SAS token has long expiry time Affecting Storage service in Azure

Severity Framework Snyk CCSS

Rule category Data / Access Control

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Azure CIS-Controls

Snyk ID SNYK-CC-00704
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Compromised credentials can be reused for a long period of time.

How to fix?

Set sasExpirationPeriod attribute value to 1 hour or less.

Example Configuration

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
{
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2021-04-01",
            "name": "example704a1",
            "location": "eastus",
            "sku": {
                "name": "Standard_LRS",
                "tier": "Standard"
            },
            "kind": "StorageV2",
            "properties": {
                "accessTier": "Hot",
                "allowBlobPublicAccess": false,
                "minimumTlsVersion": "TLS1_2",
                "networkAcls": {
                    "bypass": "AzureServices",
                    "virtualNetworkRules": [],
                    "ipRules": [],
                    "defaultAction": "Allow"
                },
                "sasPolicy": {
                    "expirationAction": "Log",
                    "sasExpirationPeriod": "00.01:00:00"
                }
            }
        }
    ]
}

ARM

Microsoft.Storage storageAccounts

Terraform

azurerm_storage_account_sas

References

Grant limited access to Azure Storage resources using shared access signatures (SAS)