Ensure that Azure Storage account access keys are regenerated every 90 days in order to decrease the likelihood of accidental exposures and protect your storage account resources against unauthorized access.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
When a Microsoft Azure Storage account is created, Azure generates two 512-bit storage access keys to be used for authentication when storage resources such as blobs, files, tables and queues are accessed by applications. Rotating these credentials periodically will significantly reduce the chances that a compromised set of access keys can be used without your knowledge to access resources available in your storage account.
Note: Regenerating storage account access keys can affect services or applications that are dependent on these keys. All clients that use these access keys to access your storage account resources must be updated to use the new keys.
Audit
To determine if your storage account access keys are periodically regenerated (by default, every 90 days), perform the following actions:
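The check this Audit section calls for, written as an added example that is not part of the Conformity page or of Azure's own tooling: it takes data shaped like the output of `az storage account list` and `az monitor activity-log list` (constructed samples embedded below; the trimmed field layout and the `regenerateKey/action` operation name are assumptions) and flags every account whose most recent successful key regeneration is older than 90 days, or that has none on record.

```python
from datetime import datetime, timedelta, timezone

# Assumed operation name recorded in the activity log when a key is regenerated.
REGENERATE_KEY_OP = "Microsoft.Storage/storageAccounts/regenerateKey/action"
MAX_KEY_AGE_DAYS = 90

# Constructed sample, trimmed to the fields used, shaped like `az storage account list`.
_PREFIX = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1" \
          "/providers/Microsoft.Storage/storageAccounts/"
ACCOUNTS = [
    {"name": "prodlogs", "id": _PREFIX + "prodlogs"},
    {"name": "archive", "id": _PREFIX + "archive"},
    {"name": "newaccount", "id": _PREFIX + "newaccount"},
]

# Constructed sample, shaped like `az monitor activity-log list --offset 90d` output.
EVENTS = [
    {"operationName": {"value": REGENERATE_KEY_OP}, "status": {"value": "Succeeded"},
     "eventTimestamp": "2024-04-01T09:15:00+00:00", "resourceId": ACCOUNTS[0]["id"]},
    {"operationName": {"value": REGENERATE_KEY_OP}, "status": {"value": "Succeeded"},
     "eventTimestamp": "2023-11-20T17:40:00+00:00", "resourceId": ACCOUNTS[1]["id"]},
    # A listKeys call is not a rotation and must be ignored.
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"},
     "status": {"value": "Succeeded"},
     "eventTimestamp": "2024-05-02T08:00:00+00:00", "resourceId": ACCOUNTS[1]["id"]},
    # A failed regeneration did not rotate anything and must be ignored too.
    {"operationName": {"value": REGENERATE_KEY_OP}, "status": {"value": "Failed"},
     "eventTimestamp": "2024-05-03T08:00:00+00:00", "resourceId": ACCOUNTS[2]["id"]},
]


def last_rotation(events, resource_id):
    """Timestamp of the newest successful regenerateKey event for the account, or None."""
    times = [datetime.fromisoformat(e["eventTimestamp"])
             for e in events
             if e["resourceId"].lower() == resource_id.lower()
             and e["operationName"]["value"] == REGENERATE_KEY_OP
             and e["status"]["value"] == "Succeeded"]
    return max(times) if times else None


def audit(accounts, events, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return {account name: (last rotation or None, overdue flag)}.
    No rotation in the queried window counts as overdue: the log cannot show
    the keys are younger than max_age_days, so the account fails the check."""
    result = {}
    for acct in accounts:
        last = last_rotation(events, acct["id"])
        overdue = last is None or (now - last) > timedelta(days=max_age_days)
        result[acct["name"]] = (last, overdue)
    return result


if __name__ == "__main__":
    for name, (last, overdue) in audit(ACCOUNTS, EVENTS, datetime.now(timezone.utc)).items():
        print(f"{name}: last rotation {last}, {'OVERDUE' if overdue else 'ok'}")
```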
Remediation / Resolution
To regenerate your Azure Storage account access keys, so that an inadvertent exposure or unnoticed access does not leave a compromised credential in use, perform the following actions:
References
- Azure Official Documentation
  - Create a storage account
  - Manage storage account settings in the Azure portal
- CIS Microsoft Azure Foundations
- Azure Command Line Interface (CLI) Documentation
  - az
  - az storage account list
  - az monitor activity-log list
  - az storage account show-connection-string
  - az storage account keys renew