List storage keys operation executed on storage accounts in subscription

Chintan Rajvir 426 Reputation points Microsoft Employee
2021-04-23T06:57:04.19+00:00

We have multiple storage accounts in a subscription. In some of the non-related or non-active storage accounts, we have seen Activity Logs reporting the List Storage Keys operation. We would like to understand which tools or Azure resources would be using this operation, although the particular storage account is not accessed directly by the email mentioned in the "Event initiated by" column.

Our guess is that we have a Storage Explorer being used by the teammates locally on their machines, which implicitly uses this operation to identify all the storage accounts in the subscription. But our doubt is, would "List Keys" be used if the actual storage account blade is not expanded to identify containers (or other resources) in it, either from the Portal or from Storage Explorer? Or would there be any other service connected to an "actual storage account (one in use)", but using "List Keys" across different/all SAs in the subscription?


1 answer

  1. shiva patpi 13,141 Reputation points Microsoft Employee
    2021-04-26T05:34:20.893+00:00

    Hello @Chintan Rajvir,
    Thanks for your query!
    List Storage Keys will not be logged when you just access the storage account using the Azure Portal UI without expanding any resources under it; those operations will be specific to the storage account under that particular subscription.

    1) List Access Keys - will be logged when you try to access Classic Storage Accounts.
    2) List Storage Account Keys - for ARM storage accounts, when you try to access the resources under the storage account either using the Azure Portal UI or Storage Account Explorer. This also happens when you try to access using REST APIs like (POST https://management.azure.com/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.Storage/storageAccounts/stroageaccountname/listKeys?api-version=2021-01-01)

    The same applies when trying to access using Storage Account Explorer.

    You can always see the detailed JSON logs under Monitor | Activity Log | Select Operation Name | JSON response.
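To answer the "which caller touched which account" question across a whole subscription, the Activity Log JSON can be summarized per caller. The following is an added example, not part of the original answer or any Microsoft tooling; it assumes events in the JSON shape returned by `az monitor activity-log list` (`caller`, `operationName.value`, `resourceId`, `httpRequest.clientIpAddress`, `claims.appid`), and all sample events, names, IPs and app ids are constructed.

```python
from collections import defaultdict

# ARM and classic key-listing operation names, lowercased for comparison.
LIST_KEYS_OPS = {
    "microsoft.storage/storageaccounts/listkeys/action",
    "microsoft.classicstorage/storageaccounts/listkeys/action",
}
ARM_OP = "Microsoft.Storage/storageAccounts/listKeys/action"
CLASSIC_OP = "Microsoft.ClassicStorage/storageAccounts/listKeys/action"
RID = "/subscriptions/subid/resourceGroups/rgname/providers/"

def _event(caller, op, path, ip, appid):
    """Build one constructed event, trimmed to the fields used below."""
    return {"caller": caller, "operationName": {"value": op},
            "resourceId": RID + path,
            "httpRequest": {"clientIpAddress": ip}, "claims": {"appid": appid}}

# Constructed sample data, not real log entries.
SAMPLE_EVENTS = [
    _event("alice@contoso.example", ARM_OP, "Microsoft.Storage/storageAccounts/sa1", "203.0.113.10", "app-a"),
    _event("alice@contoso.example", ARM_OP, "Microsoft.Storage/storageAccounts/sa2", "203.0.113.10", "app-a"),
    _event("alice@contoso.example", ARM_OP, "Microsoft.Storage/storageAccounts/sa3", "203.0.113.10", "app-a"),
    _event("bob@contoso.example", ARM_OP, "Microsoft.Storage/storageAccounts/sa1", "198.51.100.7", "app-b"),
    _event("bob@contoso.example", CLASSIC_OP, "Microsoft.ClassicStorage/storageAccounts/classic1", "198.51.100.7", "app-b"),
    _event("alice@contoso.example", "Microsoft.Storage/storageAccounts/write", "Microsoft.Storage/storageAccounts/sa9", "203.0.113.10", "app-a"),
]

def summarize_list_keys(events):
    """Map each caller to the accounts, client IPs and app ids seen on its listKeys events."""
    summary = defaultdict(lambda: {"accounts": set(), "ips": set(), "appids": set()})
    for ev in events:
        op = (ev.get("operationName") or {}).get("value", "")
        if op.lower() not in LIST_KEYS_OPS:
            continue  # not a key-listing operation
        entry = summary[(ev.get("caller") or "unknown").lower()]
        # Sets also collapse the Started/Succeeded records logged per operation.
        entry["accounts"].add(ev.get("resourceId", "").rstrip("/").rsplit("/", 1)[-1].lower())
        ip = (ev.get("httpRequest") or {}).get("clientIpAddress")
        if ip:
            entry["ips"].add(ip)
        appid = (ev.get("claims") or {}).get("appid")
        if appid:
            entry["appids"].add(appid)
    return dict(summary)

def wide_callers(summary, min_accounts):
    """Callers that listed keys on at least min_accounts distinct storage accounts."""
    return sorted(c for c, e in summary.items() if len(e["accounts"]) >= min_accounts)

if __name__ == "__main__":
    for caller, info in summarize_list_keys(SAMPLE_EVENTS).items():
        print(caller, sorted(info["accounts"]), sorted(info["ips"]), sorted(info["appids"]))
```

A caller that appears against many accounts with a single app id and client IP is consistent with one tool enumerating the subscription; the app id identifies which client application made the calls.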