Profile Applicability:
- Level 1
Description:
The setting 'Allow Storage Account Key Access' controls whether applications and users can access Azure Storage resources using the storage account access keys. Disabling this setting enforces the use of more secure authentication methods such as Azure Active Directory (Azure AD), reducing reliance on long-lived keys.
Rationale:
Disabling storage account key access limits the risk associated with key compromise, which can lead to unauthorized access. Encouraging Azure AD authentication enhances security by leveraging role-based access control (RBAC) and enables better auditability and key management.
Impact:
Pros:
Reduces risk of unauthorized access via compromised keys.
Supports modern authentication best practices with Azure AD.
Improves security posture and audit capabilities.
Cons:
Legacy applications dependent on access keys may fail unless updated.
Requires planning and testing for migration to Azure AD authentication.
Default Value:
By default, storage account key access is enabled to maintain backward compatibility.
Pre-requisites:
Azure subscription with permissions to modify storage account settings.
Azure AD configured for authentication to storage resources.
Remediation:
Test Plan:
Using Azure Portal:
Log in to https://portal.azure.com.
Navigate to Storage Accounts and select the target account.
Under Settings, go to Configuration.
Verify that Allow storage account key access is set to Disabled.
Using Azure CLI:
Check the current status:
az storage account show --name <storage-account-name> --resource-group <resource-group-name> --query allowSharedKeyAccess
Confirm the output is false, indicating key access is disabled. An output of true, or null (the property has never been set and Azure treats it as true), means key access is still allowed.
Implementation Plan:
Using Azure Portal:
In the Configuration settings of the storage account, toggle Allow storage account key access to Disabled.
Save changes and validate access using Azure AD authentication.
Using Azure CLI:
Disable storage account key access:
az storage account update --name <storage-account-name> --resource-group <resource-group-name> --set allowSharedKeyAccess=false
Confirm the update by rechecking the property.
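The test and implementation steps above check one account at a time. The following script is an added example (not part of this benchmark text) that applies the same check across every storage account returned by az storage account list and prints the benchmark's remediation command for each non-compliant account without executing it. It assumes the Azure CLI is installed and logged in when run with --live; the embedded SAMPLE_ACCOUNTS data is constructed to mirror the CLI's JSON output and lets the logic run offline. It also covers the edge case the single-account check can miss: an allowSharedKeyAccess value of null, which Azure treats as enabled.

```python
"""Audit 'Allow storage account key access' across a subscription.

Added example, not part of the benchmark text. Assumes the Azure CLI (`az`)
is installed and logged in when run with --live; otherwise it evaluates the
constructed sample below.
"""
import json
import shlex
import subprocess
import sys
from typing import Any

# Constructed sample shaped like `az storage account list -o json`, trimmed
# to the fields this check needs. The third account has
# allowSharedKeyAccess = null: the property was never set, and Azure treats
# an unset value as key access ENABLED, so it must be reported.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "stlogsprod01",   "resourceGroup": "rg-logging", "allowSharedKeyAccess": false},
  {"name": "stlegacyapp",    "resourceGroup": "rg-legacy",  "allowSharedKeyAccess": true},
  {"name": "stunsetdefault", "resourceGroup": "rg-sandbox", "allowSharedKeyAccess": null}
]
""")


def key_access_allowed(account: dict[str, Any]) -> bool:
    """Return True when shared-key access is effectively enabled.

    Only an explicit false is compliant; true and a missing/null value both
    mean the account access keys can still be used.
    """
    return account.get("allowSharedKeyAccess") is not False


def find_noncompliant(accounts: list[dict[str, Any]]) -> list[tuple[str, str]]:
    """Return (name, resourceGroup) for every account that still allows key access."""
    return [
        (acct["name"], acct["resourceGroup"])
        for acct in accounts
        if key_access_allowed(acct)
    ]


def remediation_commands(noncompliant: list[tuple[str, str]]) -> list[str]:
    """Build the benchmark's remediation command for each finding (not executed here)."""
    return [
        f"az storage account update --name {shlex.quote(name)} "
        f"--resource-group {shlex.quote(rg)} --set allowSharedKeyAccess=false"
        for name, rg in noncompliant
    ]


def list_accounts_from_cli() -> list[dict[str, Any]]:
    """Fetch live data from the Azure CLI (requires a prior `az login`)."""
    query = "[].{name:name,resourceGroup:resourceGroup,allowSharedKeyAccess:allowSharedKeyAccess}"
    result = subprocess.run(
        ["az", "storage", "account", "list", "--query", query, "-o", "json"],
        capture_output=True, text=True, check=True,
    )
    return json.loads(result.stdout)


if __name__ == "__main__":
    accounts = list_accounts_from_cli() if "--live" in sys.argv else SAMPLE_ACCOUNTS
    findings = find_noncompliant(accounts)
    if not findings:
        print("All storage accounts have shared-key access disabled.")
    for cmd in remediation_commands(findings):
        # Review each command and run it as part of the Implementation Plan.
        print(cmd)
```

Run it without arguments to see the check applied to the constructed sample, or with --live to audit the subscription the CLI is currently logged in to. Only an explicit false counts as compliant; the script deliberately prints rather than runs the remediation so the change can be scheduled and tested against legacy applications first.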
Backout Plan:
Using Azure Portal:
Re-enable storage account key access if required by toggling the setting back to Enabled.
Communicate changes to affected users.
Using Azure CLI:
Enable storage account key access:
az storage account update --name <storage-account-name> --resource-group <resource-group-name> --set allowSharedKeyAccess=true
References: