Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services

Regenerate storage account access keys periodically.

Risk Level: High
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.CRY.39
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

StorageAccount where allowSharedKeyAccess=true should have keysRegeneratedInThePast90Days=true

REMEDIATION

From Portal

  1. Login to Azure Portal using https://portal.azure.com
  2. Go to 'Storage Accounts'
  3. For each storage account, open 'Activity log'
  4. Under the Timespan drop-down, select Custom and choose a Start time and End time that span the past 90 days
  5. Enter 'RegenerateKey' in the Search text box
  6. Click Apply
    The list should contain the RegenerateKey events for the account. If no such event exists, this is a finding.
  7. To remediate, open 'Access keys' for the account and regenerate key1 and key2. Regenerate one key at a time and update every application that uses it before regenerating the other, so that one valid key is available throughout the rotation.

Note: Azure does not regenerate storage account access keys on its own; rotation is always a manual or scripted action. A key expiration policy on the storage account makes Azure flag keys older than the configured period, but it does not rotate them.

From TF

Terraform cannot regenerate a storage account's access keys; rotate them from the portal or the CLI. The azurerm_storage_account_customer_managed_key resource has no auto-rotation argument, but omitting key_version makes the storage account use the latest version of the customer-managed key in Key Vault, so a key rotated in Key Vault takes effect without a Terraform change. This rotates the encryption key for the account's data, not the shared access keys this rule checks.

resource "azurerm_storage_account_customer_managed_key" "example" {
	storage_account_id = azurerm_storage_account.example.id
	key_vault_id       = azurerm_key_vault.example.id
	key_name           = azurerm_key_vault_key.example.name
	# key_version omitted: the account always uses the latest key version
}

From Command Line

Get a list of storage accounts

az storage account list --subscription SUBSCRIPTIONID

Make a note of id, name and resourceGroup

For every storage account, confirm that a key was regenerated in the past 90 days. The activity-log operation name is Microsoft.Storage/storageAccounts/regenerateKey/action, and the JMESPath contains() function is case-sensitive, so the filter must use the exact casing regenerateKey.

az monitor activity-log list --namespace Microsoft.Storage --offset 90d --query "[?contains(authorization.action, 'regenerateKey')]" --resource-id RESOURCEID

Regenerate a key with the following command. Run it for --key primary first, update every client to use the regenerated key, then repeat with --key secondary, so that one key remains valid at all times and the old values of both keys are retired.

az storage account keys renew --resource-group RESOURCEGROUP --account-name STORAGEACCOUNT --key primary
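As an added example (not part of the CloudGuard page or Check Point's tooling), the following Python applies the GSL logic above to data shaped like the JSON output of az storage account list and az monitor activity-log list. The subscription, resource group and account names are hypothetical and the records are constructed inline so the script runs offline; to use it against a real subscription, replace ACCOUNTS and EVENTS with the parsed output of those two commands. It handles the points that trip up a naive check: allowSharedKeyAccess is null on accounts where it was never set (Azure treats that as enabled), resource IDs in the activity log may differ in casing from the account's id, the log holds Started/Failed records alongside Succeeded ones, and listKeys events are not regenerations.

```python
"""Offline evaluation of:
StorageAccount where allowSharedKeyAccess=true should have keysRegeneratedInThePast90Days=true
Inputs mirror `az storage account list -o json` and `az monitor activity-log list -o json`.
All sample data below is constructed; names and the subscription ID are hypothetical.
"""
import re
from datetime import datetime, timedelta, timezone

# Operation the activity log records for a key regeneration (exact casing matters).
REGENERATE_ACTION = "Microsoft.Storage/storageAccounts/regenerateKey/action"
WINDOW_DAYS = 90
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # hypothetical


def resource_id(rg, name):
    return f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{name}"


# Constructed `az storage account list` output (only the fields the rule needs).
ACCOUNTS = [
    {"id": resource_id("rg-app", "stappdata"), "name": "stappdata",
     "resourceGroup": "rg-app", "allowSharedKeyAccess": True},
    {"id": resource_id("rg-ops", "stlogs"), "name": "stlogs",
     "resourceGroup": "rg-ops", "allowSharedKeyAccess": True},
    {"id": resource_id("rg-app", "staadonly"), "name": "staadonly",
     "resourceGroup": "rg-app", "allowSharedKeyAccess": False},
    {"id": resource_id("rg-app", "stlegacy"), "name": "stlegacy",
     "resourceGroup": "rg-app", "allowSharedKeyAccess": None},  # never set
]

# Constructed activity-log records. The first uses a lower-case path segment:
# Azure resource IDs are case-insensitive and the log does not normalise them.
EVENTS = [
    {"authorization": {"action": REGENERATE_ACTION},
     "resourceId": resource_id("rg-app", "stappdata").replace("resourceGroups", "resourcegroups"),
     "eventTimestamp": "2024-05-20T10:15:00.1234567Z", "status": {"value": "Succeeded"}},
    {"authorization": {"action": "Microsoft.Storage/storageAccounts/listKeys/action"},
     "resourceId": resource_id("rg-ops", "stlogs"),
     "eventTimestamp": "2024-05-21T08:00:00Z", "status": {"value": "Succeeded"}},
    {"authorization": {"action": REGENERATE_ACTION},
     "resourceId": resource_id("rg-ops", "stlogs"),
     "eventTimestamp": "2024-01-05T08:00:00.000Z", "status": {"value": "Succeeded"}},
    {"authorization": {"action": REGENERATE_ACTION},
     "resourceId": resource_id("rg-app", "stlegacy"),
     "eventTimestamp": "2024-05-01T08:00:00.000Z", "status": {"value": "Failed"}},
]

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the example is reproducible


def parse_timestamp(ts):
    """Parse a UTC activity-log timestamp, ignoring up to seven fractional digits."""
    m = re.match(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})", ts)
    if not m:
        raise ValueError(f"unexpected timestamp format: {ts}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def shared_key_access_allowed(account):
    """Shared key access is enabled unless explicitly false; null means enabled."""
    return account.get("allowSharedKeyAccess") is not False


def keys_regenerated_in_window(account_id, events, now=NOW, window_days=WINDOW_DAYS):
    """True if a successful regenerateKey on this account falls inside the window."""
    cutoff = now - timedelta(days=window_days)
    for ev in events:
        if ev.get("resourceId", "").lower() != account_id.lower():
            continue
        if ev.get("authorization", {}).get("action") != REGENERATE_ACTION:
            continue
        if ev.get("status", {}).get("value") != "Succeeded":  # skip Started/Failed
            continue
        if parse_timestamp(ev["eventTimestamp"]) >= cutoff:
            return True
    return False


def evaluate(accounts, events, now=NOW):
    """Names of accounts that violate the rule."""
    findings = []
    for acct in accounts:
        if not shared_key_access_allowed(acct):
            continue  # out of scope: the keys cannot be used, so rotation is moot
        if not keys_regenerated_in_window(acct["id"], events, now):
            findings.append(acct["name"])
    return findings


def remediation_commands(accounts, findings):
    """az commands that rotate both keys of each non-compliant account, primary first."""
    by_name = {a["name"]: a for a in accounts}
    return [f"az storage account keys renew --resource-group {by_name[n]['resourceGroup']} "
            f"--account-name {n} --key {key}"
            for n in findings for key in ("primary", "secondary")]


if __name__ == "__main__":
    bad = evaluate(ACCOUNTS, EVENTS)
    print("non-compliant:", bad)
    print("\n".join(remediation_commands(ACCOUNTS, bad)))
```

With the constructed data, stappdata passes (a successful regeneration 12 days before NOW), staadonly is out of scope because shared key access is disabled, and stlogs and stlegacy are findings: the first only had a listKeys call and an old regeneration, the second only a failed one. The generated remediation runs the primary rotation before the secondary; the client update between the two is still a manual step.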

References

  1. https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal
  2. https://docs.microsoft.com/en-us/cli/azure/storage/account/keys?view=azure-cli-latest#az-storage-account-keys-renew
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_customer_managed_key#key_version

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset