Profile Applicability:
- Level 1
Description:
Shared access signature (SAS) tokens provide restricted access to Azure Storage resources (such as blobs, files, queues, or tables) for a defined time period with specific permissions. This enables users to interact with resources without exposing account keys, offering precise control over the permitted actions (e.g., read, write) and the duration of access. To minimize security risks, SAS tokens should be configured with the shortest possible lifespan, ideally lasting no longer than an hour.
Rationale:
A short lifespan for SAS tokens is recommended to minimize the risk of unauthorized access. SAS tokens grant time-limited access to resources, and a longer duration increases the opportunity for misuse if the token is compromised. By setting a shorter lifespan, the potential for security breaches is reduced.
Impact:
SAS tokens that are not managed carefully (for example, issued with long lifetimes and never revoked) pose a security risk; revoking tokens that are already in circulation requires deleting the stored access policy they reference or rotating the storage account keys, which affects everything that depends on those keys.
Default Value:
By default, the expiration for shared access signatures is set to 8 hours.
Remediation:
Using Azure Portal:
If SAS tokens without a short lifespan were created with a Stored Access Policy (SAP):
- Go to Storage accounts.
- Select the relevant Storage account.
- Under Data storage, click Containers, File shares, Queues, or Tables.
- Click the three dots next to a listed item.
- Click Access policy.
- Click the three dots next to the relevant access policy.
- Click Delete.
- Click Save.
- Repeat as needed to revoke SAS tokens created with a SAP.
If SAS tokens without a short lifespan were created without a SAP:
- Go to Storage accounts.
- Select the relevant Storage account.
- Under Security + networking, click Access keys.
- Next to each key, click Rotate key.
- Confirm by clicking Yes.
- Repeat as needed to revoke SAS tokens.
Note: Rotating access keys can affect applications or Azure services dependent on the storage account keys.
Implementation Plan:
Using Azure Portal:
- When generating SAS tokens, specify an expiration time within one hour.
- Review and revoke existing SAS tokens with longer expiration times using the remediation steps.
Using Azure CLI:
- Generate SAS tokens with the expiration time parameter set to one hour or less.
- Rotate storage account keys as necessary to revoke longer-lived SAS tokens.
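As an added example that is not part of this benchmark, the following standard-library Python check classifies SAS tokens gathered from application configuration by their validity window and maps each one to the remediation branch above (delete the stored access policy, or rotate the account keys). The sample URLs, container names, policy name and PLACEHOLDER signatures are constructed.

```python
"""Flag SAS tokens whose validity window exceeds one hour and pick the
remediation branch from this control. st/se/si/sig are the documented SAS
query fields; the sample URLs and signatures are constructed placeholders."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=1)  # ceiling recommended by this control
SAMPLE_SAS_URLS = [  # constructed: as they might appear in an app config
    "https://example.blob.core.windows.net/logs?sv=2022-11-02&st=2024-05-01T08:00:00Z"
    "&se=2024-05-01T08:45:00Z&sr=c&sp=rl&sig=PLACEHOLDER",
    "https://example.blob.core.windows.net/backups?sv=2022-11-02&st=2024-05-01T00:00:00Z"
    "&se=2025-05-01T00:00:00Z&sr=c&sp=rwdl&sig=PLACEHOLDER",
    "https://example.blob.core.windows.net/reports?sv=2022-11-02&si=nightly-export"
    "&sr=c&sig=PLACEHOLDER",
]

def parse_sas_time(value):
    """st/se are ISO 8601 UTC: 2024-05-01T08:00:00Z, ...T08:00Z or 2024-05-01."""
    value = value.rstrip("Z")
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAS timestamp {value!r}")

def assess_sas(url, now=None):
    """Return lifetime, whether it exceeds MAX_LIFETIME, and the remediation
    branch: delete the stored access policy when the token references one
    (si), otherwise rotate the account keys."""
    query = urlsplit(url).query or url.lstrip("?")  # accept a URL or bare token
    q = {k: v[0] for k, v in parse_qs(query).items()}
    if "sig" not in q:
        raise ValueError("not a SAS token: no sig parameter")
    uses_policy = "si" in q
    if "se" not in q:  # expiry is defined only inside the stored access policy
        if not uses_policy:
            raise ValueError("SAS token carries neither se nor si")
        return {"lifetime": None, "too_long": None, "remediation": "delete-stored-access-policy"}
    # Without st the token is valid from signing time; measuring from `now`
    # under-estimates the window, so treat that result as a lower bound (assumption).
    start = parse_sas_time(q["st"]) if "st" in q else (now or datetime.now(timezone.utc))
    lifetime = parse_sas_time(q["se"]) - start
    too_long = lifetime > MAX_LIFETIME
    remediation = "none" if not too_long else (
        "delete-stored-access-policy" if uses_policy else "rotate-account-keys")
    return {"lifetime": lifetime, "too_long": too_long, "remediation": remediation}

def audit(urls=SAMPLE_SAS_URLS):
    return {u: assess_sas(u) for u in urls}
```

A token with no explicit se and no si is malformed and is reported as an error rather than silently passed.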
Backout Plan:
Using Azure Portal:
- If needed, SAS tokens can be regenerated with longer expiration times, with the understanding of the associated security risks.
- Restore access keys if they were rotated during remediation.
Using Azure CLI:
- Regenerate SAS tokens with longer expiration times if needed.
- Restore or re-rotate keys as necessary.
References:
- https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
- https://docs.microsoft.com/en-us/rest/api/storageservices/delegating-access-with-a-shared-access-signature