Allow Shared Access Signature Tokens Over HTTPS Only

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-005

Ensure that your Microsoft Azure Storage SAS tokens are configured to allow access requests over the HTTPS protocol only. A Shared Access Signature (SAS) is a URI that grants restricted access rights to your Azure Storage resources. A SAS token is the query string that includes all of the information required to authenticate the Shared Access Signature, as well as to specify the Azure Storage service and resource, the permissions required for access, and the time-frame for which the signature is valid.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

To adhere to cloud security best practices, always use the HTTPS protocol when creating or providing a Shared Access Signature (SAS) to your clients. If a SAS is passed over HTTP and intercepted, an attacker performing a man-in-the-middle attack would be able to read the SAS token and use it to compromise sensitive data or corrupt it.


Audit

To determine if your storage account SAS tokens are allowed over the HTTPS protocol only, perform the following actions:

Note: Currently, the SAS token configuration cannot be audited using the Azure Management Console and/or the Azure CLI. Until Microsoft Azure makes the SAS transfer protocol a setting rather than a parameter provided at token creation, the audit process requires manual verification.

Manual Verification

01 Locate the Shared Access Signature (SAS) token defined within the SAS URL provided to your storage account clients. The SAS token starts with a question mark, followed by a set of parameters, e.g. ?sv=2018-03-28&ss=bfqt&srt=sco&sp=rwdlacup&se=2019-06-11T10:25:43Z&st=2019-06-11T11:25:43Z&spr=https,http&sig=abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd. Identify the communication protocol allowed for the verified token, defined as the value of the spr parameter, for example spr=https,http. If the spr parameter is not set to HTTPS only (i.e. spr=https), the selected Shared Access Signature (SAS) token's configuration is not compliant.

02 Repeat step no. 1 for each Shared Access Signature (SAS) URL created for the current storage account.

03 Repeat steps no. 1 and 2 for each storage account available within the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
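One way to script the manual check in steps 01 to 04, as an added example that is not Conformity's own code: it parses a SAS URL or bare token, flags any token whose spr value is not exactly https (an absent spr is treated as https,http, which is the Azure default for this parameter), and also reports a validity window longer than the recommended hour. The storage account names and signatures below are constructed samples.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample SAS URLs (not real accounts or signatures):
# 1) both protocols allowed, 2) compliant, 3) spr omitted and a 24 h window.
SAMPLE_URLS = [
    "https://example.blob.core.windows.net/?sv=2018-03-28&ss=bfqt&srt=sco&sp=rwdlacup"
    "&st=2019-06-11T10:25:43Z&se=2019-06-11T11:25:43Z&spr=https,http&sig=abcdabcd",
    "https://example.blob.core.windows.net/?sv=2018-03-28&ss=bfqt&srt=sco&sp=rwdlacup"
    "&st=2019-06-11T12:33:40Z&se=2019-06-11T13:33:40Z&spr=https&sig=aaaabbbb",
    "https://example.blob.core.windows.net/?sv=2018-03-28&ss=b&srt=o&sp=r"
    "&st=2019-06-11T12:00:00Z&se=2019-06-12T12:00:00Z&sig=ccccdddd",
]

MAX_VALIDITY_SECONDS = 3600  # Conformity's recommended SAS lifetime: one hour


def parse_sas_token(url_or_token):
    """Return the SAS query parameters as a flat dict (first value of each key)."""
    if "://" in url_or_token:
        query = urlsplit(url_or_token).query
    else:
        query = url_or_token.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def _parse_time(value):
    # SAS timestamps appear with second or minute precision; accept both.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAS timestamp: {value}")


def audit_sas(url_or_token):
    """Return a list of findings for one SAS; an empty list means compliant."""
    params = parse_sas_token(url_or_token)
    findings = []
    # Assumption: when spr is omitted Azure permits both HTTPS and HTTP.
    spr = params.get("spr", "https,http")
    if spr != "https":
        findings.append(f"spr={spr}: SAS accepted over HTTP (StorageAccounts-005)")
    if "st" in params and "se" in params:
        lifetime = (_parse_time(params["se"]) - _parse_time(params["st"])).total_seconds()
        if lifetime > MAX_VALIDITY_SECONDS:
            findings.append(f"validity window of {lifetime / 3600:.1f} h exceeds the recommended 1 h")
    return findings


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url.split("?", 1)[0], audit_sas(url) or "compliant")
```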

Remediation / Resolution

To re-create your Shared Access Signature (SAS) tokens for compliance, use the SignedProtocol (spr) parameter to configure the tokens to allow access requests over HTTPS only. To create and configure compliant SAS tokens, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name of the storage account that holds the SAS token that you want to regenerate.

04 In the navigation panel, under Settings, choose Shared access signature to access the SAS generator.

05 On the Shared access signature generator page, perform the following actions to create your new SAS token:

  1. From Allowed services, select the Azure Storage services accessible with the Shared Access Signature.
  2. From the Allowed resource types section, select the storage resource types accessible with the SAS.
  3. From Allowed permissions, choose the permissions required for the account SAS. Permissions are valid only if they match the specified allowed resource type, otherwise these permissions are ignored.
  4. Use the Start and End date and time picker controls from the Start and expiry date/time section to configure the start and the end date/time during which the account SAS is valid. Cloud Conformity strongly recommends a SAS validity period no longer than an hour.
  5. In the Allowed IP addresses box, enter the client IP address or range of IP addresses from which to accept access requests.
  6. From Allowed protocols, select HTTPS only to allow access requests over HTTPS protocol only.
  7. From Signing key, select the access key used to authenticate the requests. If the selected access key is regenerated over the SAS lifetime, the SAS token will also need to be regenerated. This action will not interrupt access to disks from your Azure virtual machines.
  8. Click Generate SAS and connection string to create your new Azure Shared Access Signature (SAS).

06 Replace the Shared Access Signature (SAS) token defined within the SAS URL(s) provided to your storage account clients with the compliant token generated at the previous step (e.g. ?sv=2018-03-28&ss=bfqt&srt=sco&sp=rwdlacup&se=2019-06-11T12:33:40Z&st=2019-06-11T13:33:40Z&spr=https&sig=aaaabbbbccccddddaaaabbbbccccddddaaaabbbbccccdddd), available in the SAS token box.

07 If required, repeat steps no. 5 and 6 to generate new Shared Access Signature (SAS) tokens.

08 Repeat steps no. 3 – 7 for each storage account available in the current Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Define the Shared Access Signature (SAS) validity period (the recommended value for this parameter is 1 hour):

end=`date -d "60 minutes" '+%Y-%m-%dT%H:%MZ'`

02 Run the storage account generate-sas command (Windows/macOS/Linux) using the name of the storage account that utilizes the non-compliant SAS token as the identifier parameter, to generate a new Shared Access Signature (SAS) for the Blob, File, Queue and Table Azure Storage services, with a validity period of one hour, that allows access requests over the HTTPS protocol only:

az storage account generate-sas \
	--permissions cdlruwap \
	--account-name aaaabbbbccccddddaaaabbbb \
	--services bfqt \
	--resource-types sco \
	--https-only \
	--expiry $end -otsv

03 The command output should return the parameters for the new Shared Access Signature:

se=2019-06-11T17%3A23Z&sp=rwdlacup&sv=2018-03-28&ss=qt&srt=sco&sig=abcabc/abcd1234abcd1234abcd1234abcd1234abcd1234

04 If required, repeat steps no. 1 – 3 to generate new Shared Access Signature (SAS) tokens.

05 Repeat steps no. 1 – 4 for each storage account available in the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Publication date Jun 12, 2019