CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
A shared access signature (SAS) that has a long or unset expiry stays valid long after it leaks, so compromised credentials can be reused for a long period of time.
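Set the `sasExpirationPeriod` attribute value to 1 hour or less. The value uses the `DD.HH:MM:SS` format, so `00.01:00:00` means one hour. With `expirationAction` set to `Log`, as in the template below, the policy is an auditing control: SAS tokens that exceed the period are logged rather than rejected, so the logs still have to be monitored.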
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-04-01",
"name": "example704a1",
"location": "eastus",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"accessTier": "Hot",
"allowBlobPublicAccess": false,
"minimumTlsVersion": "TLS1_2",
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"sasPolicy": {
"expirationAction": "Log",
"sasExpirationPeriod": "00.01:00:00"
}
}
}
]
}
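Set the `expiry` attribute to 1 hour in the future. The fixed timestamps in the example below are illustrative; what matters is that `expiry` is no more than one hour after `start`.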
# Account-level SAS for the referenced storage account, limited to a one-hour
# validity window and to HTTPS transport.
# NOTE(review): the resulting token is a bearer credential and is expected to be
# kept in Terraform state; confirm the state backend is access-controlled.
data "azurerm_storage_account_sas" "allowed" {
  # The SAS is derived from the account's primary connection string.
  # NOTE(review): that string presumably embeds the account key, so rotating the
  # key is what invalidates tokens issued from it; verify against the provider docs.
  connection_string = azurerm_storage_account.example704a.primary_connection_string
  signed_version    = "2017-07-29"

  # Refuse plain-HTTP use of the token so it is not sent in clear text.
  https_only = true

  # Validity window: expiry is exactly one hour after start.
  start  = "2023-01-01T00:00:00Z"
  expiry = "2023-01-01T01:00:00Z"

  # Only the blob service is in scope; queue, table and file are off.
  services {
    blob  = true
    queue = false
    table = false
    file  = false
  }

  # Only service-level resources are in scope; container and object are off.
  resource_types {
    service   = true
    container = false
    object    = false
  }

  # Read, write, add and create are granted; every other permission is off.
  # NOTE(review): confirm the write-class permissions are needed. A read-only
  # token limits what a leaked SAS can do during its lifetime.
  permissions {
    read    = true
    write   = true
    add     = true
    create  = true
    delete  = false
    list    = false
    update  = false
    process = false
    tag     = false
    filter  = false
  }
}