Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential.
Risk Level: High
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.CRY.50
Covered by Spectral: No
Category: Storage
GSL LOGIC
StorageAccount should have keyPolicy.keyExpirationPeriodInDays>0
REMEDIATION
From Portal
- Go to Storage Accounts.
- For each Storage Account that is not compliant, go to Access keys.
- Click Set rotation reminder.
- Check Enable key rotation reminders.
- In the Send reminders field, select Custom, then set the Remind me every field to 90 and the period drop-down to Days.
- Click Save.
Note: By default, key rotation reminders are not configured, so a new Storage Account has no keyPolicy at all rather than a zero-day period.
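The following is an added example, not part of the CloudGuard page or its product code. It evaluates the GSL logic above (keyPolicy.keyExpirationPeriodInDays>0) against Storage Account records in the JSON shape returned by `az storage account list`, treats a missing or null keyPolicy as non-compliant (the portal default), and emits the Azure CLI equivalent of the portal remediation steps for each finding. The sample records are constructed; the `--key-exp-days` flag on `az storage account update` is assumed to be the CLI counterpart of the portal's rotation-reminder setting.

```python
"""Evaluate CloudGuard rule D9.AZU.CRY.50 against Storage Account records and
build the Azure CLI remediation for non-compliant accounts (added example)."""
from __future__ import annotations

import json
from typing import Any

# Constructed sample: three records trimmed to the fields the check needs.
# Real `az storage account list` output carries many more properties.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stcompliant01", "resourceGroup": "rg-demo",
   "keyPolicy": {"keyExpirationPeriodInDays": 90}},
  {"name": "stnoreminder02", "resourceGroup": "rg-demo",
   "keyPolicy": null},
  {"name": "stzero03", "resourceGroup": "rg-other",
   "keyPolicy": {"keyExpirationPeriodInDays": 0}}
]
"""

REMINDER_DAYS = 90  # the value the portal steps above set for "Remind me every"


def key_expiration_days(account: dict[str, Any]) -> int | None:
    """Return keyPolicy.keyExpirationPeriodInDays, or None when no policy exists.

    An account with reminders never configured has keyPolicy == null rather
    than a zero value, so both shapes must be handled by the check."""
    policy = account.get("keyPolicy")
    if not isinstance(policy, dict):
        return None
    value = policy.get("keyExpirationPeriodInDays")
    # bool is a subclass of int in Python; exclude it so "true" is not read as 1
    if isinstance(value, bool) or not isinstance(value, int):
        return None
    return value


def is_compliant(account: dict[str, Any]) -> bool:
    """GSL: StorageAccount should have keyPolicy.keyExpirationPeriodInDays>0."""
    days = key_expiration_days(account)
    return days is not None and days > 0


def remediation_command(account: dict[str, Any], days: int = REMINDER_DAYS) -> str:
    """Azure CLI equivalent of the portal steps (assumes the --key-exp-days flag)."""
    return (f"az storage account update --name {account['name']} "
            f"--resource-group {account['resourceGroup']} --key-exp-days {days}")


def find_non_compliant(accounts_json: str) -> list[dict[str, str]]:
    """Return one finding per non-compliant account: name, rule id, observed
    value and the command that brings the account into compliance."""
    findings: list[dict[str, str]] = []
    for account in json.loads(accounts_json):
        if not is_compliant(account):
            findings.append({
                "name": account["name"],
                "rule": "D9.AZU.CRY.50",
                "observed": str(key_expiration_days(account)),
                "fix": remediation_command(account),
            })
    return findings


if __name__ == "__main__":
    # Constructed input; in practice feed the output of `az storage account list`.
    for finding in find_non_compliant(SAMPLE_ACCOUNTS_JSON):
        print(f"{finding['name']}: keyExpirationPeriodInDays="
              f"{finding['observed']} -> {finding['fix']}")
```

Running the script against real output of `az storage account list -o json` lists every account whose reminder period is missing, null or zero, together with the update command that sets a 90-day reminder to match the portal remediation.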
References
- https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account#regenerate-storage-access-keys
- https://workbench.cisecurity.org/sections/1460909/recommendations/2349069
Azure Storage Account
An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.
Compliance Frameworks
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset