
Shared Access Signature Tokens Expire Within An Hour


Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-004

Ensure that your Microsoft Azure Storage SAS tokens are configured to expire within an hour in order to protect Azure cloud data against unauthorized access. In this way, even if a SAS token is compromised, it remains valid only for a short time. A Shared Access Signature (SAS) is a URI that grants restricted access rights to your Azure Storage resources. The SAS token is the query string that includes all of the information required to authenticate the Shared Access Signature, as well as to specify the Azure Storage service and resource, the permissions granted, and the time frame for which the signature is valid.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

A SAS token is useful for granting limited permissions on your Azure Storage account to clients that should not have the account access key. Providing a Shared Access Signature (SAS) token to these clients allows them to access your resources for a specified period of time. To protect your storage account resources against unapproved access, the validity period configured for your SAS tokens should be as short as possible, ideally no longer than an hour.


Audit

To determine if your storage account SAS tokens are set to expire within an hour, perform the following actions:

Note: Currently, SAS token expiration times cannot be audited using the Azure Management Console or the Azure CLI. Until Microsoft Azure makes token expiration time a setting rather than a parameter provided at token creation, the audit requires manual verification.

Manual Verification

01 Find the Shared Access Signature (SAS) token defined within the SAS URL provided to your storage account clients. The SAS token starts with a question mark, followed by a set of parameters, e.g. ?sv=2018-03-28&ss=bfqt&srt=sco&sp=rwdlacup&se=2019-06-05T19:59:21Z&st=2019-06-05T11:59:21Z&spr=https&sig=abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd. Identify the token expiration date and time (UTC) given as the value of the se parameter, for example se=2019-06-05T19:59:21Z, and compare it with the start date and time given by the st parameter (for example st=2019-06-05T11:59:21Z). If the verified Shared Access Signature (SAS) token is not set to expire within an hour of its start time (or of its creation, when no start time is set), the selected SAS token's configuration is not compliant.

02 Repeat step no. 1 for each Shared Access Signature (SAS) URL created for the current storage account.

03 Repeat step no. 1 and 2 for each storage account available within the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
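The manual verification above can be scripted once the SAS URLs handed to clients have been collected. The following checker is an added example, not part of the Conformity rule page or any Microsoft tooling: it extracts the st and se parameters from a full SAS URL or a bare token (including the percent-encoded, minute-precision form the Azure CLI prints), computes the validity window, and flags anything longer than an hour. Tokens without an st parameter are reported as needing manual review, because their window starts at creation time, which the token itself does not record. The sample tokens and signatures are constructed for the example.

```python
"""Added example: audit Azure Storage SAS tokens for the one-hour validity limit.

Not part of the Conformity page. The sample SAS values below are constructed
and carry dummy signatures; collect real SAS URLs from client configuration.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_VALIDITY = timedelta(hours=1)  # the limit this rule enforces

# Azure accepts several ISO 8601 forms for st/se; the page shows the
# second-precision (portal) and minute-precision (az -otsv) variants.
_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def _parse_sas_time(value):
    """Parse an st/se value into an aware UTC datetime."""
    for fmt in _TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def sas_params(sas):
    """Return the SAS query parameters from a full SAS URL or a bare token.

    A bare token may start with '?' (portal format) or not (az -otsv output).
    parse_qs also decodes percent-encoded values such as 17%3A23Z.
    """
    query = urlsplit(sas).query if "://" in sas else sas.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def sas_validity(sas):
    """Return the validity window (se - st) as a timedelta, or None when the
    token carries no st parameter (window starts at creation time)."""
    params = sas_params(sas)
    if "se" not in params:
        raise ValueError("SAS token has no expiry (se) parameter")
    if "st" not in params:
        return None
    return _parse_sas_time(params["se"]) - _parse_sas_time(params["st"])


def check_sas(sas):
    """Classify one SAS as 'compliant', 'non-compliant' or 'manual'."""
    validity = sas_validity(sas)
    if validity is None:
        return "manual"  # creation time must be verified by hand
    if validity <= timedelta(0):
        return "non-compliant"  # empty or inverted window is never acceptable
    return "compliant" if validity <= MAX_VALIDITY else "non-compliant"


# Constructed sample inputs (dummy signatures), mirroring the page's examples.
SAMPLE_SAS = {
    "eight-hour-window": (
        "https://abcd1234.blob.core.windows.net/?sv=2018-03-28&ss=bfqt&srt=sco"
        "&sp=rwdlacup&se=2019-06-05T19:59:21Z&st=2019-06-05T11:59:21Z"
        "&spr=https&sig=AAAA"
    ),
    "one-hour-window": (
        "?sv=2018-03-28&ss=bfqt&srt=sco&sp=rwdlacup"
        "&st=2019-06-11T12:33:50Z&se=2019-06-11T13:33:50Z&spr=https&sig=BBBB"
    ),
    "cli-output-no-start": (
        "se=2019-06-11T17%3A23Z&sp=rwdlacup&sv=2018-03-28&ss=qt&srt=sco&sig=CCCC"
    ),
}


def audit(sas_by_label):
    """Run check_sas over a mapping of label -> SAS URL/token."""
    return {label: check_sas(sas) for label, sas in sas_by_label.items()}


if __name__ == "__main__":
    for label, status in audit(SAMPLE_SAS).items():
        print(f"{label}: {status}")
```

Anything reported as manual should be traced back to the moment the token was issued (ticket, deployment log, or the client's own record) before it is marked compliant.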

Remediation / Resolution

To re-create your Shared Access Signature (SAS) tokens for compliance, set the start and end time parameters so that each token expires within an hour. To create and configure compliant SAS tokens, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name of the storage account that holds the SAS token that you want to regenerate.

04 In the navigation panel, under Settings, choose Shared access signature.

05 On the Shared access signature page, perform the following actions to generate your new SAS token:

  1. From Allowed services, select the Azure Storage services accessible with the account SAS.
  2. From the Allowed resource types section, select the storage resource types accessible with the account SAS.
  3. From Allowed permissions, choose the permissions required for the account SAS. Permissions are valid only if they match the specified allowed resource type, otherwise, they are ignored.
  4. Use the Start and End date and time picker controls from the Start and expiry date/time section to configure the start and the end date/time during which the account SAS is valid. Make sure that the SAS validity period configured at this step is no longer than an hour.
  5. In the Allowed IP addresses box, enter the client IP address or range of IP addresses from which to accept requests.
  6. From Allowed protocols, choose the protocols permitted for requests made with the account SAS. We strongly recommend allowing requests over HTTPS only.
  7. From Signing key, select the access key used to authenticate the requests. Note that if you regenerate the selected access key, the existing SAS token will also need to be regenerated. This action will not interrupt access to disks from your Azure virtual machines (VMs).
  8. Click Generate SAS and connection string to create your new Azure Shared Access Signature (SAS).

06 Replace the Shared Access Signature (SAS) token defined within the SAS URL(s) provided to your storage account clients with the compliant token generated at the previous step (e.g. ?sv=2018-03-28&ss=bfqt&srt=sco&sp=rwdlacup&st=2019-06-11T12:33:50Z&se=2019-06-11T13:33:50Z&spr=https&sig=aaaabbbbccccddddaaaabbbbccccddddaaaabbbbccccdddd), available in the SAS token box.

07 If required, repeat step no. 5 and 6 to generate new Shared Access Signature (SAS) tokens.

08 Repeat steps no. 3 – 7 for each storage account available in the current Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 First, configure the Shared Access Signature (SAS) validity period (in this case 1 hour):

end=`date -d "60 minutes" '+%Y-%m-%dT%H:%MZ'`

02 Next, run the storage account generate-sas command (Windows/macOS/Linux), using the name of the storage account that holds the non-compliant SAS token as the identifier parameter, to generate a new Shared Access Signature (SAS) for the Blob, File, Queue and Table Azure Storage services with a validity period of one hour:

az storage account generate-sas \
    --permissions cdlruwap \
    --account-name abcd1234abcd1234abcd1234 \
    --services bfqt \
    --resource-types sco \
    --expiry $end -otsv

03 The command output should return the new Shared Access Signature (SAS) parameters, e.g.:

se=2019-06-11T17%3A23Z&sp=rwdlacup&sv=2018-03-28&ss=qt&srt=sco&sig=abcdabc/abcd1234abcd%1234abcd1234abcd1234abcd%1234

04 If required, repeat steps no. 1 – 3 to generate new Shared Access Signature (SAS) tokens.

05 Repeat steps no. 1 – 4 for each storage account available in the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
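The expiry computation in step 01 relies on the -d option of GNU date, which BSD date on macOS and the Windows shells do not provide. The following wrapper is an added example, not code from the Conformity page or from the Azure CLI project: it computes a compliant --expiry value in the same Y-m-dTH:MZ form, builds the generate-sas command from step 02 (adding --https-only to match the HTTPS-only recommendation from the console steps), runs it, and confirms that the se value in the returned token equals the expiry requested. It assumes the az CLI is installed and signed in; the account name passed to it is a placeholder, and the run argument exists so the command can be substituted in tests.

```python
"""Added example: regenerate an account SAS with a one-hour expiry via az.

Not part of the Conformity page. Assumes the Azure CLI is installed and
logged in; the account name used by the caller is a placeholder.
"""
import re
import subprocess
from datetime import datetime, timedelta, timezone


def compliant_expiry(now=None, minutes=60):
    """Return the --expiry value, `minutes` after `now`, formatted the way the
    page's date command formats it (minute precision, UTC, trailing Z).

    Seconds are dropped by the format, so the real window is never longer
    than the requested number of minutes.
    """
    if minutes > 60:
        raise ValueError("this rule allows a validity period of at most one hour")
    now = now or datetime.now(timezone.utc)
    return (now + timedelta(minutes=minutes)).strftime("%Y-%m-%dT%H:%MZ")


def generate_sas_command(account_name, expiry, permissions="cdlruwap",
                         services="bfqt", resource_types="sco"):
    """Build the argument list for the az command shown in step 02."""
    return [
        "az", "storage", "account", "generate-sas",
        "--permissions", permissions,
        "--account-name", account_name,
        "--services", services,
        "--resource-types", resource_types,
        "--expiry", expiry,
        "--https-only",  # allow HTTPS requests only, as the console steps recommend
        "-otsv",
    ]


def expiry_in_token(token):
    """Extract the se value from the CLI's tsv output, where the colon is
    percent-encoded (e.g. se=2019-06-11T17%3A23Z)."""
    match = re.search(r"(?:^|[?&])se=([^&\s]+)", token)
    if not match:
        raise ValueError("no se parameter in SAS token")
    return match.group(1).replace("%3A", ":")


def regenerate_sas(account_name, run=subprocess.run):
    """Generate a new account SAS valid for one hour and verify its expiry.

    `run` is subprocess.run by default; a fake can be injected for testing.
    """
    expiry = compliant_expiry()
    result = run(generate_sas_command(account_name, expiry),
                 check=True, capture_output=True, text=True)
    token = result.stdout.strip()
    if expiry_in_token(token) != expiry:
        raise RuntimeError("CLI returned a SAS whose expiry differs from the one requested")
    return token


if __name__ == "__main__":
    # Placeholder account name; replace with the storage account being remediated.
    print(regenerate_sas("abcd1234abcd1234abcd1234"))
```

The returned token should then replace the non-compliant one in every SAS URL handed to clients, exactly as step 06 of the console procedure describes.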


Publication date Jun 12, 2019