Azure Storage Account Access Keys
Description
When you create a storage account, Azure generates two 512-bit storage account access keys. These keys can be used to authorize access to data in your storage account via Shared Key authorization. Leaking either key can therefore compromise the data in that storage account.
Code Example
```text
{
"POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/revokeUserDelegationKeys?api-version=2021-04-01",
}
```
Remediation
Azure
1. Revoke the exposed secret.
   - To revoke a user delegation SAS, revoke the user delegation key to quickly invalidate all signatures associated with that key.
   - To revoke a service SAS that is associated with a stored access policy, you can delete the stored access policy, rename the policy, or change its expiry time to a time that is in the past.
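As an added illustration (not code from this rule or from Checkov), the scanner below shows how a 512-bit storage account key can be recognised in committed configuration: a 64-byte key is always 88 base64 characters ending in "==". The `AccountKey=` and `AZURE_STORAGE_KEY` prefixes, the sample key (constructed from the bytes 0..63) and the sample config are all assumptions for the example.

```python
import base64
import binascii
import re
from typing import Dict, List

# A 512-bit key is 64 bytes, which base64 encodes to 86 characters plus "==".
_KEY_B64 = r"[A-Za-z0-9+/]{86}=="
# Assumed contexts in which a key is committed: the AccountKey field of a
# connection string, or an environment-style variable holding the key.
KEY_PATTERN = re.compile(
    r"(?P<prefix>AccountKey\s*=\s*|AZURE_STORAGE_(?:KEY|ACCESS_KEY)\s*[=:]\s*[\"']?)"
    r"(?P<key>" + _KEY_B64 + r")(?![A-Za-z0-9+/])"
)


def _decodes_to_512_bits(candidate: str) -> bool:
    """Confirm the candidate is well-formed base64 that decodes to exactly 64 bytes."""
    try:
        return len(base64.b64decode(candidate, validate=True)) == 64
    except (binascii.Error, ValueError):
        return False


def redact(key: str) -> str:
    """Never echo the full secret in a finding; keep only the ends."""
    return key[:4] + "..." + key[-4:]


def find_storage_account_keys(text: str) -> List[Dict[str, object]]:
    """Return one finding per line that carries a plausible account access key."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_PATTERN.finditer(line):
            key = m.group("key")
            if not _decodes_to_512_bits(key):
                continue
            findings.append({"line": lineno, "context": m.group("prefix").strip(),
                             "redacted": redact(key)})
    return findings


# Constructed sample key (bytes 0..63) and constructed config lines, not real secrets.
FAKE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_CONFIG = f"""# constructed sample of committed configuration
STORAGE_CONN=DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net
AZURE_STORAGE_KEY="{FAKE_KEY}"
SAS_TOKEN=sv=2021-04-01&ss=b&sig=short
"""

if __name__ == "__main__":
    for finding in find_storage_account_keys(SAMPLE_CONFIG):
        print(finding)
```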
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1302 |
| Severity | HIGH |
| IaC Type | secrets |
| Frameworks | Git |
| Checkov ID | CKV_SECRET_3 |