question

0 Votes
AdityaKota-2602 asked ·

Ensure that shared access signature tokens expire within an hour

I want to address CIS control 3.4, Ensure that shared access signature tokens expire within an hour.

Additional info on the control:

https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Azure_Foundations_Benchmark_v1_1_0.pdf

Control number 3.4.

I was hoping to address this recommendation by creating a stored access policy on the blob container with dynamic values for the date and time variables, or I am open to any other ideas. I also realized when researching this that SAS tokens are not logged in the Azure Activity Log.

azure-information-protection

0 Votes
JamesTran-MSFT answered ·

Hi @AdityaKota-2602

Thank you for the recommendation!

When generating a SAS token within the portal you can also assign a specific "start and expiry date/time", which should make it easier for users to manage expiration times.

Within the Activity Logs, I noticed that the "generating" of the actual SAS token wasn't logged either. However, since the SAS token is issued to specific users for certain actions such as "read, write, delete, create, etc...", the actions performed by the user using the SAS token should be logged within the activity logs.

Please let me know if you have any other questions.

Thank you!


Additional Links:
Activity Logs

0 Votes
AdityaKota-2602 answered ·

Thanks James!


We can educate users to generate SAS tokens for that duration, but I was thinking that if there is a policy governing this process it would be ideal for an enterprise to adhere to a framework such as CIS.


So, based on your response, there isn't a way to generate stored access policies dynamically? Or is there any other way to achieve this SAS token duration limit?


@AdityaKota-2602

I was able to look further into this issue and found that you can create stored access policies to provide an additional level of control over service-level shared access signatures. Please see below for more info along with some best practices.


Define a stored access policy

Best practices when using SAS
Please let me know if you have any other questions.

Thank you!



0 Votes
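The thread leaves two practical gaps: how to compute the "dynamic" start/expiry values the question asks about, and how to audit tokens that already exist against the one-hour ceiling of control 3.4. The following Python is an added example written for this page; it is not code from the thread, from Microsoft, or from the CIS benchmark. It uses the real SAS query parameter names (`st` start, `se` expiry, `sp` permissions, `si` stored access policy identifier, `sig` signature), but the sample tokens and their `sig` values are constructed and do not validate against any account. One assumption is labelled in the code: when a token carries no `st`, the lifetime is measured from the moment of the check, since a SAS without a start time is valid immediately.

```python
"""
Audit shared access signature (SAS) tokens against CIS Azure Foundations
Benchmark v1.1.0 control 3.4 (tokens expire within an hour), and compute a
start/expiry window for a stored access policy at creation time instead of
hard-coding it. Added example for this thread; the tokens below are constructed.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=1)          # ceiling required by control 3.4
_SAS_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%dZ")


def parse_sas_time(value):
    """Parse the UTC ISO 8601 forms that appear in the st/se parameters."""
    for fmt in _SAS_TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised SAS timestamp: %r" % value)


def format_sas_time(moment):
    """Render a datetime in the UTC form the SAS parameters expect."""
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def sas_params(token_or_url):
    """Return SAS parameters from a bare token ('?sv=...' or 'sv=...') or a full blob URL."""
    query = urlsplit(token_or_url).query if "://" in token_or_url else token_or_url
    parsed = parse_qs(query.lstrip("?"), keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def check_sas_lifetime(token_or_url, now=None, max_lifetime=MAX_LIFETIME):
    """Classify a token as pass/fail/policy. The result never includes the sig,
    so it is safe to write to an audit log."""
    params = sas_params(token_or_url)
    now = now or datetime.now(timezone.utc)
    if "se" not in params:
        if "si" in params:
            # Expiry is defined by the stored access policy on the container,
            # so the policy (not the token) is what the auditor must inspect.
            return {"status": "policy", "policy": params["si"]}
        return {"status": "fail", "reason": "token carries no expiry (se)"}
    expiry = parse_sas_time(params["se"])
    # Assumption: a token without st is valid immediately, so measure from now.
    start = parse_sas_time(params["st"]) if "st" in params else now
    lifetime = expiry - start
    result = {
        "status": "pass" if lifetime <= max_lifetime else "fail",
        "lifetime_minutes": int(lifetime.total_seconds() // 60),
        "permissions": params.get("sp", ""),
        "expired": expiry <= now,
    }
    if result["status"] == "fail":
        result["reason"] = "lifetime exceeds %d minutes" % (max_lifetime.total_seconds() // 60)
    return result


def stored_access_policy_window(now=None, lifetime=MAX_LIFETIME):
    """Start/expiry strings for a stored access policy, computed when the policy
    is (re)created so the ceiling travels with the policy rather than the user."""
    now = now or datetime.now(timezone.utc)
    return format_sas_time(now), format_sas_time(now + lifetime)


if __name__ == "__main__":
    # Constructed samples; the sig values are placeholders, not real signatures.
    fixed_now = parse_sas_time("2024-01-01T10:30:00Z")
    samples = {
        "one hour, explicit start": "?sv=2020-08-04&st=2024-01-01T10:00:00Z&se=2024-01-01T11:00:00Z&sp=r&sig=FAKE",
        "one day":                  "?sv=2020-08-04&st=2024-01-01T10:00:00Z&se=2024-01-02T10:00:00Z&sp=rw&sig=FAKE",
        "policy-bound":             "https://acct.blob.core.windows.net/c/b.txt?sv=2020-08-04&si=hourly-read&sr=c&sig=FAKE",
        "no expiry at all":         "sv=2020-08-04&sp=r&sig=FAKE",
    }
    for label, token in samples.items():
        print("%-25s %s" % (label, check_sas_lifetime(token, now=fixed_now)))
    print("policy window:", stored_access_policy_window(now=fixed_now))
```

The `policy` status is deliberate: a token that references a stored access policy via `si` inherits its expiry from that policy, so an audit script has to pull the container's access policy rather than trust the token's own parameters, and `stored_access_policy_window` produces the values to write into that policy so its expiry is derived from creation time rather than typed in by hand.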

@AdityaKota-2602

Hopefully my above post helped with your question. Please let me know if you have any other questions regarding this issue.

Thank you!

0 Votes

Hi @AdityaKota-2602,

Please let us know if this reply helped resolve your question. If so, please remember to "mark as answer" so that others in the community facing similar issues can more easily find a solution.

0 Votes