Profile Applicability:

  • Level 1

Description:
 Storage Account Access Keys provide full access to Azure Storage resources. Periodic regeneration of these keys reduces the risk of unauthorized access resulting from key compromise or leakage by limiting the validity window of any exposed keys.

Rationale:
 Regular key regeneration is a critical security best practice that minimizes the attack surface associated with long-lived credentials. It enforces key hygiene, supports compliance requirements, and helps prevent unauthorized data access.

Impact:

Pros:

  • Reduces risk of unauthorized access due to compromised keys.

  • Encourages adherence to security policies and compliance.

Cons:

  • Requires coordination to update applications and services using these keys.

  • Potential for service disruption if key updates are not synchronized.

Default Value:
 Keys do not auto-rotate; regeneration must be performed manually or automated via scripts.

Pre-requisites:

  • Access to regenerate storage account keys.

  • Processes to update dependent services and applications promptly.

Remediation

Test Plan:

Using Azure Portal:

  1. Sign in to https://portal.azure.com.

  2. Navigate to Storage Accounts and select the target account.

  3. Go to Access keys under Security + networking.

  4. Review last key regeneration date if available.

  5. Verify policies or schedules exist for periodic key rotation.

Using Azure CLI:

  1. List current keys:

    az storage account keys list --account-name <account-name> --resource-group <resource-group>

  2. Confirm keys are actively in use and rotation schedule exists.
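The key-age review in steps 1 and 2 can be scripted against the JSON that `az storage account keys list` prints. The following is an added example, not part of the original benchmark text: it parses a constructed sample of that output (key values are fake placeholders), computes each key's age from its `creationTime` field, and reports keys older than a chosen maximum age; the 90-day threshold is an assumption, not a value from this page.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `az storage account keys list -o json` output.
# Key values are placeholders, not real credentials.
SAMPLE_KEYS_JSON = """
[
  {"creationTime": "2024-01-15T10:00:00.000000+00:00", "keyName": "key1",
   "permissions": "FULL", "value": "PLACEHOLDER-KEY1-VALUE"},
  {"creationTime": "2024-05-20T08:30:00.000000+00:00", "keyName": "key2",
   "permissions": "FULL", "value": "PLACEHOLDER-KEY2-VALUE"}
]
"""

def key_ages(keys_json: str, now: datetime) -> dict:
    """Map keyName -> age in whole days; -1 when creationTime is absent (older accounts)."""
    ages = {}
    for key in json.loads(keys_json):
        stamp = key.get("creationTime")
        if not stamp:
            ages[key["keyName"]] = -1  # unknown age is itself a finding
            continue
        created = datetime.fromisoformat(stamp)
        if created.tzinfo is None:
            created = created.replace(tzinfo=timezone.utc)
        ages[key["keyName"]] = (now - created).days
    return ages

def overdue_keys(keys_json: str, max_age_days: int, now: datetime) -> list:
    """Names of keys older than max_age_days (or of unknown age), worst first."""
    ages = key_ages(keys_json, now)
    flagged = [name for name, age in ages.items() if age < 0 or age > max_age_days]
    # Unknown age sorts ahead of every known age so it is reviewed first.
    return sorted(flagged, key=lambda n: ages[n] if ages[n] >= 0 else 10**9, reverse=True)

if __name__ == "__main__":
    # In practice feed real CLI output: az storage account keys list ... -o json
    now = datetime.now(timezone.utc)
    for name, age in key_ages(SAMPLE_KEYS_JSON, now).items():
        print(f"{name}: {age} days since creation")
    print("overdue (>90 days):", overdue_keys(SAMPLE_KEYS_JSON, 90, now))
```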

Implementation Plan

Using Azure Portal:

  1. Regenerate keys as needed by selecting Regenerate key1 or Regenerate key2.

  2. Update all services and applications with the new key promptly to avoid disruption.

  3. Document key rotation dates and schedule.

Using Azure CLI:

  1. Regenerate primary key:

    az storage account keys renew --account-name <account-name> --resource-group <resource-group> --key primary

  2. Regenerate secondary key:

    az storage account keys renew --account-name <account-name> --resource-group <resource-group> --key secondary

  3. Update dependent applications with the new key.

Backout Plan

Using Azure Portal:

  1. Roll back to the previous key by reusing the old key if possible.

  2. Coordinate with all stakeholders to ensure continuity.

Using Azure CLI:

  1. If a rollback is required, regenerate the other key and switch applications accordingly.

  2. Plan a coordinated key update.

References: