Expire Shared Access Signature Tokens (2024)


Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Rule ID: StorageAccounts-004

Ensure that your Microsoft Azure Storage SAS tokens are configured to expire within an hour in order to protect Azure cloud data against unauthorized access. In this way, even if your SAS tokens get compromised, they are valid only for a short time. A Shared Access Signature (SAS) is a URI that grants restricted access rights to your Azure Storage resources. The SAS token is the query string that includes all of the information required to authenticate the Shared Access Signature, as well as to specify the Azure Storage service and resource, the permissions required for access, and the time-frame for which the signature is valid.


An SAS token is useful for providing limited permissions to your Azure Storage account to clients that should not have the account access key. Providing a Shared Access Signature (SAS) token to these clients allows them to access your resources for a specified period of time. To protect your storage account resources against unapproved access, the validity period configured for your SAS token should be set as low as possible, ideally no longer than an hour.

Audit

To determine if your storage account SAS tokens are set to expire within an hour, perform the following actions:

Note: Currently, SAS token expiration times cannot be audited using the Azure Management Console or the Azure CLI. Until Microsoft Azure makes the token expiration time a persistent setting rather than a parameter supplied at token creation, this audit requires manual verification.

Manual Verification

01 Find the Shared Access Signature (SAS) token defined within the SAS URL provided to your storage account clients. The SAS token starts with a question mark, followed by a set of parameters, e.g. ?sv=2018-03-28&ss=bfqt&srt=sco&sp=rwdlacup&se=2019-06-05T19:59:21Z&st=2019-06-05T11:59:21Z&spr=https&sig=abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd. Identify the token expiration date, which is the value of the se parameter (date and time in UTC), for example se=2019-06-05T19:59:21Z. If the verified Shared Access Signature (SAS) token is not set to expire within an hour from its creation, the selected SAS token's configuration is not compliant.

02 Repeat step no. 1 for each Shared Access Signature (SAS) URL created for the current storage account.

03 Repeat step no. 1 and 2 for each storage account available within the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
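The manual check in steps 1 to 4 can be scripted: the following Python is an added example (not part of the Conformity rule or of any Azure tooling) that parses a SAS URL or token, subtracts the signed start (st) from the signed expiry (se), and flags anything valid for longer than one hour. It also handles the seconds-less, percent-encoded expiry the Azure CLI prints and tokens that carry no st, whose validity period cannot be determined from the token alone; the function and status names are this example's own.

```python
"""Added example: audit SAS tokens against the one-hour validity limit."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_VALIDITY = timedelta(hours=1)


def parse_sas_time(value: str) -> datetime:
    """Parse a signed start/expiry value (UTC). Azure accepts a full
    YYYY-MM-DDThh:mm:ssZ, the seconds-less form the CLI emits, or a date."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def sas_validity(sas: str) -> tuple[str, timedelta | None]:
    """Classify one SAS URL, '?'-prefixed token or bare query string.

    Returns (status, interval) where status is one of
    'compliant', 'non-compliant', 'invalid' or 'unknown'."""
    query = urlsplit(sas).query if "://" in sas else sas.lstrip("?")
    params = parse_qs(query)  # also decodes %3A in the CLI's se value
    if "se" not in params:
        # Expiry may live in a stored access policy (si=...), not in the token.
        return "unknown", None
    expiry = parse_sas_time(params["se"][0])
    if "st" not in params:
        # Without a signed start the interval runs from token creation,
        # which the token itself does not record: verify at the source.
        return "unknown", None
    interval = expiry - parse_sas_time(params["st"][0])
    if interval <= timedelta(0):
        return "invalid", interval  # expires before it starts: never usable
    if interval > MAX_VALIDITY:
        return "non-compliant", interval
    return "compliant", interval


def audit(sas_list: list[str]) -> dict[str, list[str]]:
    """Group tokens by status so the non-compliant ones can be re-issued."""
    report: dict[str, list[str]] = {}
    for sas in sas_list:
        status, _ = sas_validity(sas)
        report.setdefault(status, []).append(sas)
    return report
```

Feed audit() the SAS URLs collected from your clients' configuration; the page's own eight-hour example token is reported as non-compliant.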

Remediation / Resolution

To re-create your Shared Access Signature (SAS) tokens for compliance, set the start and end time parameters so that each token expires within an hour. To create and configure compliant SAS tokens, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name of the storage account that holds the SAS token that you want to regenerate.

04 In the navigation panel, under Settings, choose Shared access signature.

05 On the Shared access signature page, perform the following actions to generate your new SAS token:

  1. From Allowed services, select the Azure Storage services accessible with the account SAS.
  2. From the Allowed resource types section, select the storage resource types accessible with the account SAS.
  3. From Allowed permissions, choose the permissions required for the account SAS. Permissions are valid only if they match the specified allowed resource type, otherwise, they are ignored.
  4. Use the Start and End date and time picker controls from the Start and expiry date/time section to configure the start and end date/time during which the account SAS is valid. Make sure that the SAS validity period configured at this step is no longer than an hour.
  5. In the Allowed IP addresses box, enter the client IP address or range of IP addresses from which to accept requests.
  6. From Allowed protocols, choose the protocols permitted for requests made with the account SAS. We strongly recommend allowing requests over HTTPS only.
  7. From Signing key, select the access key used to authenticate the requests. Note that if you regenerate the selected access key, the existing SAS token will also need to be regenerated. This action will not interrupt access to disks from your Azure virtual machines (VMs).
  8. Click Generate SAS and connection string to create your new Azure Shared Access Signature (SAS).

06 Replace the Shared Access Signature (SAS) token defined within the SAS URL(s) provided to your storage account clients with the compliant token generated at the previous step (e.g. ?sv=2018-03-28&ss=bfqt&srt=sco&sp=rwdlacup&se=2019-06-11T12:33:50Z&st=2019-06-11T13:33:50Z&spr=https&sig=aaaabbbbccccddddaaaabbbbccccddddaaaabbbbccccdddd), available in the SAS token box.

07 If required, repeat step no. 5 and 6 to generate new Shared Access Signature (SAS) tokens.

08 Repeat steps no. 3 – 7 for each storage account available in the current Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 First, configure the Shared Access Signature (SAS) validity period (in this case 1 hour):

end=`date -d "60 minutes" '+%Y-%m-%dT%H:%MZ'`

02 Next, run the storage account generate-sas command (Windows/macOS/Linux), using the name of the storage account that holds the non-compliant SAS token as the identifier parameter, to generate a new Shared Access Signature (SAS) for the Blob, File, Queue and Table Azure Storage services with a validity period of one hour:

az storage account generate-sas --permissions cdlruwap --account-name abcd1234abcd1234abcd1234 --services bfqt --resource-types sco --expiry $end -otsv

03 The command output should return the new Shared Access Signature (SAS) parameters, e.g.:

se=2019-06-11T17%3A23Z&sp=rwdlacup&sv=2018-03-28&ss=qt&srt=sco&sig=abcdabc/abcd1234abcd%1234abcd1234abcd1234abcd%1234

04 If required, repeat steps no. 1 – 3 to generate new Shared Access Signature (SAS) tokens.

05 Repeat steps no. 1 – 4 for each storage account available in the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Publication date Jun 12, 2019

FAQs

What is a shared access signature token? ›

A shared access signature is a token that is appended to the URI for an Azure Storage resource. The token contains a special set of query parameters that indicate how the resources may be accessed by the client.

How to check the expiry of SAS? ›

The validity interval for the SAS is calculated by subtracting the date/time value of the signed start field from the date/time value of the signed expiry field. If the resulting value is less than or equal to the recommended upper limit, then the SAS is in compliance with the SAS expiration policy.

How long should SAS tokens last? ›

Providing a Shared Access Signature (SAS) token to these clients allows them to access your resources for a specified period of time. To protect your storage account resources against unapproved access, the validity period configured for your SAS token should be set as low as possible, ideally no longer than an hour.

What are the recommended best practices of a shared access signature compromised? ›

If a SAS is compromised, you will want to revoke that SAS as soon as possible. To revoke a user delegation SAS, revoke the user delegation key to quickly invalidate all signatures associated with that key.

What is the difference between shared access signature and token? ›

A shared access signature is a signed URI that points to one or more storage resources and includes a token that contains a special set of query parameters. The token indicates how the resources may be accessed by the client.

What is the difference between access key and shared access signature? ›

Shared Access Signatures provide granular control to your storage. Access keys give you full rights to everything in your storage account, but with SAS you're able to limit the access capabilities of its users.

What are the 2 types of shared access signatures? ›

There are two types of SAS: service-level SAS and account-level SAS. 1. Service-level SAS: This type of SAS grants access to a specific resource, such as a file or a blob, and has a limited scope.

What are the risks of SAS token? ›

SAS tokens become a serious security risk when misconfigured, especially when sharing information with external entities. If compromised, a misconfigured SAS token can make the entire system vulnerable.

What are the potential risks of using shared access signature (SAS)? ›

If a SAS token gets into the wrong hands, the perpetrator can have prolonged or even indefinite access to your resources, potentially leading to data breaches, unauthorized transactions, or other forms of cybercrime.

How do I create a shared access signature token? ›

Get SAS token from the Azure Portal
  1. Navigate to the blob container.
  2. Under Settings, ...
  3. In the Signing method ...
  4. If you select the Account key signing method, select the Signing key ...
  5. In the Permissions ...
  6. Set the start and expiry date during which the SAS token is valid.
  7. In the Allowed IP addresses ...
  8. Click Generate SAS token and URL.

What is one reason to use a shared access signature instead of an account key? ›

You can provide a shared access signature to clients who shouldn't be trusted with your storage account key but who need access to certain storage account resources. By distributing a SAS URI to these clients, you can grant them access to a resource for a specified period of time, with a specified set of permissions.

What are SAS tokens used for? ›

SAS tokens are used to grant permissions to storage resources, and should be protected in the same manner as an account key. Operations that use SAS tokens should be performed only over an HTTPS connection, and SAS URIs should only be distributed on a secure connection such as HTTPS.
