Regenerate Storage Account Access Keys Periodically

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-002

Ensure that Azure Storage account access keys are regenerated every 90 days in order to decrease the likelihood of accidental exposures and protect your storage account resources against unauthorized access.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

When a Microsoft Azure Storage account is created, Azure generates two 512-bit storage access keys to be used for authentication when storage resources such as blobs, files, tables and queues are accessed by applications. Rotating these credentials periodically will significantly reduce the chances that a compromised set of access keys can be used without your knowledge to access resources available in your storage account.

Note: Regenerating storage account access keys can affect services or applications that are dependent on these keys. All clients that use these access keys to access your storage account resources must be updated to use the new keys.


Audit

To determine if your storage account access keys are periodically regenerated (by default, every 90 days), perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name (link) of the Azure Storage account that you want to examine.

04 In the navigation panel, choose Activity log to view the activity log events generated for the selected storage account.

05 On the Activity log page, click on the Timespan dropdown menu, select Custom and use the Start time and End time controls to select a range of the last 90 days, then click Apply to submit the request. Once the request is sent, the Azure Activity log should list all the events triggered in the last 90 days.

06 Enter RegenerateKey in the Search text box available under the blade top menu and press Enter. If this filtering process does not return any results, there were no access credentials rotated in the past 90 days for the selected storage account, therefore the access keys are not periodically regenerated.

07 Repeat steps no. 3 – 6 for each storage account available within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run storage account list command (Windows/macOS/Linux) with a custom query filter to list the name of each storage account available in the current Azure subscription together with its resource group. Every storage account belongs to exactly one Azure resource group, a logical container for grouping your Azure services:

az storage account list \
	--query '[*].{name:name,resourceGroup:resourceGroup}'

02 The command output should return the requested storage account information:

[
  {
    "name": "abcd1234abcd1234abcd1234",
    "resourceGroup": "cloud-shell-storage-westeurope"
  }
]

03 Run monitor activity-log list command (Windows/macOS/Linux) with the name of the resource group that contains the storage account you want to examine as the identifier parameter and a custom query filter to list the successful Activity log events recorded within the past 90 days (90 days is also the Activity log retention period, so this is as far back as the command can look). The output covers every resource in the resource group; if the group holds more than one resource, check the "resourceId" of each event, or pass the storage account's resource ID with --resource-id instead of --resource-group:

az monitor activity-log list \
	--resource-group cloud-shell-storage-westeurope \
	--status Succeeded \
	--offset 90d \
	--query '[*].{authorization:authorization.action,eventTimestamp:eventTimestamp}'

04 The command output should return the requested information (in this case, the event type and its timestamp):

[
  {
    "authorization": "Microsoft.Storage/storageAccounts/listKeys/action",
    "eventTimestamp": "2019-06-04T17:25:59.595898+00:00"
  },
  {
    "authorization": "Microsoft.Storage/storageAccounts/regenerateKey/action",
    "eventTimestamp": "2019-01-04T11:20:35.450865+00:00"
  },
  {
    "authorization": "Microsoft.Storage/storageAccounts/listKeys/action",
    "eventTimestamp": "2019-01-04T11:20:34.419170+00:00"
  },

  ...

  {
    "authorization": "Microsoft.Storage/storageAccounts/listKeys/action",
    "eventTimestamp": "2019-01-18T07:52:24.085801+00:00"
  },
  {
    "authorization": "Microsoft.Resources/checkPolicyCompliance/read",
    "eventTimestamp": "2019-01-17T19:49:55.367636+00:00"
  },
  {
    "authorization": "Microsoft.Storage/storageAccounts/listKeys/action",
    "eventTimestamp": "2019-01-17T19:39:46.066688+00:00"
  }
]

Check the "eventTimestamp" attribute value of any entry whose "authorization" attribute is set to "Microsoft.Storage/storageAccounts/regenerateKey/action" to determine whether an access key regeneration event was triggered in the past 90 days. If there is no such entry, or its "eventTimestamp" is older than 90 days, no access keys were rotated in the past 90 days for the selected storage account. Keep in mind that a regenerateKey event records a single regeneration request, so an account is only fully rotated once both key1 and key2 have been regenerated.

05 Repeat steps no. 3 and 4 for each resource group created within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.
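The two Audit procedures above reduce to one check per storage account: is there a successful regenerateKey event inside the last 90 days? The following script, added here as an example and not part of Conformity or the Azure CLI, applies that check to the JSON emitted by az monitor activity-log list and az storage account list, and handles the two cases the manual inspection can miss: an account that produced no events at all (it is still non-compliant) and a regenerateKey attempt that failed. The subscription ID, resource IDs, account names and timestamps in SAMPLE_EVENTS and SAMPLE_ACCOUNTS are constructed data modelled on the output shown above, and the NOW constant pins the clock to the page's publication date so the run is reproducible.

```python
"""Audit storage account key rotation from Azure Activity Log events.

Added example (not Conformity's own code). Input: the JSON printed by
`az monitor activity-log list --resource-group <rg> --offset 90d -o json`
plus the account IDs from `az storage account list --query '[].id' -o json`.
SAMPLE_EVENTS / SAMPLE_ACCOUNTS are constructed; the IDs are not real resources.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

REGENERATE_ACTION = "Microsoft.Storage/storageAccounts/regenerateKey/action"
LISTKEYS_ACTION = "Microsoft.Storage/storageAccounts/listKeys/action"
MAX_KEY_AGE_DAYS = 90  # threshold of rule StorageAccounts-002

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
RG = SUB + "/resourceGroups/cloud-shell-storage-westeurope"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/"


def parse_timestamp(value):
    """Activity Log timestamps look like 2019-06-04T17:25:59.595898+00:00;
    some exports end in 'Z', which older fromisoformat() rejects."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def last_regeneration_by_resource(events):
    """Map lower-cased resourceId -> newest *successful* regenerateKey event.
    listKeys and other actions are ignored; failed attempts do not count."""
    latest = {}
    for ev in events:
        if (ev.get("authorization") or {}).get("action") != REGENERATE_ACTION:
            continue
        if (ev.get("status") or {}).get("value", "Succeeded") != "Succeeded":
            continue
        rid = (ev.get("resourceId") or "").lower()
        ts = parse_timestamp(ev["eventTimestamp"])
        if rid and (rid not in latest or ts > latest[rid]):
            latest[rid] = ts
    return latest


def audit(events, account_ids, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return {account_id: (compliant, last_rotation_or_None)}.

    Accounts come from account_ids, not from the events, because an account
    nobody touched produces no events at all. The Activity Log keeps 90 days,
    so "no event" means "not rotated within the window": the rule's failure."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    latest = last_regeneration_by_resource(events)
    report = {}
    for rid in account_ids:
        last = latest.get(rid.lower())
        report[rid] = (last is not None and last >= cutoff, last)
    return report


def noncompliant(report):
    """Short names of the accounts that fail the rule, sorted."""
    return sorted(rid.rsplit("/", 1)[-1] for rid, (ok, _) in report.items() if not ok)


def _event(action, when, account, status="Succeeded"):
    """One event in the shape emitted by az monitor activity-log list."""
    return {
        "authorization": {"action": action, "scope": STORAGE + account},
        "eventTimestamp": when,
        "resourceId": STORAGE + account,
        "status": {"localizedValue": status, "value": status},
    }


# Constructed sample: one resource group, three storage accounts.
SAMPLE_ACCOUNTS = [STORAGE + n for n in ("stgalpha", "stgbeta", "stggamma")]
SAMPLE_EVENTS = [
    _event(LISTKEYS_ACTION, "2019-06-04T17:25:59.595898+00:00", "stgalpha"),
    _event(REGENERATE_ACTION, "2019-05-20T09:12:00.000000+00:00", "stgalpha"),  # 18 days old: OK
    _event(REGENERATE_ACTION, "2019-06-01T08:00:00Z", "stgbeta", status="Failed"),  # ignored
    _event(REGENERATE_ACTION, "2019-03-01T11:20:35.450865+00:00", "stgbeta"),  # 97 days old: FAIL
    _event(LISTKEYS_ACTION, "2019-05-30T07:52:24.085801+00:00", "stggamma"),  # never rotated: FAIL
]
NOW = datetime(2019, 6, 7, tzinfo=timezone.utc)  # page publication date, for a reproducible run


if __name__ == "__main__":
    # Usage: python audit_keys.py events.json accounts.json  (no args: run the sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_ev, open(sys.argv[2]) as f_acc:
            result = audit(json.load(f_ev), json.load(f_acc))
    else:
        result = audit(SAMPLE_EVENTS, SAMPLE_ACCOUNTS, now=NOW)
    for rid, (ok, last) in result.items():
        print(f"{rid.rsplit('/', 1)[-1]:12} {'OK ' if ok else 'FAIL'} "
              f"last regenerateKey: {last or 'none in window'}")
```

Run with no arguments for the constructed sample, or save the CLI output first (az monitor activity-log list --resource-group <rg> --offset 90d -o json > events.json and az storage account list --query '[].id' -o json > accounts.json) and pass both files. Passing the full account list is what makes a never-rotated account show up as FAIL rather than silently disappearing from the report.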

Remediation / Resolution

To regenerate your Azure Storage account access keys in order to ensure that any inadvertent access or exposure does not result in these credentials being compromised, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name of the storage account that holds the access keys that you want to regenerate (see Audit section part I to identify the right resource).

04 In the navigation panel, under Settings, choose Access keys. Your storage account access keys should be displayed on this page together with the complete connection string for each key.

05 Regenerating your access keys can affect the cloud applications that are dependent on these keys. To initiate the regeneration process, update the connection string(s) in your application code to use the secondary key (i.e. key2), available in the Connection string box.

06 Click on the Regenerate button next to key1 to regenerate the primary access key, then select Yes to confirm your action.

07 Once the new primary access key is successfully generated, update the connection string(s) within your application code to reference the new key.

08 Repeat steps no. 5 – 7 to regenerate the secondary access key in the same manner.

09 Repeat steps no. 3 – 8 for each storage account available in the current Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Regenerating your access keys can affect the cloud applications that are dependent on these keys. To start the regeneration process, update all the connection string(s) in your application code to use the secondary key (i.e. key2), so that no client is still using key1 when it is regenerated. To retrieve the connection string for the secondary access key, run storage account show-connection-string command (Windows/macOS/Linux) with the name of the storage account that contains the access keys you want to regenerate as the identifier parameter (see Audit section part II to identify the right account):

az storage account show-connection-string \
	--name abcd1234abcd1234abcd1234 \
	--resource-group cloud-shell-storage-westeurope \
	--key secondary

02 The command output should return the connection string for the secondary access key:

{
  "connectionString": "DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;AccountName=abcd1234abcd1234abcd1234;AccountKey=abcdabcdabcdabcdabcdabcdabcdabcd"
}

03 Run storage account keys renew command (Windows/macOS/Linux) to regenerate the primary access key for the specified storage account. The key1 value shown to clients before this step stops working immediately, which is why every client must already be on key2:

az storage account keys renew \
	--account-name abcd1234abcd1234abcd1234 \
	--resource-group cloud-shell-storage-westeurope \
	--key primary

04 The command output should return the new primary access key (where "keyName" is set to "key1"):

[
  {
    "keyName": "key1",
    "permissions": "Full",
    "value": "aaaabbbbccccddddaaaabbbbccccdddd"
  },
  {
    "keyName": "key2",
    "permissions": "Full",
    "value": "abcdabcdabcdabcdabcdabcdabcdabcd"
  }
]

05 Update the connection string(s) in your application code again, this time to reference the new primary key (i.e. key1). To get the connection string for the regenerated primary access key, run storage account show-connection-string command (Windows/macOS/Linux) with the --key parameter set to primary:

az storage account show-connection-string \
	--name abcd1234abcd1234abcd1234 \
	--resource-group cloud-shell-storage-westeurope \
	--key primary

06 The command output should return the connection string for the new primary access key:

{
  "connectionString": "DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;AccountName=abcd1234abcd1234abcd1234;AccountKey=aaaabbbbccccddddaaaabbbbccccdddd"
}

07 Repeat steps no. 3 and 4 with the --key parameter set to secondary to regenerate the secondary access key in the same manner. Because all clients now reference the new key1, regenerating key2 does not interrupt them.

08 Repeat steps no. 1 – 7 for each storage account available in the current Azure subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.
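Both Remediation procedures rely on one ordering rule: never regenerate the key that clients are currently using. The script below is an added example, not Conformity's or Microsoft's code. StorageAccount and ClientConfig are in-memory stand-ins (an assumption made so it runs offline) for the real storage account and for an application's connection string; the two regenerate_key calls correspond to az storage account keys renew --key primary and --key secondary, and point_clients_at corresponds to updating the connection string in your application configuration. It verifies after every step that no client holds a key the account no longer accepts, confirms that both pre-rotation key values are dead at the end, and shows what the Note in the Security section warns about when the order is reversed.

```python
"""Regenerate both storage account keys without locking out clients.

Added example, not Conformity's or Microsoft's code. StorageAccount and
ClientConfig are stand-ins (assumption) for the Azure resource and for an
app's stored connection string; in production, regenerate_key maps to
`az storage account keys renew --key primary|secondary` and point_clients_at
to updating the AccountKey in your secret store or app configuration.
"""
import base64
import secrets
from dataclasses import dataclass


def new_key():
    """Azure keys are 512-bit values shown base64-encoded; mimic that shape."""
    return base64.b64encode(secrets.token_bytes(64)).decode()


class StorageAccount:
    """Two full-permission keys; a request signed with either one is accepted."""

    def __init__(self, name):
        self.name = name
        self.keys = {"key1": new_key(), "key2": new_key()}

    def regenerate_key(self, key_name):
        # Equivalent of `az storage account keys renew --key primary|secondary`:
        # the old value of that key stops working at once.
        if key_name not in self.keys:
            raise ValueError(f"unknown key {key_name}")
        self.keys[key_name] = new_key()
        return dict(self.keys)

    def accepts(self, key):
        return key in self.keys.values()


@dataclass
class ClientConfig:
    """Stand-in for one application's connection string (AccountKey=...)."""
    app: str
    account_key: str


def point_clients_at(account, clients, key_name):
    """Update every dependent app's connection string to the named key."""
    for c in clients:
        c.account_key = account.keys[key_name]


def check_no_lockout(account, clients, step):
    """Fail loudly if any client now holds a key the account no longer accepts."""
    for c in clients:
        if not account.accepts(c.account_key):
            raise RuntimeError(f"{c.app} locked out after step: {step}")


def rotate_both_keys(account, clients):
    """Order from the Remediation section:
    clients -> key2, renew key1, clients -> new key1, renew key2.
    Every client holds an accepted key at every step, and afterwards neither
    pre-rotation key value works, so nothing leaked earlier is still usable."""
    before = dict(account.keys)
    point_clients_at(account, clients, "key2")
    check_no_lockout(account, clients, "move clients to key2")
    account.regenerate_key("key1")
    check_no_lockout(account, clients, "regenerate key1")
    point_clients_at(account, clients, "key1")
    check_no_lockout(account, clients, "move clients to new key1")
    account.regenerate_key("key2")
    check_no_lockout(account, clients, "regenerate key2")
    old_still_valid = [k for k in before.values() if account.accepts(k)]
    return {"rotated": not old_still_valid, "keys": dict(account.keys)}


def rotate_in_wrong_order(account, clients):
    """The mistake the Note warns about: regenerating the key clients still
    use. Returns the lockout message, or None if (impossibly) nothing broke."""
    point_clients_at(account, clients, "key1")
    account.regenerate_key("key1")
    try:
        check_no_lockout(account, clients, "regenerate key1 while in use")
    except RuntimeError as exc:
        return str(exc)
    return None


def demo(n_clients=2):
    """Run both sequences on fresh stand-in accounts and summarise the outcome."""
    acct = StorageAccount("abcd1234abcd1234abcd1234")
    apps = [ClientConfig(f"app{i}", acct.keys["key1"]) for i in range(n_clients)]
    safe = rotate_both_keys(acct, apps)
    clients_ok = all(acct.accepts(c.account_key) for c in apps)
    wrong = rotate_in_wrong_order(StorageAccount("other"), apps)
    return {"rotated": safe["rotated"], "clients_ok": clients_ok, "wrong_order_error": wrong}


if __name__ == "__main__":
    print(demo())
```

The check_no_lockout calls are the part worth keeping when you replace the stand-ins with real calls: after each step, issue a cheap authenticated request (for example listing a container) from each client's current connection string, and stop the rotation if any of them fails rather than continuing to regenerate the second key.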

Publication date Jun 7, 2019