Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
Regenerate storage account access keys periodically.
Risk Level: High
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.CRY.39
Covered by Spectral: Yes
Category: Storage
GSL LOGIC
StorageAccount where allowSharedKeyAccess=true should have keysRegeneratedInThePast90Days=true
REMEDIATION
From Portal
- Log in to the Azure Portal at https://portal.azure.com
- Go to 'Storage Accounts' and open the Activity log of each storage account
- Under the Timespan drop-down, select Custom and choose a Start time and End time spanning the last 90 days
- Enter 'RegenerateKey' in the Search text box
- Click Apply
This lists all RegenerateKey events in that window. If no such event exists, this is a finding.
Note: By default, access keys are not regenerated periodically.
From TF
There is no auto-rotation argument in Terraform for storage account keys; however, the key version can be removed or omitted from the customer-managed key resource so that the storage account follows the latest version of the key, which enables automatic key rotation.
resource "azurerm_storage_account_customer_managed_key" "example" {
  storage_account_id = azurerm_storage_account.example.id   # storage account, vault and key are defined elsewhere in the configuration
  key_vault_id       = azurerm_key_vault.example.id
  key_name           = azurerm_key_vault_key.example.name
  # key_version is deliberately omitted: with no version pinned, rotating the key in Key Vault
  # takes effect on the storage account automatically
}
From Command Line
Get a list of storage accounts
az storage account list --subscription SUBSCRIPTIONID
Make a note of id, name and resourceGroup.
For every storage account, make sure that a key has been regenerated in the past 90 days (the JMESPath filter is case-sensitive, so match the action name as Azure records it):
az monitor activity-log list --namespace Microsoft.Storage --offset 90d --query "[?contains(authorization.action, 'regenerateKey')]" --resource-id RESOURCEID
Keys can be regenerated using the command below (run it again with --key secondary to rotate the second key once dependent applications have been moved to the new primary key):
az storage account keys renew --resource-group RESOURCEGROUP --account-name STORAGEACCOUNT --key primary
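The GSL logic above, applied offline to the output of the two az commands, as an added example that is not part of the CloudGuard rule or the Azure CLI; the account and event records are constructed samples shaped like the fields the check reads (field names and the rg-demo resource ids are assumptions):

```python
from datetime import datetime, timedelta, timezone

REGENERATE_ACTION = "Microsoft.Storage/storageAccounts/regenerateKey/action"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"  # constructed

# Constructed sample input shaped like `az storage account list` / `az monitor activity-log list` output (assumed fields).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"name": "stprod",   "id": f"{SUB}/providers/Microsoft.Storage/storageAccounts/stprod",   "allowSharedKeyAccess": True},
    {"name": "stlegacy", "id": f"{SUB}/providers/Microsoft.Storage/storageAccounts/stlegacy", "allowSharedKeyAccess": True},
    {"name": "stnokey",  "id": f"{SUB}/providers/Microsoft.Storage/storageAccounts/stnokey",  "allowSharedKeyAccess": False},
]
SAMPLE_EVENTS = [
    # rotated 10 days ago; the activity log often reports resourceId in upper case
    {"resourceId": SAMPLE_ACCOUNTS[0]["id"].upper(), "eventTimestamp": "2024-05-22T08:15:00Z",
     "authorization": {"action": REGENERATE_ACTION}, "status": {"value": "Succeeded"}},
    # last successful rotation 121 days ago, outside the 90-day window
    {"resourceId": SAMPLE_ACCOUNTS[1]["id"], "eventTimestamp": "2024-02-01T08:15:00Z",
     "authorization": {"action": REGENERATE_ACTION}, "status": {"value": "Succeeded"}},
    # a failed attempt rotated nothing, so it must not satisfy the rule
    {"resourceId": SAMPLE_ACCOUNTS[1]["id"], "eventTimestamp": "2024-05-30T09:00:00Z",
     "authorization": {"action": REGENERATE_ACTION}, "status": {"value": "Failed"}},
]

def keys_regenerated_in_past_90_days(events, account_id, now=NOW, days=90):
    """True if a successful regenerateKey operation on account_id occurred within `days` of `now`."""
    cutoff = now - timedelta(days=days)
    for ev in events:
        if ev.get("resourceId", "").lower() != account_id.lower():
            continue
        if ev.get("authorization", {}).get("action", "").lower() != REGENERATE_ACTION.lower():
            continue
        if ev.get("status", {}).get("value") != "Succeeded":
            continue
        when = datetime.fromisoformat(ev["eventTimestamp"].replace("Z", "+00:00"))
        if when >= cutoff:
            return True
    return False

def evaluate(accounts, events, now=NOW):
    """GSL rule: allowSharedKeyAccess=true accounts must have keysRegeneratedInThePast90Days=true."""
    findings = []
    for acct in accounts:
        # allowSharedKeyAccess is unset (treated as true) by default; only an explicit false exempts the account
        if acct.get("allowSharedKeyAccess") is False:
            continue
        if not keys_regenerated_in_past_90_days(events, acct["id"], now):
            findings.append(acct["name"])
    return findings
```

To run it against a real subscription, json.load the output of the two az commands above into accounts and events and call evaluate with the current UTC time.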
References
- https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal
- https://docs.microsoft.com/en-us/cli/azure/storage/account/keys?view=azure-cli-latest#az-storage-account-keys-renew
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_customer_managed_key#key_version
Azure Storage Account
An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.
Compliance Frameworks
- AZU PCI-DSS 4.0
- Azure CIS Foundations v. 1.2.0
- Azure CIS Foundations v. 1.3.0
- Azure CIS Foundations v. 1.3.1
- Azure CIS Foundations v. 1.4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset