Azure Storage account configured with Shared Key authorization
Description
This policy is checking for any instance where a storage account is configured with Shared Key authorization. This is a poor security practice as Shared Key authorization utilizes a single key for both read and write permissions, leading to potential security breaches. If the shared key is compromised, the attacker will have full access to the storage account. Therefore, it's ideal to use separate keys for different operations or use a more secure method of authorization like Azure AD based authorization.
Code Example
resource "azurerm_storage_account" "example" {
name = "storageaccountname"
...
shared_access_key_enabled = false
}Remediation
Terraform
- Resource: azurerm_storage_account
- Arguments: shared_access_key_enabled
To fix this issue, you should configure Azure Storage Service to use Azure Active Directory (Azure AD) for data plane authorization instead of shared key authorization. You can do this by ensuring that `shared_access_key_enabled` is set to disabled when creating a storage account.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0797 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AZURE_40 |