🛡️ Azure Storage Account Shared Key Access is not disabled🟢
- Contextual name: 🛡️ Shared Key Access is not disabled🟢
- ID:
/ce/ca/azure/storage/disable-shared-key-access - Tags:
- Policy Type:
BEST_PRACTICE - Policy Categories:
SECURITY
Logic
Description
Description
Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Microsoft Entra credentials or by using the account access key for Shared Key authorization.
Rationale
Microsoft Entra ID provides superior security and ease of use compared to Shared Key and is recommended by Microsoft. To require clients to use Microsoft Entra ID for authorizing requests, you can disallow requests to the storage account that are authorized with Shared Key.
Impact
When you disallow Shared Key authorization for a storage account, any requests to the account that are authorized with Shared Key, including shared access signatures (SAS), will be denied. Client applications that currently access the storage account using the Shared Key will no longer function.
Audit
This policy flags an Azure Storage Account as
INCOMPLIANTif theShared Key Accessconfiguration is not set to Deny.Default Value
The AllowSharedKeyAccess property of a storage account is not set by default and does not return a value until you explicitly set it. The storage account permits requests that are authorized with the Shared Key when the property value is null or when it is true.
... see more
Remediation
Remediation
From Azure Portal
- Go to
Storage accounts.- Click the name of a storage account.
- Under
Settings, clickConfiguration.- Under
Allow storage account key access, click the radio button next toDisabled.- Click
Save.- Repeat steps 1-5 for each storage account requiring remediation.
From Azure CLI
For each storage account requiring remediation, run the following command to disallow shared key authorization:
az storage account update --resource-group <resource-group> --name <storage-account> --allow-shared-key-access falseFrom PowerShell
For each storage account requiring remediation, run the following command to disallow shared key authorization:
Set-AzStorageAccount -ResourceGroupName <resource-group> -Name <storage-account> -AllowSharedKeyAccess $false
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 CIS Azure v4.0.0 → 💼 10.3.1.3 Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled' (Automated) | 1 | no data | |||
| 💼 Cloudaware Framework → 💼 Secure Access | 55 | no data |