. Regenerate SAS tokens with longer expiration times if required, understanding associated risks.

  2. Restore access keys if rotated during remediation.


References:

  1. https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview

  2. https://docs.microsoft.com/en-us/rest/api/storageservices/delegating-access-with-a-shared-access-signature

  3. https://learn.microsoft.com/en-us/azure/storage/storage-explorer/vs-azure-tools-storage-explorer-blobs#manage-access-policies-for-a-blob-container