Ensure that 'Enable key rotation reminders' is enabled for each Storage Account

Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential.

Risk Level: High
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.CRY.50
Covered by Spectral: No
Category: Storage

GSL LOGIC

StorageAccount should have keyPolicy.keyExpirationPeriodInDays>0

REMEDIATION

From Portal

  1. Go to Storage Accounts.
  2. For each Storage Account that is not compliant, go to Access keys.
  3. Click Set rotation reminder.
  4. Check Enable key rotation reminders.
  5. In the Send reminders field select Custom, then set the Remind me every field to 90 and the period drop-down to Days.
  6. Click Save.

Note: By default, key rotation reminders are not configured on a Storage Account.
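The GSL logic above can be applied directly to the output of `az storage account list`, which exposes the reminder period as `keyPolicy.keyExpirationPeriodInDays` (null when no reminder is set). The following script is an added example, not CloudGuard's or Microsoft's code: it evaluates the rule over a constructed list of account records with made-up names and resource groups, reports the non-compliant ones, and emits the Azure CLI equivalent of the portal remediation (the `--key-exp-days` flag of `az storage account update`, which is not on this page but is the CLI option that sets this property).

```python
"""
Evaluate CloudGuard rule D9.AZU.CRY.50 over Storage Account records.

Added example; not CloudGuard's or Microsoft's own code. Input records follow
the shape of `az storage account list -o json` (only the fields used here).
"""
import json

# Constructed sample: shape matches `az storage account list` output, but the
# account names and resource groups are invented for this example.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stcompliant001", "resourceGroup": "rg-app",
   "keyPolicy": {"keyExpirationPeriodInDays": 90}},
  {"name": "stnopolicy002", "resourceGroup": "rg-app",
   "keyPolicy": null},
  {"name": "stzero003", "resourceGroup": "rg-data",
   "keyPolicy": {"keyExpirationPeriodInDays": 0}},
  {"name": "stmissing004", "resourceGroup": "rg-data"}
]
"""


def key_expiration_days(account):
    """Return keyExpirationPeriodInDays, or None when no key policy is set."""
    policy = account.get("keyPolicy") or {}
    return policy.get("keyExpirationPeriodInDays")


def is_compliant(account):
    """GSL: StorageAccount should have keyPolicy.keyExpirationPeriodInDays>0."""
    days = key_expiration_days(account)
    return isinstance(days, int) and days > 0


def find_noncompliant(accounts):
    """Return every account record that fails the rule."""
    return [a for a in accounts if not is_compliant(a)]


def remediation_command(account, days=90):
    """Azure CLI equivalent of the portal steps: set a 90-day reminder period.
    --key-exp-days is the real az CLI flag that writes keyPolicy."""
    return (f"az storage account update --name {account['name']} "
            f"--resource-group {account['resourceGroup']} --key-exp-days {days}")


def evaluate(accounts_json):
    """Parse account JSON and return one finding per non-compliant account."""
    accounts = json.loads(accounts_json)
    return [{"name": a["name"],
             "resourceGroup": a["resourceGroup"],
             "keyExpirationPeriodInDays": key_expiration_days(a),
             "remediation": remediation_command(a)}
            for a in find_noncompliant(accounts)]


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_ACCOUNTS_JSON):
        print(f"{finding['name']}: non-compliant "
              f"(keyExpirationPeriodInDays={finding['keyExpirationPeriodInDays']})")
        print("  fix: " + finding["remediation"])
```

To run against a real subscription, replace `SAMPLE_ACCOUNTS_JSON` with the output of `az storage account list -o json`. Note that a compliant result only means the reminder period is configured; the reminder does not regenerate keys by itself, so the actual rotation still has to be carried out and verified separately.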

References

  1. https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account#regenerate-storage-access-keys
  2. https://workbench.cisecurity.org/sections/1460909/recommendations/2349069

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset