Profile Applicability:
Level 1
Description:
Use stored access policies (SAP) when generating shared access signature (SAS) tokens in Azure to centrally manage permissions, expiration, and revocation settings for resource access. Stored access policies can be applied to blob containers, file shares, queues, and tables.
Rationale:
Stored access policies provide centralized control over SAS token access, allowing administrators to update permissions or revoke access. This approach strengthens security by reducing the risk of unauthorized access to storage resources.
Impact:
Pros:
Centralized control and revocation of SAS tokens.
Simplifies management of permissions and expiry times across multiple SAS tokens.
Enhances auditability and compliance.
Cons:
Requires administrative overhead to create and manage stored access policies.
May require changes in applications to support policy-based SAS token generation.
Default Value:
By default, stored access policies are not associated with SAS tokens. To use a stored access policy, it must be explicitly created and linked to the SAS at creation.
Pre-requisites:
Permissions to create and manage stored access policies on Azure Storage resources.
Understanding of SAS token and SAP usage lifecycle.
Remediation
Test Plan:
Using Azure portal:
In Storage Explorer, expand Storage Accounts.
Expand a storage account.
Expand Blob Containers, File Shares, Queues, or Tables, and right-click a blob container, file share, queue, or table.
Click Manage Stored Access Policies....
Under Access Policies, click Add.
Modify the ID, Start time, Expiry time, and permissions appropriately.
Click Save.
Repeat steps 1-7 as needed to create SAP.
When generating SAS, select a SAP from the Access policy drop-down.
Using Azure CLI:
List stored access policies for a container:
az storage container policy list --account-name <storage-account-name> --container-name <container-name> --output table
Verify that SAS tokens are generated referencing stored access policies.
Implementation Plan
Using Azure Portal:
Go to Storage accounts.
Click on a storage account.
Under Data storage, click Queues.
Click the name of a queue.
Under Settings, click Access policy.
Under Stored access policies, click + Add policy.
Enter an Identifier.
From the Permissions drop-down, select appropriate permissions for the policy
Set an appropriate Start time for the policy.
Set an appropriate Expiry time for the policy.
Click OK.
Click Save.
Repeat steps 1-12 as needed to create SAP.
Using Azure CLI:
Create a stored access policy on a container:
az storage container policy create --account-name <storage-account-name> --container-name <container-name> --name <policy-name> --permissions <permissions> --start <start-time> --expiry <expiry-time>
Generate a SAS token referencing the stored access policy:
az storage container generate-sas --account-name <storage-account-name> --container-name <container-name> --policy-name <policy-name> --output tsv
Revoke SAS tokens created without SAP by rotating storage account keys:
az storage account keys renew --account-name <storage-account-name> --key primary or az storage account keys renew --account-name <storage-account-name> --key secondary
Backout Plan
Using Azure Portal:
Regenerate SAS tokens without SAP linkage if needed.
Delete stored access policies if no longer required.
Restore rotated access keys if necessary.
Using Azure CLI:
Delete or modify stored access policies as needed:
az storage container policy delete --account-name <storage-account-name> --container-name <container-name> --name <policy-name>
Regenerate SAS tokens without stored access policy linkage if required.
References: