Azure Storage Account Shared Key Access is not disabled
- Contextual name: Shared Key Access is not disabled
- ID:
/ce/ca/azure/storage/disable-shared-key-access
- Located in: Azure Storage
Flags
- Policy with categories
- Policy with type
- Production policy
Our Metadata
- Policy Type:
BEST_PRACTICE
- Policy Category:
SECURITY
Logic
- prod.logic.yaml
Description
Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Microsoft Entra credentials or by using the account access key for Shared Key authorization.
Rationale
Microsoft Entra ID provides superior security and ease of use compared to Shared Key and is recommended by Microsoft. To require clients to use Microsoft Entra ID for authorizing requests, you can disallow requests to the storage account that are authorized with Shared Key.
Impact
When you disallow Shared Key authorization for a storage account, any request to the account that is authorized with Shared Key will be denied. This includes shared access signatures (SAS) that are signed with the account key, that is, account SAS and service SAS; a user delegation SAS, which is signed with Microsoft Entra credentials, keeps working. Client applications that currently access the storage account using the Shared Key will no longer function until they are switched to Microsoft Entra ID authorization. Disabling Shared Key access does not rotate or remove the account keys themselves; it only causes requests signed with them to be rejected.
Audit
This policy flags an Azure Storage Account as INCOMPLIANT if the Shared Key Access configuration is not set to Deny, that is, unless the account's AllowSharedKeyAccess property is explicitly false.
Default Value
The AllowSharedKeyAccess property of a storage account is not set by default and does not return a value until you explicitly set it. The storage account permits requests that are authorized with the Shared Key when the property value is null or when it is true.
Remediation
From Azure Portal
1. Go to Storage accounts.
2. Click the name of a storage account.
3. Under Settings, click Configuration.
4. Under Allow storage account key access, click the radio button next to Disabled.
5. Click Save.
6. Repeat steps 1-5 for each storage account requiring remediation.
From Azure CLI
For each storage account requiring remediation, run the following command to disallow shared key authorization:
az storage account update --resource-group <resource-group> --name <storage-account> --allow-shared-key-access false
From PowerShell
For each storage account requiring remediation, run the following command to disallow shared key authorization:
Set-AzStorageAccount -ResourceGroupName <resource-group> -Name <storage-account> -AllowSharedKeyAccess $false
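The following script is an added example for this page; it is not Cloudaware's prod.logic.yaml and not Microsoft tooling. It applies the audit rule above to every storage account in the current subscription (only an explicit AllowSharedKeyAccess of false is compliant; true, null and unset all leave Shared Key authorization enabled) and prints the page's az remediation command for each account that fails. It assumes the row shape that `az storage account list --query "[].[name,resourceGroup,allowSharedKeyAccess]" --output tsv` produces, in which az prints booleans as True/False and a null property as None; the three sample rows and their account names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the policy's own logic): audit Azure Storage accounts for
# Shared Key access and emit the az remediation command for failing accounts.
set -eu

TAB=$(printf '\t')

# Classify one allowSharedKeyAccess value the way the audit rule does.
# az TSV output prints booleans as True/False and an unset (null) property
# as None; an empty field is treated like None, i.e. Shared Key still allowed.
classify_shared_key() {
  case "${1:-}" in
    false|False) echo COMPLIANT ;;
    *)           echo INCOMPLIANT ;;
  esac
}

# Print one finding line per account plus the remediation command for each
# INCOMPLIANT account. $1 holds TSV rows: name<TAB>resourceGroup<TAB>value.
audit_accounts() {
  rows=$1
  while IFS="$TAB" read -r name rg value; do
    [ -n "$name" ] || continue
    status=$(classify_shared_key "$value")
    printf '%-16s %-12s %-6s %s\n' "$name" "$rg" "${value:-unset}" "$status"
    if [ "$status" = INCOMPLIANT ]; then
      printf '  az storage account update --resource-group %s --name %s --allow-shared-key-access false\n' "$rg" "$name"
    fi
  done <<EOF
$rows
EOF
}

# Print the number of INCOMPLIANT accounts in the TSV rows (usable as a CI gate).
count_incompliant() {
  n=0
  while IFS="$TAB" read -r name rg value; do
    [ -n "$name" ] || continue
    if [ "$(classify_shared_key "$value")" = INCOMPLIANT ]; then
      n=$((n + 1))
    fi
  done <<EOF
$1
EOF
  echo "$n"
}

# Constructed sample rows (hypothetical account names) in the az TSV shape:
# one account set correctly, one explicitly enabled, one never configured.
SAMPLE_ROWS=$(printf 'stprodlogs01\trg-prod\tFalse\nstprodapp02\trg-prod\tTrue\nstlegacy03\trg-legacy\tNone\n')

# "--live" queries the current subscription with az; otherwise use the sample.
if [ "${1:-}" = "--live" ]; then
  ROWS=$(az storage account list \
    --query "[].[name,resourceGroup,allowSharedKeyAccess]" --output tsv)
else
  ROWS=$SAMPLE_ROWS
fi
audit_accounts "$ROWS"
echo "incompliant accounts: $(count_incompliant "$ROWS")"
```

Run it with `--live` after `az login` to audit a real subscription; the printed `az storage account update` lines are the remediation from this page and can be reviewed before being executed. Before applying them, confirm from the account's resource logs which clients still authenticate with the account key or an account/service SAS, since those requests are denied the moment the setting is saved, and move them to Microsoft Entra ID or a user delegation SAS first.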
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
CIS Azure v4.0.0 → 10.3.1.3 Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled' (Automated) | 1 | | |
Cloudaware Framework → Secure Access | 53 | | |