Ensure that your Microsoft Azure Storage SAS tokens are configured to expire within an hour in order to protect Azure cloud data against unauthorized access. In this way, even if a SAS token is compromised, it remains valid only for a short time. A Shared Access Signature (SAS) is a URI that grants restricted access rights to your Azure Storage resources. The SAS token is the query string that includes all of the information required to authenticate the Shared Access Signature, as well as to specify the Azure Storage service and resource, the permissions granted, and the time frame for which the signature is valid.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
A SAS token is useful for granting limited permissions on your Azure Storage account to clients that should not hold the account access key. Providing a Shared Access Signature (SAS) token to these clients allows them to access your resources for a specified period of time. To protect your storage account resources against unapproved access, the validity period configured for your SAS tokens should be as short as possible, ideally no longer than an hour.
Audit
To determine if your storage account SAS tokens are set to expire within an hour, perform the following actions:
Note: Currently, SAS token expiration times cannot be audited using the Azure Management Console and/or the Azure CLI. Until Microsoft Azure makes token expiration time a setting rather than a parameter provided at token creation, the audit requires manual verification.
Remediation / Resolution
To re-create your Shared Access Signature (SAS) tokens for compliance, set the start and end time parameters so that each token expires within an hour of its start. To create and configure compliant SAS tokens, perform the following actions:
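As an added example (not part of the Conformity rule or of Microsoft's tooling), the following Python script does two things the rule describes: it measures the validity window of a SAS query string from its `st=` and `se=` parameters (falling back to a caller-supplied issuance time when `st=` is absent, since that parameter is optional on a SAS), and it assembles an `az storage account generate-sas` invocation whose `--start` and `--expiry` are exactly one hour apart. The storage account name, service, resource-type and permission values are hypothetical placeholders; the `sig=` values in the tests are constructed, not real signatures.

```python
"""Audit SAS token lifetimes and build a one-hour az CLI invocation (constructed example)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

MAX_LIFETIME = timedelta(hours=1)     # the rule's ceiling: tokens live at most one hour
AZ_TIME_FMT = "%Y-%m-%dT%H:%MZ"       # UTC format the az CLI expects for --start/--expiry


def parse_sas_time(value):
    """Parse the UTC ISO 8601 timestamps used in the st= and se= parameters."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", AZ_TIME_FMT, "%Y-%m-%dZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def sas_lifetime(token, issued_at=None):
    """Validity window of a SAS query string as a timedelta. st= is optional on
    a SAS: when it is missing the token is valid from issuance, so the caller
    must pass issued_at (the UTC time the token was generated)."""
    params = parse_qs(token.lstrip("?"))
    if "se" not in params:
        raise ValueError("SAS token carries no expiry (se=)")
    expiry = parse_sas_time(params["se"][0])
    if "st" in params:
        start = parse_sas_time(params["st"][0])
    elif issued_at is not None:
        start = issued_at
    else:
        raise ValueError("no st= parameter and no issued_at given")
    return expiry - start


def sas_compliant(token, issued_at=None, max_lifetime=MAX_LIFETIME):
    """True when the token is valid for no longer than max_lifetime."""
    return sas_lifetime(token, issued_at) <= max_lifetime


def generate_sas_command(account, now=None, services="b", resource_types="sco",
                         permissions="rl"):
    """argv for `az storage account generate-sas` with a one-hour window.
    Account name and access scope are hypothetical; narrow them to what the
    client actually needs."""
    now = now or datetime.now(timezone.utc)
    return ["az", "storage", "account", "generate-sas",
            "--account-name", account,
            "--services", services, "--resource-types", resource_types,
            "--permissions", permissions, "--https-only",
            "--start", now.strftime(AZ_TIME_FMT),
            "--expiry", (now + MAX_LIFETIME).strftime(AZ_TIME_FMT)]
```

Run `sas_compliant()` over the SAS query strings you hand to clients (for example from your provisioning logs) to flag any whose window exceeds an hour, and use `generate_sas_command()` as the template when re-issuing them.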
References
- Azure Official Documentation
- Grant limited access to Azure Storage resources using shared access signatures (SAS)
- Create an account SAS
- CIS Microsoft Azure Foundations
- Azure Command Line Interface (CLI) Documentation
- az
- az storage account generate-sas