Ensure that your Microsoft Azure Storage shared access signatures don't have full access to your storage account resources (i.e. blob objects, files, tables and queues) via stored access policies. A shared access signature (SAS) is a URI that grants limited access rights to Azure Storage resources. A SAS token is useful when you have to provide secure, temporary access to your storage account resources to clients that don't otherwise have permission to access these resources. A stored access policy provides an additional level of control over service-level shared access signatures, so the policy can be used to manage constraints for one or more shared access signatures. When you associate a service SAS with a stored access policy, the SAS inherits the policy constraints, such as the start time, the expiry time, and its permissions.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
A stored access policy provides an additional layer of control on top of the service-level shared access signature (SAS). To protect your Azure Storage account resources against unapproved access, configure the stored access policies associated with your service SAS tokens to follow the principle of least privilege by giving these policies the minimal set of permissions required to perform their tasks successfully.
Note: As an example, this conformity rule demonstrates how to check and reconfigure overly permissive stored access policies that grant full access to Microsoft Azure Storage blob containers.
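As an added illustration (not part of the Conformity rule itself), the following Python audits a blob container's stored access policies for the full-access pattern described above and builds the `az storage container policy update` command that narrows one policy to least privilege. The input shape assumed here mirrors the dictionary that `az storage container policy list -o json` prints (policy name mapped to `permission`, `start`, `expiry`); the account, container and policy names are constructed sample values.

```python
"""Audit stored access policies on an Azure Storage blob container."""
from datetime import datetime, timezone

# A container-level policy that grants read, write, delete and list at once is
# treated as "full access" by this check (the pattern the rule describes).
FULL_ACCESS = frozenset("rwdl")

# Constructed sample, shaped like `az storage container policy list -o json`
# (assumed shape: policy name -> {"permission", "start", "expiry"}).
SAMPLE_POLICIES = {
    "backup-reader": {"permission": "rl", "start": None,
                      "expiry": "2030-01-01T00:00:00+00:00"},
    "legacy-full": {"permission": "rwdl", "start": "2024-01-01T00:00:00+00:00",
                    "expiry": "2030-01-01T00:00:00+00:00"},
    "etl-writer": {"permission": "acw", "start": None, "expiry": None},
}


def audit_policies(policies, now=None):
    """Return [(policy_name, [reasons])] for policies that violate the rule.

    A SAS bound to a policy inherits its permissions and expiry, so a policy
    with full access, or with no expiry at all, is reported.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for name, policy in policies.items():
        perms = set(policy.get("permission") or "")
        expiry = policy.get("expiry")
        reasons = []
        # An expired policy can no longer authorize any SAS; skip it.
        if expiry and datetime.fromisoformat(expiry) < now:
            continue
        if FULL_ACCESS <= perms:
            reasons.append("grants full access (" + "".join(sorted(perms)) + ")")
        if not expiry:
            reasons.append("no expiry: tokens bound to it never lapse on their own")
        if reasons:
            findings.append((name, reasons))
    return findings


def remediation_command(account, container, policy_name, permissions="rl", expiry=None):
    """Build the az CLI command that rewrites a policy to the given permissions."""
    cmd = ["az", "storage", "container", "policy", "update",
           "--account-name", account, "--container-name", container,
           "--name", policy_name, "--permissions", permissions]
    if expiry:
        cmd += ["--expiry", expiry]
    return " ".join(cmd)


if __name__ == "__main__":
    for name, reasons in audit_policies(SAMPLE_POLICIES):
        print(name, "->", "; ".join(reasons))
        print("  fix:", remediation_command("mystorageacct", "mycontainer", name))
```

Replace `SAMPLE_POLICIES` with the parsed output of the real `az` command for each container, and choose `permissions` for the fix from what the consuming client actually needs rather than defaulting to `rl`.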
Audit
To determine if your Azure Storage shared access signatures have full access to your resources via stored access policies, perform the following actions:
Remediation / Resolution
To revoke the shared access signature (SAS) full access to your Azure Storage container blobs using stored access policies, perform the following actions: