
Check for Overly Permissive Stored Access Policies

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: StorageAccounts-015

Ensure that your Microsoft Azure Storage shared access signatures don't have full access to your storage account resources (i.e. blob objects, files, tables and queues) via stored access policies. A shared access signature (SAS) is a URI that grants limited access rights to Azure Storage resources. A SAS token is useful when you have to provide secure, temporary access to your storage account resources to clients that don't otherwise have permission to access these resources. A stored access policy provides an additional level of control over service-level shared access signatures and can be used to manage constraints for one or more shared access signatures. When you associate a service SAS with a stored access policy, the SAS inherits the policy constraints, such as the start time, the expiry time, and the permissions.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

A stored access policy provides an additional layer of control on top of the service-level shared access signature (SAS). To protect your Azure Storage account resources against unapproved access, configure the stored access policies associated with your service SAS tokens to follow the principle of least privilege by giving these policies the minimal set of permissions required for their tasks. Because a service SAS that references a stored access policy inherits the policy's permissions and validity period, editing or deleting the policy narrows or revokes every SAS issued against it at once, whereas a SAS that is not tied to a stored access policy can only be revoked by regenerating the account key that signed it.

Note: As an example, this conformity rule demonstrates how to check and reconfigure overly permissive stored access policies that grant full access to Microsoft Azure Storage blob containers.


Audit

To determine if your Azure Storage shared access signatures have full access to your resources via stored access policies, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to examine from the Subscription filter box.

04 Click on the name of the Azure Storage account that you want to examine.

05 In the navigation panel, under Blob service, click Containers to access the blob containers available in the selected storage account.

06 Click on the name of the Azure blob container that you want to examine.

07 In the navigation panel, under Settings, click Access policy to open the associated access policy.

08 On the Access policy page, choose the access policy that you want to examine from the Stored access policies list. Check the policy validity period (i.e. start time and expiry time) and the associated permissions. If the policy has not expired and its permissions are racwdl (Read, Add, Create, Write, Delete, List), the shared access signature (SAS) associated with the verified stored access policy has full access to the data in the selected blob container.

09 Repeat step no. 8 for each stored access policy defined for the specified blob container.

10 Repeat steps no. 6 – 9 for each blob container available in the selected Azure Storage account.

11 Repeat steps no. 4 – 10 for each storage account available in the selected Azure subscription.

12 Repeat steps no. 3 – 11 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage account list command (Windows/macOS/Linux) using custom query filters to list the name of each storage account available in the current Azure subscription:

az storage account list
    --query '[*].name'

02 The command output should return the requested storage account names:

[
  "abcdabcdabcd123412341234",
  "abcd1234abcd1234abcd1234"
]

03 Run storage container list command (Windows/macOS/Linux) using the name of the storage account that you want to examine as the identifier parameter and custom query filters to list the containers available in the selected storage account:

az storage container list
    --account-name abcdabcdabcd123412341234
    --query '[*].name'

04 The command output should return the name of the blob containers within the specified storage account:

[
  "ccproducts-abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
  "ccinternal-1234abcd-1234-abcd-1234-abcd1234abcd"
]

05 Run storage container policy list command (Windows/macOS/Linux) using the names of the storage account and the container that you want to examine as identifier parameters to describe the stored access policies for the selected container:

az storage container policy list
    --account-name abcdabcdabcd123412341234
    --container-name ccproducts-abcdabcd-abcd-abcd-abcd-abcdabcdabcd

06 The command output should return a list of stored access policies for the specified blob container:

{
  "tooPermissivePolicy": {
    "expiry": "2021-09-02T00:00:00+00:00",
    "permission": "racwdl",
    "start": "2020-09-01T00:00:00+00:00"
  }
}

If the storage container policy list command output returns a non-empty object (i.e. not {}) that contains a policy whose expiry is in the future (or is not set, in which case the policy stays valid until it is deleted) and whose permission string is racwdl, as shown in the example above, the stored access policy is active and grants full access to the data in the selected blob container. Therefore, it is not following the principle of least privilege.

07 Repeat step no. 5 and 6 for each container provisioned in the selected storage account.

08 Repeat steps no. 3 – 7 for each storage account available within the selected subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.
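The evaluation in step 06 can be scripted instead of read by eye. The following is an added example, not Conformity's own tooling: it takes the JSON object that az storage container policy list -o json prints for one container and reports every policy that is unexpired and carries the full racwdl permission set (checked as a set of letters, so the order does not matter). The sample input is constructed from the page's tooPermissivePolicy plus three variants that cover the edge cases (an expired full-access policy, a read-only policy, and a full-access policy with no expiry), and the clock is pinned so the result is reproducible.

```python
"""Flag stored access policies that grant full access to a blob container.

Added example for the audit above; it is not Conformity's own code. It reads
the JSON object that `az storage container policy list -o json` prints for one
container and reports every policy that (a) is not expired and (b) carries the
full racwdl permission set, in any order. The sample input is constructed.
"""
import json
from datetime import datetime, timezone

# Full access to container data, as listed in the Conformity rule.
FULL_CONTAINER_PERMISSIONS = frozenset("racwdl")

# Constructed sample: the page's tooPermissivePolicy plus three variants that
# exercise the edge cases (expired policy, read-only policy, no expiry set).
SAMPLE_POLICY_LIST = json.loads("""
{
  "tooPermissivePolicy": {
    "expiry": "2021-09-02T00:00:00+00:00",
    "permission": "racwdl",
    "start": "2020-09-01T00:00:00+00:00"
  },
  "expiredFullAccess": {
    "expiry": "2019-01-01T00:00:00+00:00",
    "permission": "racwdl",
    "start": "2018-01-01T00:00:00+00:00"
  },
  "readOnlyPolicy": {
    "expiry": "2021-09-02T00:00:00+00:00",
    "permission": "rl",
    "start": "2020-09-01T00:00:00+00:00"
  },
  "noExpiryFullAccess": {
    "expiry": null,
    "permission": "rwdlac",
    "start": null
  }
}
""")

# Fixed clock so the constructed sample evaluates the same way every run.
SAMPLE_NOW = datetime(2021, 1, 15, tzinfo=timezone.utc)


def parse_azure_datetime(value):
    """Parse the ISO 8601 timestamps az prints; None means the field is unset."""
    if value is None:
        return None
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def evaluate_policy(name, policy, now):
    """Classify one stored access policy; 'finding' is True when it violates the rule."""
    permissions = frozenset((policy.get("permission") or "").lower())
    expiry = parse_azure_datetime(policy.get("expiry"))
    expired = expiry is not None and expiry <= now
    full_access = FULL_CONTAINER_PERMISSIONS <= permissions
    return {
        "name": name,
        "permission": policy.get("permission"),
        "expired": expired,
        "no_expiry": expiry is None,  # valid until deleted; worth reviewing on its own
        "full_access": full_access,
        "finding": full_access and not expired,
    }


def audit_container(policy_list, now=None):
    """Return the names of policies that grant unexpired full access, sorted."""
    now = now or datetime.now(timezone.utc)
    results = [evaluate_policy(n, p, now) for n, p in policy_list.items()]
    return sorted(r["name"] for r in results if r["finding"])


def audit_sample():
    """Run the check over the constructed sample with the pinned clock."""
    return audit_container(SAMPLE_POLICY_LIST, SAMPLE_NOW)


if __name__ == "__main__":
    # Usage: az storage container policy list ... -o json | python3 audit_policies.py
    # With no piped input the constructed sample is evaluated instead.
    import sys
    if sys.stdin.isatty():
        data, now = SAMPLE_POLICY_LIST, SAMPLE_NOW
    else:
        data, now = json.load(sys.stdin), datetime.now(timezone.utc)
    for name, policy in data.items():
        print(evaluate_policy(name, policy, now))
    print("findings:", audit_container(data, now))
```

Feed the script one container's policy listing at a time and loop over the container, storage account and subscription lists from steps 01 to 05 in your shell; the policy with no expiry is reported as a finding because it never stops being valid, which is the case the portal's "not expired" check is easiest to overlook.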

Remediation / Resolution

To revoke the shared access signature (SAS) full access to your Azure Storage container blobs using stored access policies, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to connect to from the Subscription filter box.

04 Click on the name of the Azure Storage account that you want to access.

05 In the navigation panel, under Blob service, click Containers to access the blob containers available in the selected storage account.

06 Click on the name of the Azure blob container that you want to reconfigure.

07 In the navigation panel, under Settings, click Access policy to open the associated access policy.

08 On the Access policy page, under Stored access policies, right-click on the stored access policy that you want to reconfigure, then click Edit to open the panel with the policy configuration settings.

09 On the Edit policy configuration panel, from the Permissions dropdown list, select only the minimum permission(s) required for the SAS access to the selected blob container, following the principle of least privilege. The allowed operations for each permission that can be set to a blob container are:

  • Read (r) – read the content, properties, metadata or block list of any blob object in the selected container. Use any blob object within the storage container as the source of a copy operation.
  • Add (a) – add a block to any append blob within the selected container.
  • Create (c) – write a new blob to the selected container, snapshot any blob in the container, or copy a blob to a new blob in the specified container.
  • Write (w) – for any blob in the selected container, create or write content, properties, metadata, or block list. Resize, snapshot or lease the blob object. Use the blob object as the destination of a copy operation.
  • Delete (d) – delete any blob in the selected container. You cannot grant permissions to delete a container with a service SAS. Use an account SAS instead.
  • List (l) – list blobs in the selected storage container.

If you just want to remove the selected stored access policy, right-click on the policy and choose Delete instead of Edit. Reconfiguring or deleting the stored access policy immediately affects all of the shared access signatures associated with it.

10 Repeat step no. 8 and 9 for each stored access policy defined for the specified blob container.

11 Repeat steps no. 6 – 10 for each blob container available in the selected Azure Storage account.

12 Repeat steps no. 4 – 11 for each storage account provisioned in the selected Azure subscription.

13 Repeat steps no. 3 – 12 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage container policy update command (Windows/macOS/Linux) using the names of the storage account, blob container and policy that you want to reconfigure as identifier parameters (see Audit section steps 01, 03 and 05 to identify the right resource) to update the overly permissive stored access policy, following the principle of least privilege:

az storage container policy update
    --account-name abcdabcdabcd123412341234
    --container-name ccproducts-abcdabcd-abcd-abcd-abcd-abcdabcdabcd
    --name tooPermissivePolicy
    --start "<start_time>"
    --expiry "<expiry_time>"
    --permissions "<permissions_options>"

Notes:
  • start : Start UTC datetime (Y-m-d'T'H:M:S'Z'). Defaults to time of request.
  • expiry : Expiration UTC datetime in (Y-m-d'T'H:M:S'Z').
  • permissions : Read (r), Add (a), Create (c), Write (w), Delete (d), List (l). Can be combined.

02 Repeat step no. 1 for each stored access policy defined for the specified blob container.

03 Repeat steps no. 1 and 2 for each blob container available in the selected storage account.

04 Repeat steps no. 1 – 3 for each storage account available within the selected subscription.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.
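Building the update command by hand is where two mistakes creep in: leaving the permission string at racwdl while only changing the dates, and pasting the +00:00 timestamps that az prints back into --start/--expiry, which expect the Y-m-dTH:M:SZ form listed in the notes above. The following is an added example, not Conformity's own tooling, that assembles the command from a list of required operations. The plain-English operation names are an assumption of this example (shorthand for the six container permissions the page lists), and the 90-day cap on policy lifetime is an assumed local standard, not an Azure limit.

```python
"""Emit a least-privilege `az storage container policy update` command.

Added example for the remediation steps above; not Conformity's own tooling.
The operation names are an assumption of this example: shorthand for the six
container permissions the page lists. The 90-day lifetime cap is an assumed
local standard, not an Azure limit.
"""
from datetime import datetime, timedelta, timezone

# Operation name -> permission letter, following the page's permission table.
OPERATION_TO_PERMISSION = {
    "read": "r",
    "add": "a",
    "create": "c",
    "write": "w",
    "delete": "d",
    "list": "l",
}
# Order Azure documents for container permissions; also what "full access" looks like.
CANONICAL_ORDER = "racwdl"
MAX_POLICY_LIFETIME = timedelta(days=90)  # assumed local standard


def permission_string(operations):
    """Translate operation names to a permission string in canonical order."""
    letters = set()
    for op in operations:
        if op not in OPERATION_TO_PERMISSION:
            raise ValueError(f"unknown operation {op!r}")
        letters.add(OPERATION_TO_PERMISSION[op])
    if not letters:
        raise ValueError("a stored access policy needs at least one permission")
    return "".join(p for p in CANONICAL_ORDER if p in letters)


def az_datetime(moment):
    """Format a timezone-aware datetime the way az expects: Y-m-dTH:M:SZ (UTC)."""
    if moment.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_update_command(account, container, policy_name, operations, start, expiry):
    """Return argv for the update command, refusing settings that stay non-compliant."""
    permissions = permission_string(operations)
    if permissions == CANONICAL_ORDER:
        raise ValueError("requested permissions still amount to full access (racwdl)")
    if expiry <= start:
        raise ValueError("expiry must be later than start")
    if expiry - start > MAX_POLICY_LIFETIME:
        raise ValueError(f"policy lifetime exceeds {MAX_POLICY_LIFETIME.days} days")
    return [
        "az", "storage", "container", "policy", "update",
        "--account-name", account,
        "--container-name", container,
        "--name", policy_name,
        "--start", az_datetime(start),
        "--expiry", az_datetime(expiry),
        "--permissions", permissions,
    ]


def example_command():
    """Reconfigure the page's tooPermissivePolicy to read + list for 60 days."""
    start = datetime(2021, 1, 15, tzinfo=timezone.utc)
    return build_update_command(
        "abcdabcdabcd123412341234",
        "ccproducts-abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
        "tooPermissivePolicy",
        ["read", "list"],
        start,
        start + timedelta(days=60),
    )


if __name__ == "__main__":
    import shlex
    print(shlex.join(example_command()))
```

Run it to print the command, review it, then paste it into the shell; the same argv list can be handed to subprocess.run if you automate the remediation across the loop in steps 02 to 05. Because the command edits the policy in place, every SAS that references tooPermissivePolicy is narrowed to read and list the moment the update lands.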

Publication date Dec 17, 2019