I am receiving this notification from the Defender "Insecure Azure storage account connection string"

Pradeep Khantwal 60 Reputation points
2024-03-14T08:31:19.06+00:00


Defender for Cloud found a plaintext storage account connection string. It is important to secure the connection string to avoid its leakage or misuse.

Workloads might contain unprotected credentials and secrets. Threat actors use these to move laterally across networks, searching for sensitive data and ways to damage critical information systems. Security teams need to locate secrets hosted in the cloud and mitigate the resulting.

How to remediate it?


2 answers

Sort by: Most helpful
  1. Deepanshu katara 16,945 Reputation points MVP Moderator
    2024-03-14T09:23:08.64+00:00

    Hi,

    Your application needs to access the connection string at runtime to authorize requests made to Azure Storage. You have several options for storing your account access keys or connection string:

    • You can store your account keys securely in Azure Key Vault. For more information, see About Azure Key Vault managed storage account keys.
    • You can store your connection string in an environment variable.
    • An application can store the connection string in an app.config or web.config file. Add the connection string to the AppSettings section in these files.

    Please check this doc for more details

    https://learn.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string

    Please accept the answer if it helps. Thanks
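The options above all come down to keeping the key out of the code and config that ships. The following Python is an added example, not code from this answer or from Microsoft: it scans config text for the plaintext connection-string pattern that Defender reports (and redacts the key so the file can be shared), and it loads the string from an environment variable with a sanity check instead of from a hardcoded value. The config snippets, the account name `contosoapp` and the key are constructed for the demo; the key is not a real Azure Storage account key.

```python
"""Added example, not code from this answer or from Microsoft.  Two helpers for
the Defender finding: a scanner for the plaintext connection-string pattern it
reports (with a redactor for sharing the file safely), and a loader that takes
the string from an environment variable and sanity-checks it.  The config
text, the account name 'contosoapp' and the key are constructed for the demo;
the key is not a real Azure Storage account key."""
import re
from typing import Mapping

# A connection string is ";"-separated key=value pairs.  The AccountKey pair
# carries the base64 account key, which is what makes the string a secret.
_CONN_STRING_RE = re.compile(
    r"(?:\b[A-Za-z]+=[^;=\s\"'<>]*;)*"   # pairs before AccountKey (e.g. AccountName)
    r"AccountKey=[A-Za-z0-9+/]+=*"       # the key itself (base64)
    r"(?:;[A-Za-z]+=[^;=\s\"'<>]*)*"     # pairs after it (e.g. EndpointSuffix)
)
_KEY_RE = re.compile(r"AccountKey=[A-Za-z0-9+/]+=*")

DEMO_CONN_STRING = (  # constructed; the key is base64-looking filler, not a real key
    "DefaultEndpointsProtocol=https;AccountName=contosoapp;"
    "AccountKey=RkFLRUtFWS1ub3QtYS1yZWFsLWtleS1mb3ItZGVtbw==;"
    "EndpointSuffix=core.windows.net"
)
# What Defender flags: the string sitting in web.config AppSettings (constructed).
SAMPLE_WEB_CONFIG = f"""<configuration>
  <appSettings>
    <add key="StorageConnectionString"
         value="{DEMO_CONN_STRING}" />
  </appSettings>
</configuration>
"""
# The same setting as a reference the deployment fills in at runtime (constructed).
SAMPLE_ENV_REFERENCE = """<configuration>
  <appSettings>
    <add key="StorageConnectionString" value="${AZURE_STORAGE_CONNECTION_STRING}" />
  </appSettings>
</configuration>
"""

def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict; values may themselves contain '='."""
    return {k: v for k, v in (p.split("=", 1) for p in conn.split(";") if "=" in p)}

def find_plaintext_secrets(text: str) -> list:
    """One finding per connection string that embeds an AccountKey."""
    findings = []
    for m in _CONN_STRING_RE.finditer(text):
        fields = parse_connection_string(m.group(0))
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "account_name": fields.get("AccountName"),
            "key_prefix": fields["AccountKey"][:6] + "...",  # enough to identify, not to use
        })
    return findings

def redact(text: str) -> str:
    """Replace the key material so the file can be pasted into a ticket."""
    return _KEY_RE.sub("AccountKey=<REDACTED>", text)

def connection_string_from_env(env: Mapping[str, str],
                               name: str = "AZURE_STORAGE_CONNECTION_STRING") -> str:
    """Read the connection string from the environment and sanity-check it.
    Pass os.environ in real code; a plain dict keeps this example offline."""
    value = env.get(name, "").strip()
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to fall back to a hardcoded string")
    fields = parse_connection_string(value)
    if "AccountName" not in fields or not ({"AccountKey", "SharedAccessSignature"} & fields.keys()):
        raise ValueError(f"{name} does not look like a storage connection string")
    return value

if __name__ == "__main__":
    for hit in find_plaintext_secrets(SAMPLE_WEB_CONFIG):
        print("plaintext connection string:", hit)
    print("env-reference config findings:", find_plaintext_secrets(SAMPLE_ENV_REFERENCE))
    print(redact(SAMPLE_WEB_CONFIG))
    # Simulated deployment environment; in production this is os.environ.
    loaded = connection_string_from_env({"AZURE_STORAGE_CONNECTION_STRING": DEMO_CONN_STRING})
    print("loaded from env:", loaded[:40], "...")
```

Run the scanner over a repository or build artifact before deploy: a hit in web.config or appsettings.json is the same finding Defender raises. The fix is to replace the value with a reference that the environment or Key Vault fills in at runtime and then rotate the key, because a key that was ever committed stays exposed in history.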


  2. Nehruji R 8,181 Reputation points Microsoft External Staff Moderator
    2024-03-18T08:44:59.9733333+00:00

    Hello Pradeep,

    Greetings! Welcome to Microsoft Q&A Forum.

    Securing Azure storage account connection strings is crucial to prevent unauthorized access and potential data breaches. Adding to the above response, you can also use SAS tokens with limited scope instead of account keys.

    Shared Key authorization for blobs, files, queues, and tables. A client using Shared Key passes a header with every request that is signed using the storage account access key. For more information, see Authorize with Shared Key.

    Microsoft recommends that you disallow Shared Key authorization for your storage account. When Shared Key authorization is disallowed, clients must use Azure AD or a user delegation SAS to authorize requests for data in that storage account. For more information, see Prevent Shared Key authorization for an Azure Storage account.

    Shared access signatures for blobs, files, queues, and tables. Shared access signatures (SAS) provide limited delegated access to resources in a storage account via a signed URL. The signed URL specifies the permissions granted to the resource and the interval over which the signature is valid. A service SAS or account SAS is signed with the account key, while the user delegation SAS is signed with Azure AD credentials and applies to blobs only. For more information, see Using shared access signatures (SAS).

    You can use Azure role-based access control (Azure RBAC) to manage a security principal's permissions to blob, queue, and table resources in a storage account. You can also use Azure attribute-based access control (ABAC) to add conditions to Azure role assignments for blob resources.

    https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview#user-delegation-sas

    User delegation SAS: A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only.

    Service SAS: A service SAS is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files.

    Account SAS: An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS.

    Never store access keys or connection strings directly in your code or configuration files. Instead, use secure methods to manage them.

    Similar docs for reference:
    https://stackoverflow.com/questions/69814482/where-is-azure-storage-account-connection-string-in-azure-portal
    https://stackoverflow.com/questions/2338650/connection-string-to-an-azure-cloud-storage-account
    https://learn.microsoft.com/en-us/aspnet/web-forms/overview/data-access/advanced-data-access-scenarios/protecting-connection-strings-and-other-configuration-information-cs

    Please let us know if you have any more questions and we will be glad to assist you further. Thank you!

    Please "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

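To make the "limited scope" point above concrete, here is an added example, not code from this answer, from Microsoft or from the Azure SDK. It mints an account SAS from an account key and then checks a request against that SAS the way the service would: signature first, then start/expiry, then the services, resource types and permissions the token was issued for. A leaked SAS is bounded by those fields; a leaked account key (which is exactly what a plaintext connection string contains) can mint a SAS with any scope and is only invalidated by rotating the key. The string-to-sign layout follows the account SAS format documented for service version 2020-12-06, but treat it as an illustration and use the SDK's generate_account_sas for real tokens. The account name and both keys are constructed for the demo and are not real.

```python
"""Added example, not code from the Q&A thread, from Microsoft or from the
Azure SDK.  Mints an account SAS and authorizes requests against it to show
what bounds a leaked SAS (scope, expiry) versus a leaked account key (nothing
but key rotation).  String-to-sign layout per the documented account SAS
format for service version 2020-12-06; illustration only.  Account name and
keys are constructed and not real."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2020-12-06"
ACCOUNT = "contosoapp"  # constructed
DEMO_KEY = base64.b64encode(b"constructed demo key, not a real Azure Storage key 0123456789").decode("ascii")
ROTATED_KEY = base64.b64encode(b"after key rotation every SAS signed with the old key dies").decode("ascii")

def _iso(ts: datetime) -> str:
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_iso(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _string_to_sign(account: str, f: dict) -> str:
    # Field order and trailing newline as documented for account SAS
    # (version >= 2020-12-06); the last field is the empty encryption scope.
    return "\n".join([account, f["sp"], f["ss"], f["srt"], f.get("st", ""),
                      f["se"], f.get("sip", ""), f["spr"], f["sv"], ""]) + "\n"

def _sign(key_b64: str, string_to_sign: str) -> str:
    # HMAC-SHA256 keyed with the *decoded* account key, output base64 (as Azure does).
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")

def generate_account_sas(account: str, key_b64: str, *, services: str, resource_types: str,
                         permissions: str, expiry: datetime, start: Optional[datetime] = None,
                         ip: str = "", protocol: str = "https") -> str:
    """Return the SAS query string.  ss/srt/sp use Azure's letter codes, e.g.
    services 'b'=blob 'q'=queue, resource types 'o'=object 'c'=container,
    permissions 'r'=read 'w'=write 'd'=delete."""
    f = {"sv": SAS_VERSION, "ss": services, "srt": resource_types, "sp": permissions,
         "se": _iso(expiry), "spr": protocol}
    if start:
        f["st"] = _iso(start)
    if ip:
        f["sip"] = ip
    f["sig"] = _sign(key_b64, _string_to_sign(account, f))
    return urlencode(f)

def authorize(account: str, key_b64: str, sas_query: str, *, service: str,
              resource_type: str, permission: str, now: datetime) -> Tuple[bool, str]:
    """Decide as the storage service would: signature first, then time, then scope."""
    f = {k: v[0] for k, v in parse_qs(sas_query, keep_blank_values=True).items()}
    try:
        expected = _sign(key_b64, _string_to_sign(account, f))
    except KeyError as missing:
        return False, f"malformed token: {missing} missing"
    if not hmac.compare_digest(expected, f.get("sig", "")):
        return False, "bad signature: wrong account key, tampered fields, or key rotated"
    if "st" in f and now < _parse_iso(f["st"]):
        return False, "not yet valid"
    if now >= _parse_iso(f["se"]):
        return False, "expired"
    if service not in f["ss"]:
        return False, f"service {service!r} not in ss={f['ss']!r}"
    if resource_type not in f["srt"]:
        return False, f"resource type {resource_type!r} not in srt={f['srt']!r}"
    if permission not in f["sp"]:
        return False, f"permission {permission!r} not in sp={f['sp']!r}"
    return True, "ok"

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    read_only = generate_account_sas(ACCOUNT, DEMO_KEY, services="b", resource_types="o",
                                     permissions="r", expiry=now + timedelta(hours=1))
    for svc, rt, perm in (("b", "o", "r"), ("b", "o", "d"), ("q", "o", "r")):
        print((svc, rt, perm), authorize(ACCOUNT, DEMO_KEY, read_only, service=svc,
                                         resource_type=rt, permission=perm, now=now))
    # Whoever holds the key is not bound by any of that: they mint their own scope.
    full = generate_account_sas(ACCOUNT, DEMO_KEY, services="bfqt", resource_types="sco",
                                permissions="racwdlup", expiry=now + timedelta(days=365))
    print("with the key, delete on queues:", authorize(ACCOUNT, DEMO_KEY, full, service="q",
                                                       resource_type="o", permission="d", now=now))
    print("same token after rotation:", authorize(ACCOUNT, ROTATED_KEY, full, service="q",
                                                  resource_type="o", permission="d", now=now))
```

In production the authorize side runs inside Azure Storage; what the code makes visible is that every scope field is bound by the signature (editing sp from r to rw fails the signature check), that scope and expiry are enforced only after the signature passes, and that the only way to kill an account-key-signed SAS early is to rotate the key. Disallowing Shared Key on the account, as recommended above, rejects service and account SAS entirely and leaves Azure AD authorization and user delegation SAS, whose signing key is not in any connection string.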
